2718e831ac3db9a05ad546de42908348e6aaf55ba5025292d23dc274bfcb6c38

Analysis

max time kernel
151s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GDLauncher.exe
Size

169.9MB
MD5

be4a0b976dc22fa138414ea983c4055f
SHA1

2e24cbc8b5af690cfe95adc54dcfec1cd6a69e2a
SHA256

20b054c46a52908c4f71727228f409cc02f6e23ac50cc72c9729c4a81159ccd4
SHA512

942733d8d076ccfc5a80c19f8c61191a789b9dd33c0998be1c671ed85b70a1dba14ec94b7318676803e4bd415000fe76ed4ec378527d7fb7d6887d08c750d8b0
SSDEEP

1572864:1s+fxQiW1vVzbHpUcEtmLd7cF3PPHNzLuTe7ulsxM/Gyr/w7VoB4X+x2CFRXQQSl:ce8BWNg3DFxfy

Score

6^/10

execution spyware stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	core_module.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	GDLauncher.exe

Loads dropped DLL 1 IoCs

pid	Process
216	GDLauncher.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
740	powershell.exe
2196	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GDLauncher.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\ = "URL:gdlauncher"	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\shell\open\command	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\shell	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\shell\open	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\""	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\gdlauncher\URL Protocol	GDLauncher.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3040	GDLauncher.exe
3040	GDLauncher.exe
3040	GDLauncher.exe
3040	GDLauncher.exe
2116	core_module.exe
2116	core_module.exe
2116	core_module.exe
2116	core_module.exe
2116	core_module.exe
2196	powershell.exe
2196	powershell.exe
740	powershell.exe
740	powershell.exe
2116	core_module.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
216	GDLauncher.exe
1928	GDLauncher.exe
1928	GDLauncher.exe
1928	GDLauncher.exe
1928	GDLauncher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeIncreaseQuotaPrivilege	740	powershell.exe
Token: SeSecurityPrivilege	740	powershell.exe
Token: SeTakeOwnershipPrivilege	740	powershell.exe
Token: SeLoadDriverPrivilege	740	powershell.exe
Token: SeSystemProfilePrivilege	740	powershell.exe
Token: SeSystemtimePrivilege	740	powershell.exe
Token: SeProfSingleProcessPrivilege	740	powershell.exe
Token: SeIncBasePriorityPrivilege	740	powershell.exe
Token: SeCreatePagefilePrivilege	740	powershell.exe
Token: SeBackupPrivilege	740	powershell.exe
Token: SeRestorePrivilege	740	powershell.exe
Token: SeShutdownPrivilege	740	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeSystemEnvironmentPrivilege	740	powershell.exe
Token: SeRemoteShutdownPrivilege	740	powershell.exe
Token: SeUndockPrivilege	740	powershell.exe
Token: SeManageVolumePrivilege	740	powershell.exe
Token: 33	740	powershell.exe
Token: 34	740	powershell.exe
Token: 35	740	powershell.exe
Token: 36	740	powershell.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe
Token: SeCreatePagefilePrivilege	1888	GDLauncher.exe
Token: SeShutdownPrivilege	1888	GDLauncher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1888	GDLauncher.exe
1888	GDLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 3360	1888	GDLauncher.exe	82
PID 1888 wrote to memory of 3360	1888	GDLauncher.exe	82
PID 3360 wrote to memory of 4136	3360	cmd.exe	84
PID 3360 wrote to memory of 4136	3360	cmd.exe	84
PID 1888 wrote to memory of 1828	1888	GDLauncher.exe	85
PID 1888 wrote to memory of 1828	1888	GDLauncher.exe	85
PID 1888 wrote to memory of 2116	1888	GDLauncher.exe	86
PID 1888 wrote to memory of 2116	1888	GDLauncher.exe	86
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 4888	1888	GDLauncher.exe	88
PID 1888 wrote to memory of 1176	1888	GDLauncher.exe	89
PID 1888 wrote to memory of 1176	1888	GDLauncher.exe	89
PID 1888 wrote to memory of 3040	1888	GDLauncher.exe	90
PID 1888 wrote to memory of 3040	1888	GDLauncher.exe	90
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91
PID 1888 wrote to memory of 4368	1888	GDLauncher.exe	91

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x50c,0x510,0x514,0x500,0x518,0x7ff6e1b3f648,0x7ff6e1b3f654,0x7ff6e1b3f660
  2⤵
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
  C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:2116
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:3928
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:1448
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:2132
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:5084
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1864 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2064 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2676 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3628 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3636 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=47e88385-b987-4a46-9d6b-7d860f3e5947 --phase=25 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3700 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3400 --field-trial-handle=1868,i,13516566866923863125,591209706542617716,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310 0x494
1⤵
PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
97d15b94cd59add5e09906418fd2cac9

SHA1
dc65484f95cd363dac59e61719eb19d4b376590c

SHA256
6f450026f85806e8abb94555030462f5e3501a4363878eb0c63afceb60b693c3

SHA512
abfb669b31e41262c0156fa01d7a9ca84e570d205070c65ce10937850bb4ca1d9274e536c0663a2e25fe0e2709a6b4457e9a3f2b90f902452407f29581bdcc91

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
194bca0cf5ba87d8a2ba9d2573ce5214

SHA1
f2a668368fd51e98d20ca7f6de950d423c0c9f60

SHA256
fdebe9a535eff20859d9074722fc68c3d75b85a923f344dee4b3469149b74c26

SHA512
0630ccc324cc7589792ce69537090a8e1343516aeb531562abc3ae77e63ff708b3e80a69677187ac5e5a9171fabeeff9e1a238fe999c4aac7d05d3535120f06d

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
de9901d0f6beaffdad6a1bf2fb177d32

SHA1
8390d1571daf329c4af23d6ab9cbb652e78ccf8a

SHA256
0b6a9c99a83ac8f7336c10ce30cc7d778dd275ea5186118a6ca9d6bd98109f10

SHA512
4f08508274ba1974984feccd99582e66de45739511fd8c297ee69add8d5016d09bcef5da38cf8ac842d47798c7a26bbeacd92746650974283333404f5f0427cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaCheck.class

Filesize
1013B

MD5
8098d31488cd52db41f95188b9daed5e

SHA1
76988b607c667c86211fe1dfe57ed4aedacc5691

SHA256
c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5

SHA512
e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkrlz2l5.f2d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\1183516d-d445-4e5e-a403-e26968c0cdd6.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

Filesize
624B

MD5
6a72f4411a549b730c0b67d168ff9be3

SHA1
0337d23b5fd3cd8d5e15935cf2528785fb15c32f

SHA256
1226287217ee50608d116fbe5d02f83ea769c74056b09d599f08e15005398900

SHA512
686d82bd344109831dd37dccbdebc9450e8eb285a58c76587186c72f3ed372538b6dd6d1813fdbae11aa89a89e800b4ef29e62758572e19f10e75183959d8286

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

Filesize
761B

MD5
ffbdaf51f422f1599db4c1e4ff77a424

SHA1
f2b18879c3493984a89a96f1edeeb31c05613275

SHA256
cdbccd9cc11bde75095c6fa83b7d4f03249c688a2cd6f4176f264d7c52b1bcde

SHA512
31740b1aa1f83671b99983add080a8174f42d6752424de6ceaf18b76d4a142b011cb4f5b1ddcb804fb37d7a45b6c52c641c9229c77c0967bd4d53fe006a8be8f

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data\gdl_conf.db

Filesize
248KB

MD5
cc3733801ee562c3dc7054fe86f90980

SHA1
bfd8aab5ad354e107aac0b44f71b4da5bf2d273e

SHA256
abfd86d6a3a00ed4516cc623069f7bc63c8b7cab74b6ab5488261914b6a31265

SHA512
074f4d6aed5ca12f9ae57e73851bc091b2d4b097c35882e306e65c8308e29456c711bddc87e2fbd5aa6fa628ca335a16fe56423cd1e873aeabce64b244cc2a0a

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json

Filesize
8KB

MD5
8e09cafde8b74e46c28d0b6555791790

SHA1
4c47f7663d1e392c08d2ff9ab61f5abd3cddf50b

SHA256
8658fdddf0d94b19043c6d50c61f08bba93b9e23b5e273a4064081ec8d5ecb97

SHA512
7dd426364177ee147d78842cf9d94fc8d675be8db59ae9681c7c8ccc4590df1e78f7f209122ba59c553cb278ea8fe5707f8a44d8079355e56f1ae3d99a23b9bf

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

Filesize
309B

MD5
c73eed02e9096eb934621705c7b027dc

SHA1
dac46891ec969ab107d268eb1fee9886e2ffcfa2

SHA256
a03b0b340aed8599ba049f855f2f06733a5de4e9fa30349a779d24fffbf0d82d

SHA512
f6c54540b89ac50ffe8ff0b632eba6e4177e2fd173cee6d12cc96ba991be7aa55a26af30fd8a9a2d51bbf1bb3ce02e3b010b85cd1108c968ea8ce51836ef61ec

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

Filesize
2KB

MD5
3a58bdda1edc38b8ea3e87e77ea4f9b9

SHA1
997d4346c9e03211d7fc6c4a7478baaafd5546f6

SHA256
2ea1c747f67f7b7f75907b36d1b71f790517fb8031f81409b5f3bd52ba7dfa49

SHA512
c1b6324b4714fb0e332a7bc45f6aa1401adaee1a0e73b1dd3b0c8798406d1adf251e21e916353e1812688407d7e172eff467895015b67250749ed547c5938092

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

Filesize
695KB

MD5
6b3881189e3ce3d3f5fa45056580114a

SHA1
4c3b751cde3c7af1f14798956e202c16788c9447

SHA256
3a119d4ddbdfba9328041c73dd3ab894b5669f7e2ff698a8e4be93b6013f6f4d

SHA512
a5844fb4256d0af88fde5f0176cd22293a01250bb107275bad3b87d7431cdeac33784c75fb5475aaaec7fb3d1c37c8ff95e9120b9d51d1d38d49bae2215e267e

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\2.0.3\ow-electron-utility-plugin.node

Filesize
609KB

MD5
65d13c459f463cb50a50467d6cade186

SHA1
66752ed8509d4ceea88706107307684539cdc30d

SHA256
6dec6e2bf0384953490117d7e1f5b9875769b5acc6a10ff051d4eed02de07142

SHA512
6d8a781ed4bfee34123872762062ebd5f742458b4d7c96dcf4f7db8d509512dbf3321ec3c15805ed9d3288a6d05c481c5be113375598d98cc74d99be6b13884a

Download Submit
memory/740-169-0x000001C1FFFA0000-0x000001C1FFFC4000-memory.dmp

Filesize
144KB

Download
memory/740-168-0x000001C1FFFA0000-0x000001C1FFFCA000-memory.dmp

Filesize
168KB

Download
memory/740-167-0x000001C2000D0000-0x000001C200146000-memory.dmp

Filesize
472KB

Download
memory/1448-248-0x0000020F33690000-0x0000020F33691000-memory.dmp

Filesize
4KB

Download
memory/1928-459-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-452-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-451-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-462-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-457-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-463-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-460-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-458-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-461-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1928-453-0x000001E01C490000-0x000001E01C491000-memory.dmp

Filesize
4KB

Download
memory/1936-352-0x0000021833970000-0x0000021833971000-memory.dmp

Filesize
4KB

Download
memory/1952-363-0x00007FF9A8290000-0x00007FF9A8291000-memory.dmp

Filesize
4KB

Download
memory/2132-279-0x000002A482B40000-0x000002A482B41000-memory.dmp

Filesize
4KB

Download
memory/2196-166-0x0000014F7FDD0000-0x0000014F7FE14000-memory.dmp

Filesize
272KB

Download
memory/2196-152-0x0000014F7FD50000-0x0000014F7FD72000-memory.dmp

Filesize
136KB

Download
memory/3928-218-0x000001F205650000-0x000001F205651000-memory.dmp

Filesize
4KB

Download
memory/4292-224-0x0000023D6A6A0000-0x0000023D6A6D0000-memory.dmp

Filesize
192KB

Download
memory/4368-75-0x00007FF9A9020000-0x00007FF9A9021000-memory.dmp

Filesize
4KB

Download
memory/4368-74-0x00007FF9A9730000-0x00007FF9A9731000-memory.dmp

Filesize
4KB

Download
memory/4368-380-0x000001F78D590000-0x000001F78D5C0000-memory.dmp

Filesize
192KB

Download
memory/5084-324-0x000001DDE6310000-0x000001DDE6311000-memory.dmp

Filesize
4KB

Download