Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    13-11-2024 10:07

General

  • Target

    GDLauncher.exe

  • Size

    169.9MB

  • MD5

    be4a0b976dc22fa138414ea983c4055f

  • SHA1

    2e24cbc8b5af690cfe95adc54dcfec1cd6a69e2a

  • SHA256

    20b054c46a52908c4f71727228f409cc02f6e23ac50cc72c9729c4a81159ccd4

  • SHA512

    942733d8d076ccfc5a80c19f8c61191a789b9dd33c0998be1c671ed85b70a1dba14ec94b7318676803e4bd415000fe76ed4ec378527d7fb7d6887d08c750d8b0

  • SSDEEP

    1572864:1s+fxQiW1vVzbHpUcEtmLd7cF3PPHNzLuTe7ulsxM/Gyr/w7VoB4X+x2CFRXQQSl:ce8BWNg3DFxfy

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Checks computer location settings (2 TTPs, 4 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Drops file in Windows directory (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
    Uses the powershell.exe command.
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Checks processor information in registry (2 TTPs, 7 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Modifies registry class (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (41 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 1608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
    Behaviours: Checks computer location settings; Drops file in Windows directory; Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe (PID 4396)
      Command line: C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
      Behaviours: Suspicious use of WriteProcessMemory
      • C:\Windows\System32\reg.exe (PID 4416)
        Command line: C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4808)
      Command line: C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x528,0x52c,0x530,0x51c,0x534,0x7ff6e66ff648,0x7ff6e66ff654,0x7ff6e66ff660
    • C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe (PID 2600)
      Command line: C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
      Behaviours: Enumerates connected drives; Suspicious behavior: EnumeratesProcesses
      • C:\Program Files\Java\jdk-1.8\bin\java.exe (PID 2144)
        Command line: "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
      • C:\Program Files\Java\jre-1.8\bin\java.exe (PID 2608)
        Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
      • C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe (PID 1080)
        Command line: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
      • C:\Program Files\Java\jdk-1.8\bin\java.exe (PID 2992)
        Command line: "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
      • C:\Program Files\Java\jre-1.8\bin\java.exe (PID 4280)
        Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 3820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4652)
      Command line: C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
      Behaviours: Suspicious behavior: EnumeratesProcesses
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4784)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2220 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 2068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2684 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
      Behaviours: Checks computer location settings
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2016)
      Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      Behaviours: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4888)
      Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
      Behaviours: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4104)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3656 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
      Behaviours: Checks computer location settings
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=adb74a79-b134-1e29-8428-787d6dcb8380 --phase=63 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
      Behaviours: Checks computer location settings; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3712 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
    • C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 2116)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2296 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
      Behaviours: Suspicious behavior: EnumeratesProcesses
  • C:\Windows\system32\AUDIODG.EXE (PID 4424)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x50c 0x500


Downloads
