Overview
overview
7Static
static
3GDevelop-5...09.exe
windows7-x64
7GDevelop-5...09.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3GDevelop.exe
windows7-x64
7GDevelop.exe
windows10-2004-x64
7LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
3d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...x.html
windows7-x64
3resources/...x.html
windows10-2004-x64
3resources/...ect.js
windows7-x64
3resources/...ect.js
windows10-2004-x64
3resources/...er.vbs
windows7-x64
1resources/...er.vbs
windows10-2004-x64
1resources/...ain.js
windows7-x64
3resources/...ain.js
windows10-2004-x64
3resources/...t3D.js
windows7-x64
3resources/...t3D.js
windows10-2004-x64
3resources/...ion.js
windows7-x64
3Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
01/09/2024, 14:04
Static task
static1
Behavioral task
behavioral1
Sample
GDevelop-5-Setup-5.4.209.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
GDevelop-5-Setup-5.4.209.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/WinShell.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/WinShell.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
GDevelop.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
GDevelop.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
LICENSES.chromium.html
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
LICENSES.chromium.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
ffmpeg.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral17
Sample
ffmpeg.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
libEGL.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral19
Sample
libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
libGLESv2.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral21
Sample
libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
resources/GDJS/Runtime-sources/Cordova/www/index.html
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral23
Sample
resources/GDJS/Runtime-sources/Cordova/www/index.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
resources/GDJS/Runtime-sources/CustomRuntimeObject.js
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral25
Sample
resources/GDJS/Runtime-sources/CustomRuntimeObject.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
resources/GDJS/Runtime-sources/CustomRuntimeObjectInstanceContainer.vbs
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral27
Sample
resources/GDJS/Runtime-sources/CustomRuntimeObjectInstanceContainer.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
resources/GDJS/Runtime-sources/Electron/main.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral29
Sample
resources/GDJS/Runtime-sources/Electron/main.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
resources/GDJS/Runtime-sources/Extensions/3D/CustomRuntimeObject3D.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral31
Sample
resources/GDJS/Runtime-sources/Extensions/3D/CustomRuntimeObject3D.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
resources/GDJS/Runtime-sources/Extensions/3D/JsExtension.js
Resource
win7-20240708-en
windows7-x64
General
-
Target
GDevelop.exe
-
Size
139.9MB
-
MD5
c89e3deefd5ec0cdd95d7bba71d734ac
-
SHA1
886a4b9c072e4d8b6b56aee61190a6ca1233709c
-
SHA256
796d03445a99286b19a815da7f37f28f31de88bf73c8c946a0eb77432de14205
-
SHA512
42030b8d36eddf240b42ad9fe7b8773eeed4cc5c85573c417d0649dae463ce04703c1f9a36170f0c585b091e24cee8af78b690b8984a26666749ef9da99f9a84
-
SSDEEP
786432:v56tMJLlSDPXBFXXAKuLQPeL0wGs4pO1aFfSQvk/os10tBf54PsSgvE:RWMDU/BNXoQPeL0q4pO1aFfMoA0FS6
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation GDevelop.exe Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation GDevelop.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 GDevelop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd GDevelop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd GDevelop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd GDevelop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 GDevelop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e GDevelop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e GDevelop.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2076 GDevelop.exe 2076 GDevelop.exe 2940 GDevelop.exe 2940 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2940 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe Token: SeShutdownPrivilege 2076 GDevelop.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe -
Suspicious use of SendNotifyMessage 16 IoCs
pid Process 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe 2076 GDevelop.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2648 2076 GDevelop.exe 30 PID 2076 wrote to memory of 2604 2076 GDevelop.exe 31 PID 2076 wrote to memory of 2604 2076 GDevelop.exe 31 PID 2076 wrote to memory of 2604 2076 GDevelop.exe 31 PID 2076 wrote to memory of 2940 2076 GDevelop.exe 32 PID 2076 wrote to memory of 2940 2076 GDevelop.exe 32 PID 2076 wrote to memory of 2940 2076 GDevelop.exe 32 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33 PID 2076 wrote to memory of 316 2076 GDevelop.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"C:\Users\Admin\AppData\Local\Temp\GDevelop.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\GDevelop 5" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1008 --field-trial-handle=1092,i,4810366611775823733,7253167899974099118,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"C:\Users\Admin\AppData\Local\Temp\GDevelop.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\GDevelop 5" --standard-schemes --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1260 --field-trial-handle=1092,i,4810366611775823733,7253167899974099118,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:82⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"C:\Users\Admin\AppData\Local\Temp\GDevelop.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\GDevelop 5" --standard-schemes --secure-schemes --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=gdevelop.ide --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --enable-blink-features=WebAppWindowControlsOverlay --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1484 --field-trial-handle=1092,i,4810366611775823733,7253167899974099118,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:12⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2940
-
-
C:\Users\Admin\AppData\Local\Temp\GDevelop.exe"C:\Users\Admin\AppData\Local\Temp\GDevelop.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\GDevelop 5" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1092,i,4810366611775823733,7253167899974099118,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:22⤵PID:316
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize230B
MD5ae11003c182533a4c2c1fc0760077a31
SHA183ebc4bc79122c71bb44332c2120d49f14ee0587
SHA2565fb39bad19b0c8ff7abd14095f5c36e29cbbc330bda6fb1925807f188255301a
SHA512e873555e4aae050651503cef54242eeae7273155b8d416456f94bd8ad3ef65672df67fb31680555d2022b5c79fdad759d7615c66fca560614b4b7cbe107a0a22
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b352ae7e72ef35bd19c7900115ddb585
SHA1288b611ee05b3a7828bcf222319cb999d638c50b
SHA256d00fd11d0f52c443a9bf8ebc6487a36984b10ba12e450b20928ad970e2d8c4e5
SHA5120292b67dd621d3a8f34835cb7f14d48eccba06c92dda6af70d16bb43234a6ef3cd7533112362ffa172164f199803d5d9c422f3d7e59481169e519cb9614023e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e643674000fb015c0ac72bd7d8bdcc30
SHA198015fe67fe4874b987fdf4da6bdae8d9589966b
SHA25659b608a935812d684a7ce6d4131de5fff68f48a2390735138e1155fcdb17e166
SHA512f7634df23e47e0c80ccbdd41aa19f2d186b0c65e4262bdded1dad907abf992753f0fb29fa36e8aaf5f725e24fb0e881fa35c8ee5127cf0e9ddc6668f0028a583
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d11073db19560f63aced37a5befb3389
SHA1d16e619b9ccd17c91c428159724ee893feb76b3b
SHA25614a01f809a0a0aab4d51da37a3324af955fb5643d06d71c4d54c9e8dae343e4d
SHA51250d7159105260a3547c9dd8fa1a5c625faa5a1603cbe380355c43f9592a6dc480c4eaf5a1d5b66cb8ae88122ea0b82739d8bbbe62cb3bed01341f1a960d35c2f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5085a58825582f0127678bffa18c8b469
SHA1786aa0f26dad5bcd0265c023d003c8e83dc6bdeb
SHA256736f5b720da9489d50a954431b5e0051ee29dc7724f5bf48f421d30941bc47e8
SHA5125c694faf77cb4fdc32625edc214037169ff733ff585eced1cd96b81b3d8863c79579dc6ab2266bcd7d82b7b50588ed522fc6484228e12d70dcd5197e20e9ce79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51a9f8b96b474f7f68d1bf9bfd1ff843c
SHA1f216c1b16f9faf6a119bb7f2c953267dabeb906e
SHA25614a7382d12072b288ca7d1794cc445fa1535d885bf74ea209639596b445bd6ef
SHA5121760d7fdac859255731d7f320e268aac193f7fce84b30e9178819b36ec2f536729c79d66b4374b0f98f5535118b542aac01e66236acbed2268df25bb19388e70
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD580810a3d0da34ed0798255d05a626fa0
SHA175b41f6b18dc737ab75291b5b93e6155668e2b28
SHA256816e769ba259771d02de8e795dfd91cc6f6828a40c4bec7f4188d0fa8c847f84
SHA512542fbddef6a4c46b65e82e59a952b81b55bcef878b812d095eab8c3dbe6af9bee27b4700845d7b4c49c729e921ddb370636f46efcf48c1a166f7438e5c83c3c1
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
441KB
MD5a78ad14e77147e7de3647e61964c0335
SHA1cecc3dd41f4cea0192b24300c71e1911bd4fce45
SHA2560d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa
SHA512dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
57B
MD558127c59cb9e1da127904c341d15372b
SHA162445484661d8036ce9788baeaba31d204e9a5fc
SHA256be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA5128d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145