42ad279878792b976f051847fc40e8b31fb4a043cc440455fca28b8f9a252271

Analysis

max time kernel
150s
max time network
154s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
05/06/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GDLauncher.exe
Size

169.9MB
MD5

f96c065714738a4008c9eebc4f0ccbb3
SHA1

0461a73a7500bbaf033dcc308d29d8968891388f
SHA256

c8c3e212a56976e087a49d7fc5a007a9950c1b2b0426b5bf48e6ccec6ce7ae78
SHA512

a3584d8d2a87870523a04a1aad8cc9d1aa388305650558621e3808fdf5a0bc26b55cba684a87084fc3989e47a8812b73d359e0e04e9bdea352c488d0422b8fcc
SSDEEP

1572864:es+fxQiW1vVzbHpUcEtmLd7cF3PPHNzLuTe7ulsxM/Gyr/w7VoB4X+x2CFRXQQSz:ze8BWNg3DFxfw

Score

7^/10

discovery execution spyware stealer

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4132	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	core_module.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	GDLauncher.exe

Loads dropped DLL 1 IoCs

pid	Process
4476	GDLauncher.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3704	powershell.exe
648	powershell.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GDLauncher.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\URL Protocol	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\ = "URL:gdlauncher"	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\shell\open\command	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\shell	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\shell\open	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\""	GDLauncher.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3704	powershell.exe
648	powershell.exe
648	powershell.exe
3704	powershell.exe
2640	core_module.exe
2640	core_module.exe
648	powershell.exe
3704	powershell.exe
2640	core_module.exe
2640	core_module.exe
2640	core_module.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4476	GDLauncher.exe
4168	GDLauncher.exe
4168	GDLauncher.exe
4168	GDLauncher.exe
4168	GDLauncher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeIncreaseQuotaPrivilege	3704	powershell.exe
Token: SeSecurityPrivilege	3704	powershell.exe
Token: SeTakeOwnershipPrivilege	3704	powershell.exe
Token: SeLoadDriverPrivilege	3704	powershell.exe
Token: SeSystemProfilePrivilege	3704	powershell.exe
Token: SeSystemtimePrivilege	3704	powershell.exe
Token: SeProfSingleProcessPrivilege	3704	powershell.exe
Token: SeIncBasePriorityPrivilege	3704	powershell.exe
Token: SeCreatePagefilePrivilege	3704	powershell.exe
Token: SeBackupPrivilege	3704	powershell.exe
Token: SeRestorePrivilege	3704	powershell.exe
Token: SeShutdownPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeSystemEnvironmentPrivilege	3704	powershell.exe
Token: SeRemoteShutdownPrivilege	3704	powershell.exe
Token: SeUndockPrivilege	3704	powershell.exe
Token: SeManageVolumePrivilege	3704	powershell.exe
Token: 33	3704	powershell.exe
Token: 34	3704	powershell.exe
Token: 35	3704	powershell.exe
Token: 36	3704	powershell.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe
Token: SeCreatePagefilePrivilege	220	GDLauncher.exe
Token: SeShutdownPrivilege	220	GDLauncher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
220	GDLauncher.exe
220	GDLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4056	220	GDLauncher.exe	72
PID 220 wrote to memory of 4056	220	GDLauncher.exe	72
PID 4056 wrote to memory of 4468	4056	cmd.exe	74
PID 4056 wrote to memory of 4468	4056	cmd.exe	74
PID 220 wrote to memory of 212	220	GDLauncher.exe	75
PID 220 wrote to memory of 212	220	GDLauncher.exe	75
PID 220 wrote to memory of 2640	220	GDLauncher.exe	76
PID 220 wrote to memory of 2640	220	GDLauncher.exe	76
PID 220 wrote to memory of 2012	220	GDLauncher.exe	78
PID 220 wrote to memory of 2012	220	GDLauncher.exe	78
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 2784	220	GDLauncher.exe	79
PID 220 wrote to memory of 1224	220	GDLauncher.exe	80
PID 220 wrote to memory of 1224	220	GDLauncher.exe	80
PID 220 wrote to memory of 3704	220	GDLauncher.exe	81
PID 220 wrote to memory of 3704	220	GDLauncher.exe	81
PID 220 wrote to memory of 648	220	GDLauncher.exe	82
PID 220 wrote to memory of 648	220	GDLauncher.exe	82
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85
PID 220 wrote to memory of 2028	220	GDLauncher.exe	85

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:4468
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.9 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x4d4,0x4d8,0x4dc,0x4d0,0x4e0,0x7ff657aef648,0x7ff657aef654,0x7ff657aef660
  2⤵
  PID:212
- C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
  C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:2296
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:4132
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:2160
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78000\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78000\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:1048
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:652
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:4716
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1776 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2140 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2544 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3320 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=es --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3560 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=f01e4f7b-1be5-ae00-cb8c-387f12d67b14 --phase=20 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=es --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3912 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1976 --field-trial-handle=1780,i,4708054259042325185,12130681566366783478,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e8
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
727921598b422545376d51900870b194

SHA1
e291dcabde9597b784305af7d265672a9b51d83c

SHA256
a6eb3da608808ffca1332f7fd67f31bd3d319ecad13955fc104837e5155778bd

SHA512
c256081ed15268786c312222303b477ff0e4c1dac3d3d1d9ae2c890cfc96fa16a544a15285a4106bf64cf8ae33fa76bd600a0e22a2c37944ed69a5541d020598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c373cdb8236bb363319af570bd628dfc

SHA1
4f756c7d4a6f6e8494bd884bb9e00646e84e119b

SHA256
68d7a477b2bc5a4bf0f3894860999fa442a5b8653579f8173391dcc43dcbaf47

SHA512
cf8b041f6bfa9608191750a577bd86573656a017af61882db73f3e1f639411855038e3b761965cf04b26a0c0bbec1b6320482e787b7d667e0450c8ffb9ef1ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaCheck.class

Filesize
1013B

MD5
8098d31488cd52db41f95188b9daed5e

SHA1
76988b607c667c86211fe1dfe57ed4aedacc5691

SHA256
c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5

SHA512
e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkfev0ts.ih4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\8edfce7f-18a9-4983-be3f-ab48121ce4f6.tmp

Filesize
57B

MD5
217c781be08416f5b6fa33aedf027293

SHA1
0e76955a55f31406fc64e3b136f1bb9214bc2d79

SHA256
3de8ead96083d18355eed62a5b8089a61f6c7f97ba3dba04cbefae364f0455b0

SHA512
964b588d2bb87d3e19924cf8a16f1c35807c45ccb41caa00be9dd4e34b9fdfa0625973828a9df1f5f56354f00bf13939e01798c40a8a7089c9aee4535e45b099

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Cache\Cache_Data\f_000002

Filesize
766KB

MD5
471061756215fd1f387f076ac014303c

SHA1
d8397cb5900f52a5cad2416ed8ebf53caa1a3adc

SHA256
e6334dcf080aaeca679db70565762a2c296ff5780c1af263530ac7345736bfa9

SHA512
ba9d0f2deb2fcd77e75bfe8a9c6241da25c7eb9012d0374ccca8e9cd9cd1c9615efd5f3980166b0b3431c7e3e55ef013cbc37f0d53bd1e2411afb9363ceccb05

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

Filesize
980B

MD5
2c2740bdbb795896c4fcc30a1883b08e

SHA1
b069b2c7369977deb51cca85f7604f118e39ecfa

SHA256
d47a5da21d9d2a3d5651364215e1505b67b019fd5e90b921861283ab58ea7cf0

SHA512
d4a96c2a8364e4bfff33ce08f074a456f17e4f8b417f8cc9ea31a1b85a5caa7ffc3eac632afe37d912bf934370685a1d659e53b6ba7cf83a9cecf713d8c40a26

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

Filesize
1KB

MD5
fa5d41c3f33aba47ab01e6338f2d4c6d

SHA1
13a519384b428aceb37d75a9fd22ee46ee880dbd

SHA256
0f23d3e2f413bdd32baab45fe91e8e303f4cc0393ccf23b2b1aa700f99ab361e

SHA512
7a7263f82af573345f4a97ba067b48d5c6c7068025197f2a9d003c52d7dc0ecbdb61a2bebd9ca6eaccd9279a51a76f70f8fa95f6b924bfa27a41b68cc2720687

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json

Filesize
7KB

MD5
a5f29a9377120027e4be0d920b8f3fc1

SHA1
fa2c0482cbf6d46b3f94ba7906a28152b5011e81

SHA256
34caf876eeeac175b7389906b6d7deff86456b49ecabbd6d61b3f7ef610908e2

SHA512
3a678cb30e62361ccbcf33dd706aae22462beee50629514a0b634303eb88095d68159123eda47807774a0c99e9bf2093bf0da6b2e5c5b69cbc3be18a162bed7e

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

Filesize
689KB

MD5
9b4d3ae283e629f1f9e2eec567d18e28

SHA1
63dab54d35e506adbd904f5296895bc94b1b9f0d

SHA256
cea832c0ce470badca8cd9a4646a47395a8bddf4929293f6ddbebf8c631a7817

SHA512
97b766371e76385b05900bfc7c54c3c76ff46e2e8e53c8eef1e6a68c117ab1accbef9d06eef54d23c93d7197ff1fb27e3f9562593574a1e31f350b93d1582f87

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\1.0.19\ow-electron-utility-plugin.node

Filesize
607KB

MD5
1655baa81ad104125f7b67cfe727fd75

SHA1
00c56f079a9d5df4e8d26c94337382a02d971870

SHA256
4afac59e7b1e7339117ca9cff131f6c9408f739406d18343b9694e31654af589

SHA512
c29831964711df2f03645804266323ca9c06c03dadbaf0864d6c6f5b6d3661d8ad1f5d2d528e7c7808faf450a7c1fde3ed65020360fa365fda6ec83866f76d30

Download Submit
memory/648-162-0x000002B7B1590000-0x000002B7B15A0000-memory.dmp

Filesize
64KB

Download
memory/648-161-0x000002B7C9750000-0x000002B7C97D2000-memory.dmp

Filesize
520KB

Download
memory/652-735-0x000002218D2A0000-0x000002218D2A1000-memory.dmp

Filesize
4KB

Download
memory/1048-714-0x000001CAD81A0000-0x000001CAD81A1000-memory.dmp

Filesize
4KB

Download
memory/2028-846-0x000001F520B70000-0x000001F520B9D000-memory.dmp

Filesize
180KB

Download
memory/2028-135-0x00007FFE03030000-0x00007FFE03031000-memory.dmp

Filesize
4KB

Download
memory/2028-134-0x00007FFE03840000-0x00007FFE03841000-memory.dmp

Filesize
4KB

Download
memory/2160-698-0x000002160CB60000-0x000002160CB61000-memory.dmp

Filesize
4KB

Download
memory/2296-640-0x000001F364E20000-0x000001F364E21000-memory.dmp

Filesize
4KB

Download
memory/3704-473-0x0000018843E70000-0x0000018843E9A000-memory.dmp

Filesize
168KB

Download
memory/3704-553-0x0000018843950000-0x0000018843958000-memory.dmp

Filesize
32KB

Download
memory/3704-527-0x0000018843E70000-0x0000018843E84000-memory.dmp

Filesize
80KB

Download
memory/3704-554-0x0000018843C10000-0x0000018843C18000-memory.dmp

Filesize
32KB

Download
memory/3704-492-0x0000018843E70000-0x0000018843E92000-memory.dmp

Filesize
136KB

Download
memory/3704-277-0x0000018844260000-0x00000188442D6000-memory.dmp

Filesize
472KB

Download
memory/3704-247-0x0000018843E30000-0x0000018843E6C000-memory.dmp

Filesize
240KB

Download
memory/3704-166-0x0000018843C20000-0x0000018843D22000-memory.dmp

Filesize
1.0MB

Download
memory/3704-164-0x00000188438E0000-0x0000018843902000-memory.dmp

Filesize
136KB

Download
memory/3800-847-0x00000214E4F30000-0x00000214E4F5D000-memory.dmp

Filesize
180KB

Download
memory/4716-751-0x000001B8D3DE0000-0x000001B8D3DE1000-memory.dmp

Filesize
4KB

Download
memory/4924-791-0x00007FFE03AE0000-0x00007FFE03AE1000-memory.dmp

Filesize
4KB

Download