Malware Analysis Report

2024-12-07 16:13

Sample ID: 241113-l5t4qasrfm
Target: GDLauncher__2.0.20__win__x64.exe
SHA256: 2718e831ac3db9a05ad546de42908348e6aaf55ba5025292d23dc274bfcb6c38
Tags: discovery, execution, spyware, stealer
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral23, behavioral8, behavioral9, behavioral11, behavioral14, behavioral20, behavioral21, behavioral22, behavioral4, behavioral6, behavioral7, behavioral10, behavioral12, behavioral17, behavioral2, behavioral5, behavioral15, behavioral24, behavioral1, behavioral3, behavioral13, behavioral16, behavioral18, behavioral19 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 6/10

SHA256: 2718e831ac3db9a05ad546de42908348e6aaf55ba5025292d23dc274bfcb6c38

Threat Level: Shows suspicious behavior

The file GDLauncher__2.0.20__win__x64.exe was classified as: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, execution, spyware, stealer

Enumerates connected drives

Checks computer location settings

Drops file in System32 directory

Executes dropped EXE

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Browser Information Discovery

Reads user/profile data of web browsers

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 10:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral23

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 99s
Max time network: 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2236 -ip 2236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 616

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 107s
Max time network: 139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 149s
Max time network: 159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffmpeg.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 148s
Max time network: 159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libGLESv2.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp
IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 107s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Signatures

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe

"C:\Users\Admin\AppData\Local\Temp\resources\elevate.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp
IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 98s
Max time network: 141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3168 wrote to memory of 4064 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\INetC.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4064 -ip 4064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 624

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 98s
Max time network: 138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4708 wrote to memory of 1980 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 628

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 98s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 3668 wrote to memory of 4156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4156 -ip 4156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 97s
Max time network: 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2028 wrote to memory of 4024 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp
NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-11-13 10:07
Reported: 2024-11-13 10:13
Platform: win10ltsc2021-20241023-en
Max time kernel: 150s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SystemTemp | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\URL Protocol | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\ = "URL:gdlauncher" | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open\command | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\gdlauncher\shell\open | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1608 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Windows\system32\cmd.exe
PID 1608 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Windows\system32\cmd.exe
PID 4396 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\reg.exe
PID 4396 wrote to memory of 4416 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\reg.exe
PID 1608 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 4808 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
PID 1608 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe | C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
PID 1608 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x528,0x52c,0x530,0x51c,0x534,0x7ff6e66ff648,0x7ff6e66ff654,0x7ff6e66ff660

C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe

C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1896 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2220 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2684 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3656 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Program Files\Java\jdk-1.8\bin\java.exe

"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=adb74a79-b134-1e29-8428-787d6dcb8380 --phase=63 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe

"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_37343\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files\Java\jdk-1.8\bin\java.exe

"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3712 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x50c 0x500

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2296 --field-trial-handle=1900,i,5426585292859037850,14187559662413195545,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.gdl.gg udp
US 172.67.73.58:443 api.gdl.gg tcp
US 8.8.8.8:53 electronapi.overwolf.com udp
US 8.8.8.8:53 electronapi.overwolf.com udp
US 8.8.8.8:53 tracking.overwolf.com udp
US 8.8.8.8:53 tracking.overwolf.com udp
US 8.8.8.8:53 analyticsnew.overwolf.com udp
US 8.8.8.8:53 analyticsnew.overwolf.com udp
US 8.8.8.8:53 unpkg.com udp
US 8.8.8.8:53 unpkg.com udp
US 8.8.8.8:53 features.overwolf.com udp
US 8.8.8.8:53 features.overwolf.com udp
FR 13.249.9.62:443 electronapi.overwolf.com tcp
FR 18.245.175.10:443 analyticsnew.overwolf.com tcp
FR 18.245.175.10:443 analyticsnew.overwolf.com tcp
US 52.21.153.248:443 tracking.overwolf.com tcp
US 52.21.153.248:443 tracking.overwolf.com tcp
US 104.17.246.203:443 unpkg.com tcp
FR 3.165.136.129:443 features.overwolf.com tcp
US 52.21.153.248:443 tracking.overwolf.com tcp
US 8.8.8.8:53 content.overwolf.com udp
US 8.8.8.8:53 content.overwolf.com udp
FR 18.244.28.67:443 content.overwolf.com tcp
US 8.8.8.8:53 62.9.249.13.in-addr.arpa udp
US 8.8.8.8:53 58.73.67.172.in-addr.arpa udp
US 8.8.8.8:53 10.175.245.18.in-addr.arpa udp
US 8.8.8.8:53 203.246.17.104.in-addr.arpa udp
US 8.8.8.8:53 129.136.165.3.in-addr.arpa udp
US 8.8.8.8:53 248.153.21.52.in-addr.arpa udp
US 8.8.8.8:53 67.28.244.18.in-addr.arpa udp
FR 18.245.175.10:443 analyticsnew.overwolf.com tcp
US 172.67.73.58:443 api.gdl.gg tcp
US 8.8.8.8:53 electrondl-overwolf-com.akamaized.net udp
US 8.8.8.8:53 electrondl-overwolf-com.akamaized.net udp
GB 2.19.117.102:443 electrondl-overwolf-com.akamaized.net tcp
US 8.8.8.8:53 content.overwolf.com udp
US 8.8.8.8:53 content.overwolf.com udp
FR 18.244.28.15:443 content.overwolf.com tcp
FR 18.244.28.15:443 content.overwolf.com tcp
FR 18.244.28.15:443 content.overwolf.com tcp
US 8.8.8.8:53 102.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 15.28.244.18.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 cdn-raw.gdl.gg udp
US 8.8.8.8:53 cdn-raw.gdl.gg udp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 172.67.73.58:443 cdn-raw.gdl.gg udp
US 172.67.73.58:443 cdn-raw.gdl.gg tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 127.0.0.1:1025 tcp
N/A 127.0.0.1:1025 tcp
N/A 127.0.0.1:1025 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.4.4:443 dns.google udp
US 54.83.233.222:443 tcp
US 8.8.8.8:53 222.233.83.54.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

\??\pipe\crashpad_1608_VQJZTAZVMVJUMJBC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data\gdl_conf.db

MD5 cc3733801ee562c3dc7054fe86f90980
SHA1 bfd8aab5ad354e107aac0b44f71b4da5bf2d273e
SHA256 abfd86d6a3a00ed4516cc623069f7bc63c8b7cab74b6ab5488261914b6a31265
SHA512 074f4d6aed5ca12f9ae57e73851bc091b2d4b097c35882e306e65c8308e29456c711bddc87e2fbd5aa6fa628ca335a16fe56423cd1e873aeabce64b244cc2a0a

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/2068-64-0x00007FFF41FE0000-0x00007FFF41FE1000-memory.dmp

memory/2068-63-0x00007FFF41B10000-0x00007FFF41B11000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

memory/4888-139-0x000001FBD6550000-0x000001FBD6572000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edvnmk3u.jvi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4888-157-0x000001FBD6A80000-0x000001FBD6AC4000-memory.dmp

memory/4888-166-0x000001FBD6B50000-0x000001FBD6BC6000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/2016-188-0x000001C446C00000-0x000001C446C2A000-memory.dmp

memory/2016-190-0x000001C446C00000-0x000001C446C24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JavaCheck.class

MD5 8098d31488cd52db41f95188b9daed5e
SHA1 76988b607c667c86211fe1dfe57ed4aedacc5691
SHA256 c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5
SHA512 e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78

memory/2144-221-0x0000019882F80000-0x0000019882F81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 432f9dde51413638aa680afc11009cee
SHA1 3a457e5820bae4e2e8f4c805e020e6431fd90fcd
SHA256 882b1f9d2025c7bdd95f6bf95011745281f84b65326027b5ad7903e67cb5ca65
SHA512 b3a7be48d871b29bc995bacd66d66cbc2def0723fe232f3b58826581954c30c95c8c235ab63d026b576294ca7ab45ccded9a6f35a7121f311f71c429cbf59549

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6e8a22d25f5b76a8d6ec8aee6df8be5f
SHA1 c587d7d3db3925a4a74782de196b7b05fb73e73e
SHA256 c12f1de062291c115fd4af16fb0b5236d75e063d65841f5be33d35018812f5fc
SHA512 76b9e5729d65622b8c0e1e1292a92c6df3021cccf0516f9f19af0dac23514b593296d445111071912b2d5e7afa184707f3b189d955c9e77ba4226fc1be0aa7b2

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\owpm.log

MD5 0e9058fb9054d5b35feb01048bf6b84f
SHA1 3c69f0d1ae047e1c1e34437db0309a1d77a66de8
SHA256 9c98754c8fe719f5bbd0186fb16a4564fcbabb0ffe73be89b2a7abdca4de72df
SHA512 2f31dc897fb9939d938f5794045d6db39093ea8aa3b8203ac4afdd43392d4be7ee52bfb2ce78b3adfbeda3b8c678f49c44dce7609da4dd83a1a986eda80c90a5

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

MD5 9c01e71fd87f8548f1433a01bd41cc01
SHA1 f3961505e96038d96f0f87f3e47f5e49e66c390d
SHA256 cefa09c7f9c0309fbb3f49ea34cae8ccd095d6612f3fc1b9c8e1912e1ad44d5d
SHA512 36641fabf05de49e1bb5f99acec7dfa0388dae44bab1e564b70d47512ec059958b1109a67454759021593826b4c1b605021047385144c79303fce1a5e55776d9

memory/2608-264-0x000002D6ABC20000-0x000002D6ABC21000-memory.dmp

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\2.1.3\ow-electron-utility-plugin.node

MD5 2e8dec2f5f64f92ee8a906817dfa20f6
SHA1 8ceeac10c096e7e0dae87c1b5283c3d66d421652
SHA256 6b6b2c7784b4b3bd2f9709df3093b49197005e047e74b0784d80482e1cc17fab
SHA512 8e17acf0cf73836eef6961d1ec3e3e91489ae8b933c33b96812c5bcde908c9ac5a812cbbf19b41489bcaabc005fd51550b3f277c6678f6026f3a06c3b824f617

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

MD5 13fef188aa9b7a37cf0676774b028d57
SHA1 8f7cfb4dd48054f0c37af40bf7b48907e1be176f
SHA256 04e0ed55cdc3778773dc70400a2f15b0275ad9d412ec61568d24dd4fbfc158ce
SHA512 8e95ce8f5bf742231be690e5c11ae65381a638512bb59cf50a2f449a54c31da1f0cf5e049d907e4b87425e695da1675a3b1d638355881b099c0172c9d7a2dde6

memory/1080-299-0x000001F9E75D0000-0x000001F9E75D1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 792a0f700e26a7cbe9b6c90271e359bd
SHA1 15d27d64261809f0524eb6ebfd5daa6696caaf54
SHA256 afd610b3ea1f4f5ec55af89e56acc435678b31f7eb7d29fe2db5dda2a97f3200
SHA512 b4ac23efa712326e95b0589b171303665d12a4628e3b299aa3dbc5bb9d411c2d3cfa263f9dd297f57eabf38fda492dbf793f5ec9a249194d737712b0166a3c11

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

MD5 2e47aa8190afff4bf724b4aa049adfba
SHA1 563ea9db82686da1f072ce83c2877bfea3c1e3de
SHA256 0f40fbba7080f3f7d10295a4c96fc549943359a92310e2484cd1548af65d2e72
SHA512 b33d74693b4be5640e515291c962a8b74e97578f2e981dde78aea48137a83c8530daeb28ed27af78e15adce30af8e03c05c9961914f6fcee5a1eb216865d9f74

C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

MD5 c5eb8f040f95db8be9b01b83df45e753
SHA1 4b69a1df2c60462320a1aceb0b7ec593412bfe9e
SHA256 aa9569442bc21bc4c3c7274884e4df364b939b413514acd645c1d2566772c8d3
SHA512 453bb0297871e34b7f5be358ab9efd59a12cfff3db73b0c3d1c32cee63f21e59d6d3ea46171a92f1a7a04cc5b89b6db801a548589d22329d72d48f6e9d3c9f9d

memory/2992-325-0x000001EF9BDF0000-0x000001EF9BDF1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 d0d555099f56613fbbfc4292e37ecb30
SHA1 da5e5ab0258d99a80b6f4fdcf97df7896cc9e24f
SHA256 7c88153f8f886cafe15cedc4db45027b03a6428db3a5f4add4f4d87edc88cfa5
SHA512 a6ecbc1fbe5fb0604f96a2da8e5fbc65da0d4313078086dcedebce981a793c5b8626d8b161b88075b53fa3feb1f4978e86ca2e8a6faba4febfbfade4b6f2d4d5

memory/4280-338-0x0000018FA0F70000-0x0000018FA0F71000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json

MD5 2ec4455ef4cd9361bd12254a88f46b9c
SHA1 31d3b2ee78a07fda1b2d9bb78b1fa014bc1e4600
SHA256 18a87971ca52f0f068213cd0679132af21e6496890cd169b021d87dd5e5dff79
SHA512 32214c0ab4dc8dff6e3553c8d6d59429e2d764789ed040bebc988dcb463570a8fdce15a9c6096eb2c9e9d202f1432cb8c120124c305ee614f64722a07a4382b6

memory/4416-350-0x00007FFF418D0000-0x00007FFF418D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\9479decd-abd9-4121-97a1-cd012a6ebcc3.tmp

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

MD5 ce0d22daa2e8f958cb81f26f36c9fa31
SHA1 093f8e1c8c045950cdeca4814a0a27a94a69aebd
SHA256 4645a3dc2ce227f59359d5df18d03ee6c51fa116b996f2b8be0259ed8c495956
SHA512 066af56b9b2011ec14e1f3e30aa11c5caa74d2cee620483f648506f918d3b1042695fefa36888196d39285f1b1b13372991c6ed74fa6d65f265d37a023f9ccc8

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

MD5 54360ea374d7b08f5f47ff42f2b0ad12
SHA1 cca2fe5c6699df8931a81ed8e38dcb7bf004ead0
SHA256 90a1a52f056d2272e3ec7a8333d76e4633d72ba0b9caee83ca5abbc8bea886e3
SHA512 153b6071ded92ccd51d0596ef1d5552cdca4123c2c8ea19df96bce2bb9caaa2f11eb54c5c5330f9a3dcffc2d58dac4c9c9289961cf7862bbebbd0e4cbb0d2e29

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

memory/2116-430-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-431-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-429-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-441-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-440-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-439-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-438-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-437-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-436-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

memory/2116-435-0x000001CE71BC0000-0x000001CE71BC1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1adb15e5-adbf-4902-9e27-d8f4aadc6501.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241113101100.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2572 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2572 wrote to memory of 1984 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2572 wrote to memory of 1648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd87c346f8,0x7ffd87c34708,0x7ffd87c34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c19f5460,0x7ff6c19f5470,0x7ff6c19f5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15606408485325213058,13213589462616859574,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 /prefetch:2

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2572_HCDLAMDYSGALGZDZ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

148s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libEGL.dll,#1

Network

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\owutility.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\owutility.dll,#1

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3588 wrote to memory of 2444 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2444 -ip 2444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 612

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2392 wrote to memory of 3476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SpiderBanner.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

97s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 704 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 704 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 704 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WinShell.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vk_swiftshader.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

99s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3224 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3224 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:12

Platform

win10ltsc2021-20241023-en

Max time kernel

129s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemTemp C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\URL Protocol C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\ = "URL:gdlauncher" C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open\command C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Key created \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\@gddesktop\\GDLauncher.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Windows\system32\cmd.exe
PID 1876 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Windows\system32\cmd.exe
PID 1624 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1624 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\reg.exe
PID 1876 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe
PID 1876 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe
PID 1876 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe

"C:\Users\Admin\AppData\Local\Temp\GDLauncher__2.0.20__win__x64.exe"

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"

C:\Windows\System32\reg.exe

C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.20 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x54c,0x550,0x554,0x540,0x558,0x7ff69e23f648,0x7ff69e23f654,0x7ff69e23f660

C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe

C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1916 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2224 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe --type=cs --cs-app=GDLauncher

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2744 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3688 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1

C:\Program Files\Java\jdk-1.8\bin\java.exe

"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3868 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Programs\@gddesktop\resources\app.asar" --muid=cf701bf4-8488-e645-a22f-d66c86cf2be8 --phase=58 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_36812\java.exe

"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_36812\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files\Java\jdk-1.8\bin\java.exe

"C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck

C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe

"C:\Users\Admin\AppData\Local\Programs\@gddesktop\GDLauncher.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=3768 --field-trial-handle=1920,i,4865514398348347194,4484253133229551319,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x320 0x2c0

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 api.gdl.gg udp
US 172.67.73.58:443 api.gdl.gg tcp
US 8.8.8.8:53 58.73.67.172.in-addr.arpa udp
US 8.8.8.8:53 electronapi.overwolf.com udp
US 8.8.8.8:53 electronapi.overwolf.com udp
FR 13.249.9.99:443 electronapi.overwolf.com tcp
US 8.8.8.8:53 tracking.overwolf.com udp
US 8.8.8.8:53 tracking.overwolf.com udp
US 8.8.8.8:53 analyticsnew.overwolf.com udp
US 8.8.8.8:53 analyticsnew.overwolf.com udp
US 8.8.8.8:53 unpkg.com udp
US 8.8.8.8:53 unpkg.com udp
US 8.8.8.8:53 features.overwolf.com udp
US 8.8.8.8:53 features.overwolf.com udp
US 3.208.91.189:443 tracking.overwolf.com tcp
US 3.208.91.189:443 tracking.overwolf.com tcp
US 104.17.247.203:443 unpkg.com tcp
FR 18.245.175.87:443 analyticsnew.overwolf.com tcp
FR 18.245.175.87:443 analyticsnew.overwolf.com tcp
FR 3.165.136.48:443 features.overwolf.com tcp
US 3.208.91.189:443 tracking.overwolf.com tcp
US 8.8.8.8:53 content.overwolf.com udp
US 8.8.8.8:53 content.overwolf.com udp
FR 18.244.28.15:443 content.overwolf.com tcp
US 8.8.8.8:53 99.9.249.13.in-addr.arpa udp
US 8.8.8.8:53 203.247.17.104.in-addr.arpa udp
US 8.8.8.8:53 87.175.245.18.in-addr.arpa udp
US 8.8.8.8:53 48.136.165.3.in-addr.arpa udp
US 8.8.8.8:53 189.91.208.3.in-addr.arpa udp
US 8.8.8.8:53 15.28.244.18.in-addr.arpa udp
US 172.67.73.58:443 api.gdl.gg tcp
FR 18.245.175.87:443 analyticsnew.overwolf.com tcp
US 8.8.8.8:53 electrondl-overwolf-com.akamaized.net udp
US 8.8.8.8:53 electrondl-overwolf-com.akamaized.net udp
GB 2.19.117.100:443 electrondl-overwolf-com.akamaized.net tcp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 content.overwolf.com udp
US 8.8.8.8:53 content.overwolf.com udp
FR 18.244.28.15:443 content.overwolf.com tcp
FR 18.244.28.15:443 content.overwolf.com tcp
FR 18.244.28.15:443 content.overwolf.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 cdn-raw.gdl.gg udp
US 8.8.8.8:53 cdn-raw.gdl.gg udp
US 8.8.8.8:443 dns.google tcp
US 104.26.1.51:443 cdn-raw.gdl.gg udp
US 104.26.1.51:443 cdn-raw.gdl.gg tcp
US 8.8.8.8:53 51.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:1025 tcp
N/A 127.0.0.1:1025 tcp
N/A 127.0.0.1:1025 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\SpiderBanner.dll

MD5 17309e33b596ba3a5693b4d3e85cf8d7
SHA1 7d361836cf53df42021c7f2b148aec9458818c01
SHA256 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
SHA512 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\nsis7z.dll

MD5 80e44ce4895304c6a3a831310fbf8cd0
SHA1 36bd49ae21c460be5753a904b4501f1abca53508
SHA256 b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592
SHA512 c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\chrome_100_percent.pak

MD5 4fc6564b727baa5fecf6bf3f6116cc64
SHA1 6ced7b16dc1abe862820dfe25f4fe7ead1d3f518
SHA256 b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb
SHA512 fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\chrome_200_percent.pak

MD5 47668ac5038e68a565e0a9243df3c9e5
SHA1 38408f73501162d96757a72c63e41e78541c8e8e
SHA256 fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32
SHA512 5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\d3dcompiler_47.dll

MD5 5a614e7d0fdfa8b37e8e050361c2909a
SHA1 8ed59dc41bac11ba10344bd426f69a57f9738de9
SHA256 568bcce599c8f67dc31e6472c419002490907d8b0fecca1f93da051d96977071
SHA512 f4fab716de19a77085f4deb85bb682161733d9b9e66a171ca5cfe235587c85d2192660552b44d836eaaf7a68191352ad599258e488921d8bb61d9ed074bf6c77

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\ffmpeg.dll

MD5 4c01b367aa3b0b9726a08074df302f94
SHA1 cae3a29495800bc30b33464c9ba00b8bb624ffee
SHA256 5e1fe207fd4919d26600ccb219c8849c35ccf3ccd5036cafaca0ea275afca32c
SHA512 0a912b65a769df5282c49e34839e2451fb06156f30b132f5e1f7677ed801be1d18403e1009fb02f43690c237cddb0e6555c8623a25de28bfbc87fb278d60a974

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\libEGL.dll

MD5 e18a27ba4b9ebd23505af33f1b4cabab
SHA1 5cc6c4738bb57c3a008d1f745aaa457891412736
SHA256 1307ff9dce08e39f24e7a3a43a8843191f951f0424bf2dd8ed4740e417de88b3
SHA512 2daa4d9b78ae00d9eecd8d336ce92abec3719d5650eb71d653f232380feecc6f68db7abc7b7ee1dd86efd6590e9ea10283a68acf63501a9dad6c37ed8ce4503c

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\libGLESv2.dll

MD5 03b1b0060eabab709ce88d844c4f6b6d
SHA1 cd3f6e4689d3a7d88b5c51e41bcc1a9d8db6bb2b
SHA256 1ec2db6b243365f7f8099fb29bc56b96076299ee48e007474e6d769353a8bc05
SHA512 92b87c005635b49d80d355f6b3de0ee1513f35e25ba666974a4772b1ccc9d220ce51789656bd85302fa006d4490a1999eaeb75a4f459519a9de992d84e5b5a96

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\LICENSE.electron.txt

MD5 4d42118d35941e0f664dddbd83f633c5
SHA1 2b21ec5f20fe961d15f2b58efb1368e66d202e5c
SHA256 5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d
SHA512 3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\LICENSES.chromium.html

MD5 fcb299831276a7c8bdeb036142da1c25
SHA1 bf6990abb92ab627b7f2e7aecbd5a58b86d2e09a
SHA256 6daa3cd398e5380222c6b6bdb4d66a4b4273d4bb74d6bf53495a5722f03ac0dc
SHA512 1e31ac0b6836d24488e32d04b5028ac2a9e00ebd8e29aaf742d9e0cdb50d5a9d4f7bcc3919b22a793552d31aaed2104415268f14e903754bf25a86510fbc98c9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\owutility.dll

MD5 2c050de41b36dabdaeeacf38e76b6c9b
SHA1 aa6fccc7cf02c97079f21e179c8217beaa69c32a
SHA256 b8d800a059fcb3f7a687dc87d9cefcc527f22b0fdadf11bf2400ae8007d2ac0f
SHA512 11a2b85701ecf4d7f0e220e2cc86f85460dd923f3429bcbb65755e4dc00fd073dfa2e46a3f0f1c09e19d68865b09292ac02a7bda65b8849283521f558f2bb568

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\resources.pak

MD5 b5392415d53abf8bfd55923a09d22086
SHA1 f1dc1dd77a762e541885c34b492734263791c5ed
SHA256 87dfc68cc6d5626e9c27e49c540878fdec2851ff9546932ffde65fb9e7ba61c7
SHA512 b4e837a5fd7a39bbf88cb8ff71d49bacc898ac18ba9b3da505e9d6e6d436c4388dce5ae7a1856a04624dce237bebfc442f489a866aff30d85ab29b35228371fa

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\snapshot_blob.bin

MD5 d20922aefcad14dc658a3c6fd5ff6529
SHA1 75ce20814bdbe71cfa6fab03556c1711e78ca706
SHA256 b6bea91727efb8c88e7c059856553d3a47abd883e60dd60efc01b04dc6eec621
SHA512 dbd63a9f01feb3c389c11b55d720b5d689558626041fb1dd27ded2be602e5e2a8d210f785fde025d7b9959f81de3df7fef06981269b58be564df05aec190dd1c

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\v8_context_snapshot.bin

MD5 1e4da0bc6404552f9a80ccde89fdef2b
SHA1 838481b9e4f1d694c948c0082e9697a5ed443ee2
SHA256 2db4a98abe705ef9bc18e69d17f91bc3f4c0f5703f9f57b41acb877100718918
SHA512 054917652829af01977e278cd0201c715b3a1280d7e43035507e4fa61c1c00c4cd7ed521c762aebd2ea2388d33c3d4d4b16cee5072d41e960021b6f38745a417

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\vk_swiftshader_icd.json

MD5 8642dd3a87e2de6e991fae08458e302b
SHA1 9c06735c31cec00600fd763a92f8112d085bd12a
SHA256 32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9
SHA512 f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\vk_swiftshader.dll

MD5 925338079e6608119e33e79a44bf8f73
SHA1 9e857d320819f88d72e219452a1c7ac0b87b5e2e
SHA256 e43c94e95d0a88951b25927457c45986e7ed9633fec476dba6ead8f4e6079eb6
SHA512 3d6e4584c2ce610c167a6c88fea337861772873367c67fc8762c070d8d88ee333c49a58b00562168235f9a803b58cdfa5876e9f418b9d3c1f418147dc74fa6f7

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\vulkan-1.dll

MD5 1564b094baaf6d9a34c07160ecd3016b
SHA1 4d40959f7e5423e05aeea55833a7dc19800b9965
SHA256 b45d5e6bf092d779060829894a61ec312f806bf8b2f73dc4fa18d1ce3ef69c2e
SHA512 775c8a5c4dd11af46c884a10ac53ae2a93bb7f5acc864ee2f74d3df52bbad417fc978e83876a4a52860a121ec17a92e18adb79c5f1ccfa615091a26b401013fb

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\af.pak

MD5 862a2262d0e36414abbae1d9df0c7335
SHA1 605438a96645b9771a6550a649cddbb216a3a5b1
SHA256 57670eae6d1871e648ad6148125ee82d08575bec5b323459fc14c3831570774a
SHA512 a789a4cad72106a5c64d27709b129c4ae6284076f147b7c3fcb808b557a3468b4efe3ede28033f981335d5eab986532c0497ddd6ed24b76189fe49366692ee73

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\am.pak

MD5 4eaa15771058480f5c574730c6bf4090
SHA1 2b0322aae5a0927935062ea89bd8bd129fa77961
SHA256 b05dcb8136751aee5eced680a5bad935e386bfce657dd283d3ec00ee722fd740
SHA512 b67e7dd24eadc91d4cd920f8864cfb23a9c67b2cecd54ec97e01705636604ce504dc417d6af1c53f374b58eddf71a12bb82248bd8fd68307161d4833342681a9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ar.pak

MD5 2b2dfafb0d258c1d2b58e51ae1ee9ab5
SHA1 2a538491ff4023d29bdf2a053447c6016138d9f2
SHA256 ea49bc2ceb6b185030eaa0ee0155feca90e632390417299113b02fbe365ff731
SHA512 6b629ed83edfea1b1ff3c379009332e413c420de651a24160fae859e1e0948fbebab99c9da714df6dfad3b9e472dece7bee95815ceca428183f4ac0bd6d42ff3

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\bg.pak

MD5 0e8005b17ac49f50fb60f116f822840d
SHA1 f2486da277de22e5741356f8e73e60b7a7492510
SHA256 50e4f6b9c387adf4baba3377c61d99326cc3987928d8d60b88d1ac29352820ea
SHA512 5df18bbeabd56e70d4c5a80dee5b7ce48259000665941634937e556e3b3a1c6403aa45c410f6f755607549c9dd35d722987b447c50efca51228ffeca4628756d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\bn.pak

MD5 c8173f0cc63ca9e02c07abec94892b53
SHA1 2688b199cc40bb2082247fa451eac1304608e48b
SHA256 e6adcfb4f3b3bccd4a27edadc168b503c36551cd6b27fb24043efeb21f691ce5
SHA512 3d2317430722dc15c5d938fa55235af1caa03dcff7a574b44d37d89e7cf2c94dd2e84518b3eeca4a5a8dbec1b99d94aed97429aaf55c63998002d50ce9cb5019

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ca.pak

MD5 d193a3ac614f64f4754c9df5cf00e880
SHA1 0da0f7c1a4048074f6fe9d70704aa93ff75e42f9
SHA256 4ecfa3785ab52564e0bd7dda04d59a30163561588a04f3bd1b1b71de051d2c53
SHA512 e85d18951f9a1a86514d577f9b19a4b3727523c15b4ccdd17217f6fdf69a0e774a36874108a05de1be3dcee1720b0cb19eced2d3283f57f41f5f9c5e233e1c68

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\cs.pak

MD5 70f320d38d249b48091786bd81343afc
SHA1 367decdcdad33369250af741b45bdc2ca3b41ab3
SHA256 1c9448ea3aefce1a7e1491e73af91af772d8b22d538676a2beab690558e668fa
SHA512 02b08ed9261fd021e367995551defaf4b4f54c357409a362f4d2470423644913375cac444f62153ec2963a84880a30a36f827dbfacdd76a6222838c276cf5082

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\da.pak

MD5 0e4207e2cf5741a8968617df9174a681
SHA1 bf9b7558141ad30bbc921992e48d48cd6d6ab475
SHA256 438d2b1fd396c2108ca3902f69eeb372219edd5d95fe70970d8ee9e64556c9a4
SHA512 4ed8368013912c408f7e5f7b4f6f1748834e5506307b92f4b669c557efd27363a55b4e2918eb7707e798878c9492b765f24ab9c90e843f54e8641c4646bc72da

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\de.pak

MD5 141045fc1f94f93e82db06db4f7321c8
SHA1 d63d226c531a710359cb65f4e6aa190f593b4d54
SHA256 47253e2fcf0e4691f29b3ebbe8f888a97b28d6aeaf73ab000857a6b8d0907ff3
SHA512 85c27fdc9a2cb9310bfbb05d0bcd668eb2156a37765d8fb59496739f6f1eae12afcbaadf5eea8f2db2ad8c8a0602f83500bff9cb71a429174a80bee16ec10118

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\el.pak

MD5 16bcd10bc81dd8a5b3ad76c90cfb9614
SHA1 240395860971fb9205d28602d4d4995007ee5c75
SHA256 6a06d1d6b566214f7c3b693052beec488f7aae5ceeca26781a5d66fade39388b
SHA512 353a26b21848f4dd30b3aa1f4196b23571e177893ec6912db4570493664ed987e688fd66c04e509ecc58233476ebe59453260bc3569136f275fcd681ae54a174

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\en-GB.pak

MD5 a1aa885be976f3c27a413389ea88f05f
SHA1 4c7940540d81bee00e68883f0e141c1473020297
SHA256 4e4d71f24f5eea6892b961fcda014fc74914c1340366f9c62f0535e9b94ae846
SHA512 8b6d67e09fbe7a2152a71532a82c1e301d56cdde34b83a9f17d9f471e258b255d5b2d4a0c39f38581da3a31cec24fb403156a8e493560d7206e1ec3db7e68b72

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\en-US.pak

MD5 809b600d2ee9e32b0b9b586a74683e39
SHA1 99d670c66d1f4d17a636f6d4edc54ad82f551e53
SHA256 0db4f65e527553b9e7bee395f774cc9447971bf0b86d1728856b6c15b88207bb
SHA512 9dfbe9fe0cfa3fcb5ce215ad8ab98e042760f4c1ff6247a6a32b18dd12617fc033a3bbf0a4667321a46a372fc26090e4d67581eaab615bf73cc96cb90e194431

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\es-419.pak

MD5 088de6d12071ea5cf8d4a618ed45e7d5
SHA1 f12a76d18b84b17906f5f8cfc78cbb370b026b09
SHA256 d1019c780e836e0c30fe01928d23ecdd0ca04ed8ee886adb3428e3683e4ed6ea
SHA512 8da7326cf99cce53d7ccbec0c177ff9cf6dc0009431d6c89b3e8f0475bbcd0dac4c888460b535c1070ced62f1bf1c614bb0fbe9c5583e66c42f30d6e025ed7d6

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\es.pak

MD5 d584992a0670c5771147c01266d17362
SHA1 d6e70e43585564d520e4b1777fac0b1e7bc6ed37
SHA256 f6a01c26bc18dcf701e1d4b6ff76602f14c4bb9adf9dd176c9107d5aedb4503f
SHA512 39db436a05955a3ad3b54ace4f2f0e8a313797d3ae8eda9cf1cab6f2ea1edba0a82c30f3b589b8c5399ed06e9fcf4ce9059d3d5a07472f05ab1f0819e42d5b73

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\et.pak

MD5 e7ea23d6304d5d600d884f4e3b3cb2d7
SHA1 99fbef7eb1bde7df398cce9faf6c7c357769334a
SHA256 292eb18ec61502b0e952b447f73a66143c56dd95f170981945e5aab53a6b32b3
SHA512 23dfa1161d11faf440241b1f48f2ddbc8ec086a8e18da351734656551f0f54fe4c94b490c0d3ecc378a3de7f7713a1626a7a6c21da2500b9597b44fd08197d50

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\fa.pak

MD5 e2bee9eeeac231de237100fae0aa77c7
SHA1 5e5eeb59656e2f8f4f62bc618966d38cc06a385b
SHA256 7a856070430e3cfad15b96b153b1cb483cca9a1b9a43453df3707b09c748a3f2
SHA512 5593c4a48e679f0f6283c3bca69838f581b6f928cc7170737778458393b6b85fab0e6ca390bc5da840f4b79de9e638015bf341c1a95e8f99770886f5354ecff6

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\fi.pak

MD5 a9fc339d49ea069bd81380ae1fa0ef11
SHA1 5f376072f38e94e252d72c5660d8120a41d73469
SHA256 e6454458dfbe150112c37f8b02f8c72c593af22e8be16980ebc854ad113fb763
SHA512 3bee6723485a9eae4aa9bfd4e7fb490ce7a0aa12cbe41443b8bd28a26fe552cd31f4a1487bd98c6bc7774df1ea16b1de94ed0f52af59baf9e17b3db815404c4d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\fil.pak

MD5 cbb431da002cc8b3be6e9fe546cd9543
SHA1 19fbf2715098fc9f8faba1ac3b805e6680bbcca4
SHA256 ab107369d45e105a4cb4f2f6bc8da2a8c1b6c65d5e94a7ab3e703e619c083dae
SHA512 3cabbfd021e5814587dad266c4f5c9f624e9d9278f22658dafd65ff2ad2bdc5f6df8a8672614b296cea826819211e12f8e77f183007c0a79075e2f0980b99911

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\fr.pak

MD5 59e1e573153a209c56ae3bcb390b898f
SHA1 45f8a5469651c032c453b14bd68c85cdd6c75fc2
SHA256 976622fb851378f57f81423e5625e40d0753d7a5e34caed2c39e4b130a3427b8
SHA512 91f1b88ffb9f3362fbab7d607a68c4ca65e6b89fef7de0c986067ef7fd013c0ce35bce328ff3546cb7aafc296993e46a908ac506bb6a141088cfbc5ead948ba4

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\gu.pak

MD5 a9e6d8e291ffec28551fccf4d1b06896
SHA1 adc9784433fbf2ee89bcfe05baea21beb1820570
SHA256 716ea0433e19edb5113dc8a25ae67c2587bc17c7fb63a93ac473bdcef8f72d34
SHA512 3a60002dc6a9008cac78bbc050fc36d1053bfbd21ecf4d0579b2780985d4e7a7aec94483d8b0b8dd7a899b8435d54a27bba68917a23945431183eda021722697

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\he.pak

MD5 ec16b50e6575cd6863df282847cac3b0
SHA1 a59e089951c3a5dcfac165774c68651055b829e0
SHA256 c3955c97b6998f1806f8871fd3137f6f504bdd091f8bd1ff5ab8cd089474ae8e
SHA512 3c640430e3391be156aab26f6057e966348dff50ea946a02db947e2316d3a915c29f329faa26725a90af4d06ead7c7fc28cfa7573033b2b9546fd8e4d2bb7ab1

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\hi.pak

MD5 18bdd1d8d1d5c6a5fb2678abaa1ef6a9
SHA1 e40602e86e758a518ec70bb6a9cfa23107955301
SHA256 1f49622ec6682c90e03fc42c319074565cf9d3532a2a4e3798e2f6cc159b2e8a
SHA512 c859118e7c1be0642ba9bb1112a98a8fa7114a00711f578971a55aab7254b1ee9bb3899c852b79a002596f29e02f487267aca7033e38cbfd14c90b2989b9595e

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\hr.pak

MD5 d80178f9df2b72a24a7dc58b5aa13229
SHA1 cda864bbfc6935cb4e3e30a6eaeabbab5264d01d
SHA256 e442d083c32d752d1ef2225d84a4f1a91efab768e86fc63a7ed22c10fbf7e520
SHA512 c08380fc0c415a529a035e6e9c0eebc719766c656a3d9e3a782f21b4fef320688e1d11de8c3a5d0e59a102c9fbadcc960478a17c534500e137f4cb0e697ec9b9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\hu.pak

MD5 0b62fc2b60b8a92dc506550339766139
SHA1 abf0b1ae99ae40d87f86ee04bdba467674fc1039
SHA256 6ca150d0fc35492bafb411bbc520f3b34da6399969fa9685ae74201623882560
SHA512 aab6058e2f41282ac5a9394cdcd503efdeb6b9eb8b9a64cc1215e31a806e60a34966b6823f91a97bfb81656d91ccfef3a226165811e6f4208fa436e1d04c1242

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\id.pak

MD5 6a406a9adb5c25e35c6838828ef30c17
SHA1 2a1ea1dcb75217ace04254644845cd038df6a980
SHA256 af63384cf7d1d39e57decd823dff7538ab2b1e7e36e9ac61238477f7889d1d46
SHA512 ac7afa288b768a730027db0780b0f7c9f42ef990e4e22751ef1dc85e4841579a6e252293fb04d61b0cb591ccaa5c74d37bbd380afa15308c80ea32070019a361

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\it.pak

MD5 e0e5580e8882f0eae4b5b21e6c7828d4
SHA1 51e32e51458b5839112ed9dcaf500403c45ac1cd
SHA256 a7f555e7e797e1de1a66cfca8c7b709b0e542ca62e7de96e034701fcef316d0c
SHA512 1a2a4948a5538158e6dab7ca7b3b780ec7a66a0aadb889fd451e07b32336ea08b88b5d57759e335fa967f3b4bb1282e952b97e496d798758159c70eed2e5acb2

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ja.pak

MD5 dfd5ab27c326a1e1f87943a3079a2af2
SHA1 3aaa73a6668e1249e4d51c8fa8e0c6868fde9da6
SHA256 8260f4c9500b64d541386a8515fd0c9ddef82e3f044951b7b51a33ad81c1128f
SHA512 d701674fb6e19bcdf297b19a9fe3b81c7f446019a8c2fd3e90e19294765b1e8ad4f0e40e4bac65b2db313a4f83eb050b5871ee4d74f9ea372208b7abd76c524f

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\kn.pak

MD5 59e6642f09ce97cfa4a4173413a1b036
SHA1 777a96a4aefbe138f26c8697e66633452285eb2c
SHA256 58d16195170f76e40e18ee0ac2e10e1b73bcfd083821158927a7d67a51bcbc42
SHA512 66deb67a4ce1914f5f27bb6423e5be62e05d0a36320accbe653572a437ce033ed5d26858a62d8c57476b34e1718d580f34ab44a3886d8d22d17f642d70f0138e

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ko.pak

MD5 cd2310448ba6689cc73d0b2e6dd2791f
SHA1 7827179d3fb98a5abc2ad38e20d942b83b397235
SHA256 cba6b7633cce796407821264e176a6266f80c1799ade16bf16893d68144236c6
SHA512 c3069bab640ae43856330bb8b3a0e0a4ca058a68a0fc03b8efc0ce1dc2b517f11380fbc641221e29b4a527d685ece72107fb83cdb9b539390eaf6a30c21bf36d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\lt.pak

MD5 edb2c872a4fec5367cbe68035ef0ecc7
SHA1 b4d42bcc83c98dda1ea2ef962d097f6fb3d25c71
SHA256 1bd385b780f3d13d41f8cf782a322e37be889aee273ffde3d8959e0ebcaabd0b
SHA512 dd801a1aac2242e3f532e968b4c9639a2c8bf3eccc17470d9aa8bd6730ae4be3e7276fb782c7908bb6f87d3ade20a40c644b9db5d2201d96d91fd95ebdf429c9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\lv.pak

MD5 393c296fabe0c4c64a7d6b576d7d2cf7
SHA1 16c0605e5829cde9738e1cd3344a59b74fa1f819
SHA256 91642c04de64f88a5c49b4eeaf5d627554e60d56fc40e7cd58cd2601b0d3dbf2
SHA512 067cccb059d4526c104880a26ebf04c7e2498c49c5641abdc91785e859bc0be1475ec58cae9ad1eb076f26fb9215ac246155e123baa13c06a05e4f22a002c2ad

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ml.pak

MD5 b690b0f01954735e1bcea9c2fb2ac4e4
SHA1 8d98860e202b15a712822322058e80a06c471bb8
SHA256 83d187cd70048f4129fa65ba148c74a04a47ee1f14218e7c85b36fe83e87b5e3
SHA512 786f08019a0917d0b3f29aa2d1885db6a6f995990fd8faaf41a9630f8347b4d210a844cc6690a41b4af37d60e11f41fd2675df1a01bab5915e20cd9bc69b4541

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\mr.pak

MD5 f26bc5673e02a93212220d71cf1bbac2
SHA1 8d0ab40fc2b35b75f99538951acfbf6a348c73a3
SHA256 0877f2e75e0b9f5e709f0a0bf7cc793a02ff5bbb28bd6a8b6b6012760c1bbff3
SHA512 9f3a629dfa116cd92892d120f0fdecc5f57043dad232311bdc8c218ae9317f49e655b8b8dc8399639231f2321013190a667d22b6b2735bbcbc375c438dce9aaf

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ms.pak

MD5 d22cfc1b78320157685839f14253fa1d
SHA1 0cfcb5c176d708e26bbca2427be611ce6609eb93
SHA256 c7b56e9ca2f75b4414c13144ff4deee1459c2a7cde79730d863ab234cd4c2f8b
SHA512 2eed40c50a63e362dfe2f172d16e4545f5b19c673e71db674bb004e4e6a4cf793ed4a44ee80d86b05aaa6cc4356c207476afdedc2b35017421ea9b9fa6ebc81d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\nb.pak

MD5 bf9bfdfab1479bb52254329d7aa229ff
SHA1 cd9ff35321731b839ea6e5f31f5de0bfb475666b
SHA256 96747543d9b2dbfb4482d4c24d7818d366545b2476633ad4fec8cc958ab760d3
SHA512 ba8e62d0a87c532ff46f2129724dd2f1bfdebd99c2606e0b9608cd07841776faeca15d04ec6241020c232d4c07809d718f40cf4ad9231d6a8996d55973486629

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\nl.pak

MD5 b525894276852be4ab42ab7044fa164f
SHA1 d3d035522265718def8125f5c4a1d3e74832dc2a
SHA256 c7a18764ca908ec7f66c48cae2be06fef95213d7a5580b45f9bacee474456167
SHA512 36b11f1df92df27b007fd640b589c6b7b30cd889bc297635bdaa40bfcb4332ff20911edfd23ce74c1c8963dd658f77bf4b9af50d3c281717f58eb23a598783bc

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\pl.pak

MD5 7b5d41611b92b24ec8b36b66feb11f9a
SHA1 3d6c36f404c29d59a24970585931860453f5c88a
SHA256 69e16e41f5fe7fa18557b938874f20cda6879f3cc616ead9a815c1381fe94158
SHA512 16ba52cc799132e4525d220ed595d3969d4cecf163ccea6b62fe2211003b0cc44090c4d384e9cc4e32800181b7f7e0810da5a0d2c908f4625ff8382cfa3c177e

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\pt-BR.pak

MD5 8dabbceb430a6bc190ee344541fa8e2b
SHA1 44c7da04bac8c9ee67c8d6a0eeb491cf7ffd2479
SHA256 6d54f87f6c8b5e01bd0da9a961236344e95e85c3dc55fc92a34542777d6f6275
SHA512 4d36d527f1769501d1fce208738028d5ba142716a6243798212d5a2403dc5c950dcb3399e571cf3a11b1f35d845a6ba6798c38074d0ed66c894b1c18ab800159

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\pt-PT.pak

MD5 4816d83e54beaa2f94c671d56361c04e
SHA1 5cae66c0b7079d778ac87ad48777afd85b172d2f
SHA256 a903ca2a8e52f987e23d040de7403b58d925a6c39668d3bc0822fb2aadd34cb1
SHA512 0d3a39e1205ce9366818cb51d38db035b80448dc1e2d2d6bbd7d5df693641582043b45b4a78bbf2334159616187dc85a51e623bb6878b1498d9bc7acd2a6ffab

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ro.pak

MD5 938e62fca60d7b54e9c54cdd1f745f06
SHA1 5a61a1ef3ae855ff436c5d7f45b6ec271a5228aa
SHA256 82e69f505222125ea62f8e90d8030d82a1bd49871192cb4274a8fd9d0e03d577
SHA512 d3f43881fc951c961cfb34babaa6eba2aa9175865dc07542dc529ab1c11d15703c03a7e8193c004b004d13f0a0672bccb2fcdd1cd88f32add159c337281d6d5f

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ru.pak

MD5 9ef6fd52dec5613f9e80204a84c7f2ba
SHA1 fbb8c9db815126fca3c62c810432a71b6965f2aa
SHA256 d0068b9ddf8a9e6a5b1186bd0e00ed9f09224ed56ba7e653e2d54158d938c6f2
SHA512 0fb442ef86f75ca2cf58a677bd25ffb7c420f98250fac7f5f25e2272d4e7dc505a5f3eb3665b62bec189496154b05a1462b6f17a0e9aeafc1517b71e2d813953

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\sk.pak

MD5 fd001b1b02597bbf16baf3f0baf3c6e4
SHA1 e4c703fc115e02833fe08caab1e62775b5812473
SHA256 f9cd222838721a618c23c8f6493bc9699c795c0063998f1a8d506b4b7a297cdc
SHA512 0ee991da6b8ba1bcc3cc27abc645af43bb93edddbf182496aafeeb401d71ae10716335ee0197f1987c21b3abb441aaac968b9a76e75ae77fcba4cc48847f5b1d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\sl.pak

MD5 ff14d5f9484350396780bea7f3bc64ec
SHA1 de097f12b70b552824de69141d6ee1969275eca4
SHA256 b174c4c49654f7d65d223568c700bfaace74238447ae63171787236ce2aab00e
SHA512 011bcc3980d21e0900d1da334a28b72623b22b527a4fc3d96a8f78fb055dc87cd1433a63d8b4414a0a86cf2ded5833a395214910b17433a0545e04d1ce4875b8

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\sr.pak

MD5 5d70a218b7dcccab0406fa9239ef800b
SHA1 cd231758f84a0d56545d0a234a58757a18a58d0c
SHA256 a2bc6b064ff1f7b15707f61bd76ddd9d889bd982c4182e9e74272d39c6235c85
SHA512 ef6f71e0d9782b5ed6706d9226c1a7fb5a4323b8dc8de25737c7dcca87d04c16b545372127670de312079be993823f565de1aaaf5ad833bec5baa0856c19b0f3

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\sw.pak

MD5 9808a9df2da0844b1ce1a2a4213c48d0
SHA1 541f24f006ddb3361ff1e5015f097ab799120fc4
SHA256 1949953d638f266ce74d84c020174c074780166b880e7c2ec38bc6047bbb8ecc
SHA512 66b256e02ce11ea0273cc5bfa78e56faf8b250208d1e868bf4af77cbefd1c891708573d63873a5d02436f884544a6550176afcd3a8220cd35d64b88987e94404

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\sv.pak

MD5 a813b566c9e630910e6ca946defb7202
SHA1 2e25d2479715a572c096ce19b8dfd7a6da5339eb
SHA256 48a71912e4843b03358fede7176b2e57ced83d3a1344a92b989886374dbded62
SHA512 b348404135e147cef93c246c826107f9df170b294e9d0cbf576d2812d0ff3d2b7794ab5aba55cf729fcf7135a495d2ff591db62fa61e2998290ff02538a0e48c

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ta.pak

MD5 d50aa6815b63aff8c443622cb8bfd849
SHA1 fd247855e6e428109e7bf2e0018580cc6e0663c8
SHA256 6348cc2d385b9808fdf1b815914dbfb26f552da4d10f85b2613a5e6e9f95b8fa
SHA512 620e2f9ab9998c68d667e32ad9bbfa2569f7a60fbc2a67d7492c6c215af2a1037708e38b4ed7932074d29a140581fe0ffedddb362133a941966044b98eaa50db

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\te.pak

MD5 d262c33a8c2b4949dff36cc1980e5f05
SHA1 e1ad725c388c4a1a386b4ab6170601863c943c29
SHA256 09ab1ac2b69f868539d4f2e59dfea8c3c2f418a5455777e4c91d13c5ee55ab4c
SHA512 0202f6ac32878926422d542ea96b0bcf8b168f8ec6b928121c368711856fd5f4781a24b15851cdb5892246b355d0dd37504d4599b24e9fe8a723b8dfbfeed29b

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\th.pak

MD5 a4d1594635d26330ace7054bc025b76d
SHA1 bc4874a6a3b1d1886f05858ef2f653ab3520451c
SHA256 f06a45f0395c3e42e42c46de2c19a2a104661b47be6f9ee97f8c68b05706ef1e
SHA512 731485b139ba0ed80dac5e582ec36f53a805a867ad33551741b805e851a9d2356fb1894232395d4fdb200defc988bcf6d51e58834b542c398c1012e389953a3d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\tr.pak

MD5 193f0c0a8218f05657e2590ea4ee6004
SHA1 dd3ffd7f67f72de879903a231271c20aee56f695
SHA256 676d46d19d1673eeff4f5e908aec3b53a6273c440e69e7d655ced6c70531cb9a
SHA512 28606d710d44c9a82c2849fa5ef989bac1afab53cdea99a825f80aa41dbd38a9ad6f0f44935f45439922ca2bdddc89c61f8ffcb999aa13fa45558551d5216e1d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\uk.pak

MD5 83e5f0092b6d72403b60fe0e1e228331
SHA1 989ed480b7ef55dfc9ccfbef1a5b9b0e104693d8
SHA256 29d68d90512ee9952635c7e074d5ab210531d93ae24c11a8f91bca20b685e9a2
SHA512 9895928ee516db7d4395b2788135a814031b9ba45e3a837e633bc253b08d6f380e4078d4d3fd51ae37502a39ff45a0166969fb62365e890f4960a51040b20941

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\ur.pak

MD5 29403f3d5c8f6ae2a768de2fbe8b368e
SHA1 da83015565980ea1a24f5493be6311f06427269e
SHA256 2520ba8471c840aa075075524c4ad2bde10f43fa7a1b623aa14555180ecd30ef
SHA512 a0709280adec39633ca19daf9f8bac6c17a999101246778a63cd9e172dbea2f281b20ce197290c4af6c7601ee7956da42f17e31461a1bd8b8a4bce3c36dc87b7

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\vi.pak

MD5 e088be14dded779f50feabc4906d5ae7
SHA1 0eeca2c7ea82a03b6373c84adf1a890f29e18b05
SHA256 25aeee59775ae38b21a091107022312fc228f96dbea906042bf3626b7cf86b98
SHA512 af9d1e415a6d06c28df9abaae1f337bf4dd3e323dfd5560df5fb35d01c6801b9145072ee85ab4c524c489fb6cdea956ce327b8c4f6820197d76fc2f33171ca3d

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\zh-CN.pak

MD5 d1145f2dcb13c5ba797df5a0792553c8
SHA1 e8d9604300d6413fc896d252a0261be2dfdebfbd
SHA256 6a9a1f5b7674da36f20cb76af7e3e75e9e56873539e8a3b32895ebba439af83a
SHA512 f54adffc7d40866fd53dbb238687116d46354f79580877b5d4d93840494e604deaeaeb7e825f6a00d020f3c58d1fb9df8af667feb64c86f243ecab57765623e9

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\locales\zh-TW.pak

MD5 1eb532e97b84db33a50055bbd7d36200
SHA1 7aaf0560a16a9754059871a000d237964f3ab0c8
SHA256 6a43c8fac5a0ce7c7a21b30ac7bc2167488e17c81c76c00f0b92b49e9e46e469
SHA512 c946d82bd6ced6e61b35acaf7ace1a61f226c4891caaeeeec9ce4a3ab45e6f43c35dbb388d6d5fa925ed020d7d10f951fa2048269d0585ad3b723f5ad8f4eabc

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\resources\app-update.yml

MD5 fb01b9479a97014234fbffba6dbd7811
SHA1 677cca903beae0ba830e569bfead4f1a74f52bc6
SHA256 d7358a93f52b95baa21cd49d81bf22c3edcc2169f9d1728dd70a7af0af212f4a
SHA512 e805b927e30cdac3d5a0f65a15d2b91dc6a511c05e08cdce676a9faeacc88f86ffbdf8de6b63060b71edcb2f8fb85d3d627d37a8b5f0aba45bebf0655f61be4b

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\resources\app.asar

MD5 8488d87d5583583c6372ecdde6b64cd2
SHA1 6d7f9720b24b07c9087d38674d1e37b6989cfafd
SHA256 5a9a9f286c51fb365afc04613bef36c4f370fe6f2e01308be1774ba33d883f9a
SHA512 94d62091c80902245113660591fb886227e58b5aff7eb80c39bb3d83ddf1710cd01e913019fa13406e5ce5263e9d749b915e4fff1f602ff536301829b58d168c

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\resources\elevate.exe

MD5 2d3ec665d71416d626ced91da8d37355
SHA1 d37bc23baeef03b666b5195642ad8eb1df21680b
SHA256 0adae91d34d9458948cb661ddcc12e5a5bba12e5ed853d577265fbe385e6c228
SHA512 e87d1321180e3d977d37d9e597993f22dbd39bc2c25d34749c650b8107e8a3ecaaa55ef79e37aa80904b9295a5f153aad46b08a6e8de49e15b0bf5a3becc9a7b

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\7z-out\resources\binaries\core_module.exe

MD5 0adf3331e34150110edfacd3978db8da
SHA1 5a73b7177ec2e977ca2b144e0df6d9d61c21e990
SHA256 577d16975eb070055a706043dea10d7d2d60b576f34fc729e40df5703569529d
SHA512 4a501c55ac9afc0fb00969a628abc305a4290f77df1af337ea61e0a9ce3627a66f8b86c93b9a41f3323ef20f029ebd936d722358a38876514ef3f8f3200b6053

C:\Users\Admin\AppData\Local\Temp\nswB0B3.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

\??\pipe\crashpad_1876_UUWVPFDUMPOOKZUI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data\gdl_conf.db

MD5 cc3733801ee562c3dc7054fe86f90980
SHA1 bfd8aab5ad354e107aac0b44f71b4da5bf2d273e
SHA256 abfd86d6a3a00ed4516cc623069f7bc63c8b7cab74b6ab5488261914b6a31265
SHA512 074f4d6aed5ca12f9ae57e73851bc091b2d4b097c35882e306e65c8308e29456c711bddc87e2fbd5aa6fa628ca335a16fe56423cd1e873aeabce64b244cc2a0a

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Shared Dictionary\cache\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

memory/3708-672-0x00007FFCE7E00000-0x00007FFCE7E01000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

memory/3708-671-0x00007FFCE7C20000-0x00007FFCE7C21000-memory.dmp

memory/4180-746-0x00000229A8680000-0x00000229A86A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fz2jmxi3.kmn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4180-777-0x00000229C0E00000-0x00000229C0E44000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/4180-786-0x00000229C0ED0000-0x00000229C0F46000-memory.dmp

memory/3032-821-0x000001F0AA770000-0x000001F0AA79A000-memory.dmp

memory/3032-822-0x000001F0AA770000-0x000001F0AA794000-memory.dmp

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\owpm.log

MD5 1bd6124e372c3579fdc832e0d7c71489
SHA1 54628e60940308adfddf5f25b7efb37fa38e26a9
SHA256 aae0a7e01e71e413ea693b351e9ab0bba096ff347fc6c79ddb6de699774a7434
SHA512 39f578fd52d37815cef0e2c99871aa7b583225d320876087050c76c8aacc0a3f6560ecac620a1718af1f6155762f72062ec28b83ff2b12a305e2b2952b694267

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

MD5 9c01e71fd87f8548f1433a01bd41cc01
SHA1 f3961505e96038d96f0f87f3e47f5e49e66c390d
SHA256 cefa09c7f9c0309fbb3f49ea34cae8ccd095d6612f3fc1b9c8e1912e1ad44d5d
SHA512 36641fabf05de49e1bb5f99acec7dfa0388dae44bab1e564b70d47512ec059958b1109a67454759021593826b4c1b605021047385144c79303fce1a5e55776d9

C:\Users\Admin\AppData\Local\Temp\JavaCheck.class

MD5 8098d31488cd52db41f95188b9daed5e
SHA1 76988b607c667c86211fe1dfe57ed4aedacc5691
SHA256 c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5
SHA512 e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78

memory/3548-853-0x000002D3A5210000-0x000002D3A5211000-memory.dmp

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\2.1.3\ow-electron-utility-plugin.node

MD5 2e8dec2f5f64f92ee8a906817dfa20f6
SHA1 8ceeac10c096e7e0dae87c1b5283c3d66d421652
SHA256 6b6b2c7784b4b3bd2f9709df3093b49197005e047e74b0784d80482e1cc17fab
SHA512 8e17acf0cf73836eef6961d1ec3e3e91489ae8b933c33b96812c5bcde908c9ac5a812cbbf19b41489bcaabc005fd51550b3f277c6678f6026f3a06c3b824f617

C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

MD5 ce732a2fa61c19c56334c2f325ebfd6e
SHA1 3f0217ef66db1b8dfe6512c17436e95276ead71a
SHA256 1d9776bab140d49fdd6c605df6b2ca64d9dd6bf21d0115318d6aa0f3cd739531
SHA512 2a2a0a037216abe67e906dc3d3178105effcf66cb3759362ac9ae9c0619f7e732e5e0218a4ebbd518a1dca0f582aa192f8b560f90f41c0792d9311e690072057

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6e8a22d25f5b76a8d6ec8aee6df8be5f
SHA1 c587d7d3db3925a4a74782de196b7b05fb73e73e
SHA256 c12f1de062291c115fd4af16fb0b5236d75e063d65841f5be33d35018812f5fc
SHA512 76b9e5729d65622b8c0e1e1292a92c6df3021cccf0516f9f19af0dac23514b593296d445111071912b2d5e7afa184707f3b189d955c9e77ba4226fc1be0aa7b2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 432f9dde51413638aa680afc11009cee
SHA1 3a457e5820bae4e2e8f4c805e020e6431fd90fcd
SHA256 882b1f9d2025c7bdd95f6bf95011745281f84b65326027b5ad7903e67cb5ca65
SHA512 b3a7be48d871b29bc995bacd66d66cbc2def0723fe232f3b58826581954c30c95c8c235ab63d026b576294ca7ab45ccded9a6f35a7121f311f71c429cbf59549

memory/5164-915-0x0000026C4E5D0000-0x0000026C4E5D1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 c2d4077a43b20375e0e9f7b6856c2af6
SHA1 fbdd12e9528e426f5b7fec0667df469f48c9c379
SHA256 d0c25cdd4c7b5477814dfa8502952c3b391050db5f94cd24eb2fe4a3719bd501
SHA512 75c755d81cecf5df5fd32c8d5ff2e082562580e024b472c09a9803dee7ec7a13b5361810882d52ad4c24a200a230cf2318c7222dfef25fdf0f04ae0d0f9d3a4e

memory/5512-927-0x000001BFCD1F0000-0x000001BFCD1F1000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

MD5 11e67b2f528354eb6fae067de3074699
SHA1 39a03e11abddc42ad4ce4c990a24c75f8d978f15
SHA256 1aa6c0ac6bc8f7ad17b13c1ad6c0002d022a2ebfdc7ef498facc8584c08af1cf
SHA512 8026e91a2310a273b18d604967896e13ff3554482d048adf1652b6a9b8af9a3d87b1be5d9c7357e082e09243de0ac7b679c14b9e1dd4833a7a630cee86f2ae1b

memory/5648-941-0x00000220D0A50000-0x00000220D0A51000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 f42e1e6d259a95af3f49991af81f124b
SHA1 95ee9ff50383ccbcf78a7638488f2fc91722c33b
SHA256 6800855fd84cdf74bfb14afdf727a752e517a56fe006f4bc85895b823aebce69
SHA512 78a2a415d4b22f48d6dc92af3297bdd12eaf5552c52c3108461e556037ad066326ef01d97d4eff8042890ff7cec8747995b977e886cd7ce21a3db509e8bc9249

memory/5776-954-0x000001EEE8460000-0x000001EEE8461000-memory.dmp

memory/5932-965-0x00007FFCE7C20000-0x00007FFCE7C21000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json

MD5 010e9d4c0263332b840556170175c3c8
SHA1 b6799b43d1afed2718e7f73e28ad3a0d514c01c5
SHA256 69ef9cf4c3df04958c50671b6addc03f7b050eea03f2b22fb42f68082cd6cba1
SHA512 70b648e6f987fbb6121b335fdd7e639cfd87212c93a5a3c54492e4d0dd518b7fbb77e5435f00cd3f0e24d11ce5516ad8e425bbb0b9e2630a581ba1b0990e6d48

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\d888cd93-9657-4c6e-9d0a-1bf675704a4b.tmp

MD5 58127c59cb9e1da127904c341d15372b
SHA1 62445484661d8036ce9788baeaba31d204e9a5fc
SHA256 be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de
SHA512 8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

MD5 ad32a4cf82513192be2929a0e88bae45
SHA1 00ff93f3a28d6095086a554df64db95942ce1051
SHA256 6e7e94adb8cc523a1fb17dda00aa4b232d06c85f055245e2286177dbd49539d5
SHA512 27cea34cb799697d5e16ce6cb08772fa5118ba7c05fd5fcee99f7f6c6c5b3cc9ac06ec01969a13330543e9a448adf8a6b1e1bc41a8bad56b5c0c855dbbe83247

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

MD5 12e2526f9d73d5245734078786433c10
SHA1 817a8f55d3a0f36655c5fe02bd30780b7975d1af
SHA256 38737a9d2f24e922a2038efe386068e33f124e3be03bb8cdceab6dd14429e301
SHA512 da6054b7d94dbdc86c196238fce3ced6e289eef1193aa0d31ad5846325c9b7da912e828f681be21b576ffb47a3d9cb293f19bebfc7c8c40d51d0500aa12986f3

C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3392 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3392 wrote to memory of 4500 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4500 -ip 4500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.199.58.43:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe"

Signatures

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM32\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\exe\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\exe\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\symbols\exe\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\DLL\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\exe\carbon_app.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\System32\kernel32.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.pdb C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe

"C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 o4504152598511616.ingest.sentry.io udp
US 34.120.195.249:443 o4504152598511616.ingest.sentry.io tcp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\vulkan-1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3276 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3276 wrote to memory of 644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 10:07

Reported

2024-11-13 10:13

Platform

win10ltsc2021-20241023-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\$R0\Uninstall GDLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\$R0\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 analyticssec.overwolf.com udp
FR 18.245.175.10:443 analyticssec.overwolf.com tcp
US 8.8.8.8:53 10.175.245.18.in-addr.arpa udp
US 8.8.8.8:53 ocsp.rootca3.amazontrust.com udp
FR 52.84.193.90:80 ocsp.rootca3.amazontrust.com tcp
US 8.8.8.8:53 26.200.245.18.in-addr.arpa udp
US 8.8.8.8:53 90.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 3803d1988a2ed4d222c031e63cdadeb5
SHA1 12a51b8f3d49acff38a58db6682b0873732694a5
SHA256 fc026091f9a61b503d159f8bcdeaef75fc5603a02ba79aab6693992314b77b37
SHA512 626aa84e5820a67bfa7afd4d4ed729a33022b7fb23542b563d56fc323a496fe0b759778580527ee8e3c667f651ed4c1e75710fae4aa4e4b84bcb86156f5c78ff

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\nsExec.dll

MD5 ec0504e6b8a11d5aad43b296beeb84b2
SHA1 91b5ce085130c8c7194d66b2439ec9e1c206497c
SHA256 5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962
SHA512 3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

C:\Users\Admin\AppData\Local\Temp\nscA643.tmp\INetC.dll

MD5 38caa11a462b16538e0a3daeb2fc0eaf
SHA1 c22a190b83f4b6dc0d6a44b98eac1a89a78de55c
SHA256 ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a
SHA512 777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1