Overview
Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 13-11-2024 10:07
Tasks
static1: Static task
All behavioral tasks below ran on resource win10ltsc2021-20241023-en.
behavioral1: GDLauncher__2.0.20__win__x64.exe
behavioral2: $PLUGINSDIR/SpiderBanner.dll
behavioral3: $PLUGINSDIR/StdUtils.dll
behavioral4: $PLUGINSDIR/System.dll
behavioral5: $PLUGINSDIR/WinShell.dll
behavioral6: GDLauncher.exe
behavioral7: LICENSES.chromium.html
behavioral8: d3dcompiler_47.dll
behavioral9: ffmpeg.dll
behavioral10: libEGL.dll
behavioral11: libGLESv2.dll
behavioral12: owutility.dll
behavioral13: resources/binaries/core_module.exe
behavioral14: resources/elevate.exe
behavioral15: vk_swiftshader.dll
behavioral16: vulkan-1.dll
behavioral17: $PLUGINSDIR/nsExec.dll
behavioral18: $PLUGINSDIR/nsis7z.dll
behavioral19: $R0/Uninstall GDLauncher.exe
behavioral20: $PLUGINSDIR/INetC.dll
behavioral21: $PLUGINSDIR/StdUtils.dll
behavioral22: $PLUGINSDIR/System.dll
behavioral23: $PLUGINSDIR/WinShell.dll
behavioral24: $PLUGINSDIR/nsExec.dll
General
Target: GDLauncher.exe
Size: 169.9MB
MD5: be4a0b976dc22fa138414ea983c4055f
SHA1: 2e24cbc8b5af690cfe95adc54dcfec1cd6a69e2a
SHA256: 20b054c46a52908c4f71727228f409cc02f6e23ac50cc72c9729c4a81159ccd4
SHA512: 942733d8d076ccfc5a80c19f8c61191a789b9dd33c0998be1c671ed85b70a1dba14ec94b7318676803e4bd415000fe76ed4ec378527d7fb7d6887d08c750d8b0
SSDEEP: 1572864:1s+fxQiW1vVzbHpUcEtmLd7cF3PPHNzLuTe7ulsxM/Gyr/w7VoB4X+x2CFRXQQSl:ce8BWNg3DFxfy
Signatures

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) \??\F: by core_module.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation by GDLauncher.exe (4 identical entries)

Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification C:\Windows\SystemTemp by GDLauncher.exe

Loads dropped DLL (1 IoC)
Processes:
  pid 416 GDLauncher.exe

Command and Scripting Interpreter: PowerShell
Processes:
  pid 2016 powershell.exe
  pid 4888 powershell.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (all GDLauncher.exe):
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz

Modifies registry class (7 IoCs)
Processes (all GDLauncher.exe):
  Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\""
  Key created \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher
  Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\URL Protocol
  Set value (str) \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\ = "URL:gdlauncher"
  Key created \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command
  Key created \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell
  Key created \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open

Suspicious behavior: EnumeratesProcesses (41 IoCs)
Processes (pid, process, number of entries):
  4652 GDLauncher.exe (4)
  2600 core_module.exe (5)
  4888 powershell.exe (3)
  2016 powershell.exe (3)
  416 GDLauncher.exe (22)
  2116 GDLauncher.exe (4)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token, pid, process):
  Token: SeDebugPrivilege 4888 powershell.exe
  Token: SeDebugPrivilege 2016 powershell.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 1608 GDLauncher.exe (the two tokens alternate, 41 entries in total)
  Tokens for 2016 powershell.exe, in report order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 1608 GDLauncher.exe (2 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, procid_target):
  PID 1608 wrote to memory of 4396, 1608 GDLauncher.exe, target 85 (2 entries)
  PID 4396 wrote to memory of 4416, 4396 cmd.exe, target 87 (2 entries)
  PID 1608 wrote to memory of 4808, 1608 GDLauncher.exe, target 88 (2 entries)
  PID 1608 wrote to memory of 2600, 1608 GDLauncher.exe, target 89 (2 entries)
  PID 1608 wrote to memory of 3820, 1608 GDLauncher.exe, target 91 (repeated entries)
  PID 1608 wrote to memory of 4652, 1608 GDLauncher.exe, target 92 (2 entries)
  PID 1608 wrote to memory of 4784, 1608 GDLauncher.exe, target 93 (2 entries)
  PID 1608 wrote to memory of 2068, 1608 GDLauncher.exe, target 94 (repeated entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 1608)
   Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
   Signatures: Checks computer location settings; Drops file in Windows directory; Checks processor information in registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

   1.1. C:\Windows\system32\cmd.exe (PID 4396)
        Command line: C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
        Signatures: Suspicious use of WriteProcessMemory

        1.1.1. C:\Windows\System32\reg.exe (PID 4416)
               Command line: C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

   1.2. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4808)
        Command line: C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x528,0x52c,0x530,0x51c,0x534,0x7ff6e66ff648,0x7ff6e66ff654,0x7ff6e66ff660

   1.3. C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe (PID 2600)
        Command line: C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
        Signatures: Enumerates connected drives; Suspicious behavior: EnumeratesProcesses

        1.3.1. C:\Program Files\Java\jdk-1.8\bin\java.exe (PID 2144)
               Command line: "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

        1.3.2. C:\Program Files\Java\jre-1.8\bin\java.exe (PID 2608)
               Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

        1.3.3. C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe (PID 1080)
               Command line: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

        1.3.4. C:\Program Files\Java\jdk-1.8\bin\java.exe (PID 2992)
               Command line: "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

        1.3.5. C:\Program Files\Java\jre-1.8\bin\java.exe (PID 4280)
               Command line: "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

   1.4. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 3820)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

   1.5. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4652)
        Command line: C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
        Signatures: Suspicious behavior: EnumeratesProcesses

   1.6. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4784)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2220 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

   1.7. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 2068)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2684 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
        Signatures: Checks computer location settings

   1.8. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2016)
        Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

   1.9. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4888)
        Command line: powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

   1.10. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4104)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3656 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
        Signatures: Checks computer location settings

   1.11. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 416)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=adb74a79-b134-1e29-8428-787d6dcb8380 --phase=63 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
        Signatures: Checks computer location settings; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

   1.12. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 4416)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3712 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

   1.13. C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe (PID 2116)
        Command line: "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2296 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses

2. C:\Windows\system32\AUDIODG.EXE (PID 4424)
   Command line: C:\Windows\system32\AUDIODG.EXE 0x50c 0x500
Network
MITRE ATT&CK Enterprise v15
Downloads