5ab5f39d143b6ff77df2fd5026ac8e4788edfd3de27a4e1fa4b420a7d2f61d38

Analysis

max time kernel
112s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.86-Installer-1.0.1.exe
Size

21.7MB
MD5

f643be370cc9763a17f7746b1b6a0243
SHA1

c65391f59a6e1421d783eaf43eb9661cfd476f82
SHA256

5ab5f39d143b6ff77df2fd5026ac8e4788edfd3de27a4e1fa4b420a7d2f61d38
SHA512

5ce377dc1a4a59723cf2b969c0cadb3197e5bf61d0064e2e8c94a0be9d4fd1cd9b33e05078a17e89f54b763e180be32ce14b46949a58ff47e5df18183291142f
SSDEEP

393216:WXYwVCtYto0fs/dQETVlOBbpFEj9GZdqV56HpkbGCST7yuk9sLx:WowVCWTHExiTTqqHpMsV

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1460	irsetup.exe
2268	AdditionalExecuteTL.exe
3352	irsetup.exe
1092	TLauncher.exe
2348	TLauncher.exe
1092	TLauncher.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023146-133.dat	upx
behavioral2/files/0x000b000000023146-134.dat	upx
behavioral2/memory/1460-137-0x0000000000C80000-0x0000000001068000-memory.dmp	upx
behavioral2/files/0x0002000000022624-147.dat	upx
behavioral2/files/0x0002000000022624-146.dat	upx
behavioral2/memory/1460-150-0x0000000000C80000-0x0000000001068000-memory.dmp	upx
behavioral2/memory/3352-151-0x00000000009E0000-0x0000000000DC8000-memory.dmp	upx
behavioral2/memory/3352-153-0x00000000009E0000-0x0000000000DC8000-memory.dmp	upx
behavioral2/memory/1460-158-0x0000000000C80000-0x0000000001068000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TLauncher-2.86-Installer-1.0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	AdditionalExecuteTL.exe

Loads dropped DLL 4 IoCs

pid	Process
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
3352	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{5DB36E34-AA93-4239-BE19-4B9823CB4D46}	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4376	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
1460	irsetup.exe
2268	AdditionalExecuteTL.exe
3352	irsetup.exe
3352	irsetup.exe
3352	irsetup.exe
1092	TLauncher.exe
3408	javaw.exe
3408	javaw.exe
2720	javaw.exe
2720	javaw.exe
2720	javaw.exe
2720	javaw.exe
4376	OpenWith.exe
1192	javaw.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 1460	4304	TLauncher-2.86-Installer-1.0.1.exe	81
PID 4304 wrote to memory of 1460	4304	TLauncher-2.86-Installer-1.0.1.exe	81
PID 4304 wrote to memory of 1460	4304	TLauncher-2.86-Installer-1.0.1.exe	81
PID 1460 wrote to memory of 2268	1460	irsetup.exe	92
PID 1460 wrote to memory of 2268	1460	irsetup.exe	92
PID 1460 wrote to memory of 2268	1460	irsetup.exe	92
PID 2268 wrote to memory of 3352	2268	AdditionalExecuteTL.exe	93
PID 2268 wrote to memory of 3352	2268	AdditionalExecuteTL.exe	93
PID 2268 wrote to memory of 3352	2268	AdditionalExecuteTL.exe	93
PID 1460 wrote to memory of 1092	1460	irsetup.exe	96
PID 1460 wrote to memory of 1092	1460	irsetup.exe	96
PID 1460 wrote to memory of 1092	1460	irsetup.exe	96
PID 1092 wrote to memory of 3408	1092	TLauncher.exe	97
PID 1092 wrote to memory of 3408	1092	TLauncher.exe	97
PID 2348 wrote to memory of 2720	2348	TLauncher.exe	102
PID 2348 wrote to memory of 2720	2348	TLauncher.exe	102
PID 1092 wrote to memory of 1192	1092	TLauncher.exe	107
PID 1092 wrote to memory of 1192	1092	TLauncher.exe	107
PID 1192 wrote to memory of 4784	1192	javaw.exe	108
PID 1192 wrote to memory of 4784	1192	javaw.exe	108
PID 4784 wrote to memory of 372	4784	cmd.exe	110
PID 4784 wrote to memory of 372	4784	cmd.exe	110
PID 4784 wrote to memory of 4028	4784	cmd.exe	111
PID 4784 wrote to memory of 4028	4784	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1908426 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.86-Installer-1.0.1.exe" "__IRCT:3" "__IRTSS:22693301" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1814730 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1839152" "__IRSID:S-1-5-21-4246620582-653642754-1174164128-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3352
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      4⤵
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:3408

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2720

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3780

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
"C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C chcp 437 & wmic qfe get HotFixID
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic qfe get HotFixID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
8358ee669950090a882dd2a5a8434970

SHA1
a7f72ab930d6fb2f44b62c006b15b17c6d80f1b2

SHA256
57ecfbdcd99b7cf22c922e1f345613c27b9cb4281df95b6ba3042d7a5cfc03a9

SHA512
ebd90b2b51034780cf009a44e6f682215103e411bdfdd543070a56ba4175e823dad57c8ab060441b00ba45167c70dbb8fc1a7b94302cd93d8022575e35a3a3b3

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
68a66daa03452c19a76a13741690bef8

SHA1
301cc059ae634b11d135e5b9091bc08bfcbec144

SHA256
4e840164211be668bef19cce569b1fb7f4d74b95de665fc094efed4c1b1125f2

SHA512
adc5ab2a43d00952091e101b01aab02730decab8bb19d6dea95c01b525a252b9788a712368fd9ccac1bc395776df7d84132e584bd91eb5757799d1780c22b1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

Filesize
1.8MB

MD5
f8996d2158a69a12b4bc99edd28100bc

SHA1
892887691df881fe432e09b618e90f50447340e6

SHA256
866836c68a3c7b313fa6a0ab6d7b9d74112ca07e4709487951ff572938eff547

SHA512
d6856d91ded75901a4af914e66bcdd904a51a2aba24e4762a2986f9a5f4b42f5b758b91c37ee5c9783c5797f19026e7f31e73d0e063f71bf5df8355a3213dd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1313bb5df6c6e0d5c358735044fbebef

SHA1
cac3e2e3ed63dc147318e18f202a9da849830a91

SHA256
7590d0f21687327812a6c61d0429c6df1345b97c53ad7115f03bd4cb2e4f4c8d

SHA512
596d877b3906f877f124d705933391478ed425ad860ca5341493f04050c4605fc8e9a1c890859105da1b6817da5e874e0afaabbc86a80597f296e642795fc33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
1313bb5df6c6e0d5c358735044fbebef

SHA1
cac3e2e3ed63dc147318e18f202a9da849830a91

SHA256
7590d0f21687327812a6c61d0429c6df1345b97c53ad7115f03bd4cb2e4f4c8d

SHA512
596d877b3906f877f124d705933391478ed425ad860ca5341493f04050c4605fc8e9a1c890859105da1b6817da5e874e0afaabbc86a80597f296e642795fc33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
1.3MB

MD5
e7bbc7b426cee4b8027a00b11f06ef34

SHA1
926fad387ede328d3cfd9da80d0b303a865cca98

SHA256
e7a43c6f10e3e65b8462b6d67c91c628db5402d3209f549e90998c875cf21538

SHA512
f08b4833c1dcb9c2b0f8c90e092275795fda3c20aaec6590504c20a93cb6d50b8ce11301bc3a42d9417c78ddb25a5e991fad688c39d1dede3fce0b67f3e13e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

Filesize
647B

MD5
19fadc5efe7e5ac91f4d5337b9fe9cfe

SHA1
da61176054b43fd69e600571f17ce3b6cb7be579

SHA256
addedd42cc22092163c3f4624dc3bb87c5c3c67f78411e0ec1d95735eb68b8d8

SHA512
97b48e040cd5b353e5a09a17e117ca2c998f8c16d4f418273d5812106f0730e8094a7fe40efc9bbffbe07b4db746fb7088ba4515d3ca128a8d7b913409e6ce33

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
58e22c0ee91280156cdaadacac7acddb

SHA1
189c552c94a9b0ae0208763bca77f2801debc224

SHA256
765cab48564743844b057e21eab768d5d84194a635b09d02d9d2909f632f5714

SHA512
9f510c896d641919b037e201f5ba9de476241e7cab1004d92a85df4b9240ff947737619921b1223cd926c8c5a6e667dc76cad37e818d2a9d144b826836d562c6

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar

Filesize
4KB

MD5
04177054e180d09e3998808efa0401c7

SHA1
0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8

SHA256
0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08

SHA512
3f44a932d8c00cfeee2eb057bcd7c301a2d029063e0a916e1e20b3aec4877d19d67a2fd8aaf58fa2d5a00133d1602128a7f50912ffb6cabc7b0fdc7fbda3f8a1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\github\junrar\junrar\0.7\junrar-0.7.jar

Filesize
151KB

MD5
75a215b9e921044cd2c88e73f6cb9745

SHA1
18cc717b85af0b12ba922abf415c2ff4716f8219

SHA256
7c764fa1af319b98ff452189ab31bb722ea74ed7a52b17b0c6282249c10a61fc

SHA512
1a44af2f3f8dbfbf38ad5f71ef11b32d5822d734f77af2cdea419fb6af845e894acb60bffbcebb4533068d86b55a22a8b0f74be20b204c2343bdb165d9c787f9

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar

Filesize
1.6MB

MD5
e04c514bc4ebf4134f50c4c66f596d45

SHA1
a449d9e88ea38f1c3ee9eb87e6d383f93efde832

SHA256
c6739b975f415605f66265157882fc05853abaabea8900a6d695084eedefbba3

SHA512
03806dff7961c44c9fdeba5b5111dc4183b5a8a7d445b0a3cec0df68a6785c1bda19e436aa990351f3adb4232d0b8629b8942fcfc3bc5e8f0c640787317cf44c

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extentions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar

Filesize
41KB

MD5
65912196b6e91f2ceb933001c1fb5c94

SHA1
af799dd7e23e6fe8c988da12314582072b07edcb

SHA256
663728123fb9a6b79ea39ae289e5d56b4113e1b8e9413eb792f91e53a6dd5868

SHA512
60b15182130ddfd801dd0438058d641dd5ba9122f2d1e081eb63f5e2c12fff0271d9d47c58925be0be8267ed22ae893ea9d1b251faba17dc1d2552b5d93056de

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar

Filesize
658KB

MD5
41f66d1d4d250efebde3bbf8b2d55dfa

SHA1
eeb69005da379a10071aa4948c48d89250febb07

SHA256
9b9df27a5b8c7864112b4137fd92b36c3f1395bfe57be42fedf2f520ead1a93e

SHA512
109a1595668293b32376e885ad59e0e4c0e088ea00f58119f0f7d0d2055f03eb93a9f92d974b6dbd56ef721792ac03c889d9add3a2850aa7ccd732c2682d17ef

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\dnsjava\dnsjava\2.1.8\dnsjava-2.1.8.jar

Filesize
307KB

MD5
540f330717bca9d29c8762cf6daca443

SHA1
eed8a2cbf56cc60d07a189a429ead3067564193c

SHA256
52de1ff2a7556ac2cc4284abd7123bc3d6274210fc4e3b1d9ba90efad5f6a153

SHA512
a4bcb8bbb43906f42faf1802c504ccc9c616e49afd5dd7db77676d13aaed79a300979ffc2195b680a9c6d5f03466b611b6f1338d824099816aa224b234760f4b

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar

Filesize
2KB

MD5
289075e48b909e9e74e6c915b3631d2e

SHA1
6975da39a7040257bd51d21a231b76c915872d38

SHA256
91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff

SHA512
e126b7ccf3e42fd1984a0beef1004a7269a337c202e59e04e8e2af714280d2f2d8d2ba5e6f59481b8dcd34aaf35c966a688d0b48ec7e96f102c274dc0d3b381e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar

Filesize
478KB

MD5
04a41f0a068986f0f73485cf507c0f40

SHA1
5af35056b4d257e4b64b9e8069c0746e8b08629f

SHA256
1d31696445697720527091754369082a6651bd49781b6005deb94e56753406f9

SHA512
3f12937a69ba60d0f5e86265168d6a0d069ce20d95b99a3ace463987655e7c63053f4d7e36e32f2b53f86992b888ca477bf81253ad04c721896b397f94ee57fc

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\net\sf\jopt-simple\jopt-simple\4.9\jopt-simple-4.9.jar

Filesize
64KB

MD5
39c6476e4de3d4f90ad4ca0ddca48ec2

SHA1
ee9e9eaa0a35360dcfeac129ff4923215fd65904

SHA256
26c5856e954b5f864db76f13b86919b59c6eecf9fd930b96baa8884626baf2f5

SHA512
fd04c19bce810a1548b2d2eaadb915cff2cbc81a81ec5258aafc1ba329100daedc49edad1fc7b254ab892996796124283d7004b5414f662c0efa3979add9ca5f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar

Filesize
424KB

MD5
8667a442ee77e509fbe8176b94726eb2

SHA1
5fe28b9518e58819180a43a850fbc0dd24b7c050

SHA256
734c8356420cc8e30c795d64fd1fcd5d44ea9d90342a2cc3262c5158fbc6d98b

SHA512
b1b556692341a240f8b81f8f71b8b5c0225ccf857ce1b185e7fe6d7a9bb2a4d77823496cd6e2697a20386e7f3ba02d476a0e4ff38071367beb3090104544922d

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\httpcomponents\fluent-hc\4.5.13\fluent-hc-4.5.13.jar

Filesize
30KB

MD5
8f7e4f1a95a870ebee87ddacc425362c

SHA1
300bf1846737e34b9ea10faae257ca8fdcd0616f

SHA256
f883b6b027d5e05c53e48e4fe3548715c52dbd590ffa3f52d039574f1a4d0728

SHA512
98e30ed27d6ac078450efe5e236117445c93e05eb280399e056816c52643a3a33adce5e3a885ce8488186f38d05e0fb6c65dfcbaa509be8c6047ef2f0870d9b0

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\logging\log4j\log4j-core\2.14.1\log4j-core-2.14.1.jar

Filesize
1.5MB

MD5
a30dcfe1c739b3fe9c37b1cab74f7e50

SHA1
6325a2b63f59f1545db38c61b25de3f3020d4eed

SHA256
a620e48ed4e5ca15afac253aed67a621779cfbedb526a2415bc81f11b8549c14

SHA512
625e153cee408a4e9cd448c039f26a942b8b3a7e4ed296739452e4eb9fd1a57279144f392b9d6911c34539d2ff644263ca7a2c6d074992c52160a0b2c759ce10

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\picture-bundle\3.5\picture-bundle-3.5.jar

Filesize
1.5MB

MD5
d419ab7756f5ec189259ee0766eed1b9

SHA1
c9405acdaf4032df0e3d043902f9ddcc467d3a78

SHA256
a8dba4fd7fabc1d0873aa54fac481ffc09805fe005712ca430f235a638d27de7

SHA512
557c625b005af015c85c50869936318c3f880353fdd3b3387386df6754f1b4e79b09dd1a0c0b08f45408bb2ff5d5ec53114be1da26df4787c611343d494e645f

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\skin-server-API\1.0\skin-server-API-1.0.jar

Filesize
14KB

MD5
13a8e72587ac6eacfb0986f75e51eb7c

SHA1
6c3daf89705427f73e6106d2d4d9619e99c5ecb5

SHA256
1fcffa073f722737431e2699b1f3ea48b92a3b825397d8f0d1464e4d4d15a014

SHA512
134735390415f60d0c42ff33a060bda508e273b35fc9aab271c20ff23f331b51cf3fa36443009e0987049f6bfb22c4098a1473e65ea0349e719fbf4b528f344e

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\tlauncher-resource\1.4\tlauncher-resource-1.4.jar

Filesize
1.5MB

MD5
ced600c3a9be34453fc594b420034fe9

SHA1
e2fc596e9ea9562656a4d4ec85e9a07477999520

SHA256
7b701f3dd29665dd46bb35bc9f16918508a21cc4c09cbdfc8fcfd1973633a931

SHA512
5ed736939fd898858af68e6d69876f555c891e399af608662acc038d9c9735ddee1645cdac2f78eddfc6438a6eeb6ee866fc8570b6f129b552fe7513c8e50c19

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tukaani\xz\1.5\xz-1.5.jar

Filesize
97KB

MD5
51050e595b308c4aec8ac314f66e18bc

SHA1
9c64274b7dbb65288237216e3fae7877fd3f2bee

SHA256
86f30fa8775fa3a62cdb39d1ed78a6019164c1058864048d42cbee244e26e840

SHA512
c5c130bf22f24f61b57fc0c6243e7f961ca2a8928416e8bb288aec6650c1c1c06ace4383913cd1277fc6785beb9a74458807ea7e3d6b2e09189cfaf2fb9ab7e1

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\doubleRunningProtection.txt

Filesize
13B

MD5
0de552df5ffc3a14a20eabbfef472927

SHA1
18e40253832f7fd23bf4efe0108e1e0200ca78f6

SHA256
046add1ae10148e8c026d4b43281572076c903db332c25fcc891605ea4924311

SHA512
e2eea023b8863f8e9c8fcbfa121dc7f805d4a9a4b422e86ffc3282fbdc4fc3610b35d46967b0ac7ee19d0b0e14e81c306400334580f8ceeaa0840722ecfa40e6

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\tlauncher-2.0.properties

Filesize
51B

MD5
f40447f8dba110891a0a2faf7d6c5307

SHA1
033c51607d978d8ebf3ff48d9aba6ecb423ad15c

SHA256
ba502555b28e4a91c50b4b724e424f86e62531869797a1042af5147ba2540f09

SHA512
08fbe4487c2cff1f8d95c0d4fcaa251e4c97d29bf5ad3dc588b76b7e783bdc1a1f039c3bae38fb9113608c8b414b00e5bbe12d96e0f857a375235d25129de3bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4246620582-653642754-1174164128-1000\83aa4cc77f591dfc2374580bbd95f6ba_26355f79-4f6c-4ae9-abeb-84bfcbb996ec

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1192-231-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1192-239-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1192-215-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1192-260-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1192-236-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1192-226-0x00000000026D0000-0x00000000036D0000-memory.dmp

Filesize
16.0MB

Download
memory/1460-137-0x0000000000C80000-0x0000000001068000-memory.dmp

Filesize
3.9MB

Download
memory/1460-158-0x0000000000C80000-0x0000000001068000-memory.dmp

Filesize
3.9MB

Download
memory/1460-141-0x0000000006D10000-0x0000000006D13000-memory.dmp

Filesize
12KB

Download
memory/1460-150-0x0000000000C80000-0x0000000001068000-memory.dmp

Filesize
3.9MB

Download
memory/1460-140-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2720-201-0x0000000003150000-0x0000000004150000-memory.dmp

Filesize
16.0MB

Download
memory/2720-191-0x0000000003150000-0x0000000004150000-memory.dmp

Filesize
16.0MB

Download
memory/2720-199-0x0000000003150000-0x0000000004150000-memory.dmp

Filesize
16.0MB

Download
memory/2720-200-0x0000000003150000-0x0000000004150000-memory.dmp

Filesize
16.0MB

Download
memory/3352-153-0x00000000009E0000-0x0000000000DC8000-memory.dmp

Filesize
3.9MB

Download
memory/3352-151-0x00000000009E0000-0x0000000000DC8000-memory.dmp

Filesize
3.9MB

Download
memory/3408-179-0x0000000003210000-0x0000000004210000-memory.dmp

Filesize
16.0MB

Download
memory/3408-168-0x0000000003210000-0x0000000004210000-memory.dmp

Filesize
16.0MB

Download
memory/3408-178-0x0000000003210000-0x0000000004210000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads