f860a1d5cc114ab8f1878a4a6ed38e3548f770df674048e5d7310c98cb80a64d

Resubmissions

08-01-2023 16:17

230108-trgv8she2z 8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220901-es
resource tags

arch:x64arch:x86image:win7-20220901-eslocale:es-esos:windows7-x64systemwindows
submitted
08-01-2023 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.72-Installer-0.6.3.exe
Size

16.2MB
MD5

a34a897408b80f11f795db6c9d269969
SHA1

60b954a4b8629da018ee8f7e2d3437fcae22a40e
SHA256

f860a1d5cc114ab8f1878a4a6ed38e3548f770df674048e5d7310c98cb80a64d
SHA512

161b9f0883f90eb836cc422755c4158b7458040692566262621202c28e33500284d6f0af7451c0a3ee8cc8feeccc298bd3180b34168b2de8cabe0e2f3d53d52b
SSDEEP

393216:pXl30fdQwfsD441ffz4e4oQL14BIzAtdB7laeN7r570hn:pV3xw+1Hz4e4txzuB7lao57en

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1852	irsetup.exe
1872	TLauncher.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001422b-55.dat	upx
behavioral1/files/0x000900000001422b-56.dat	upx
behavioral1/files/0x000900000001422b-57.dat	upx
behavioral1/files/0x000900000001422b-58.dat	upx
behavioral1/files/0x000900000001422b-60.dat	upx
behavioral1/files/0x000900000001422b-64.dat	upx
behavioral1/memory/1852-68-0x0000000000080000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1852-74-0x0000000000080000-0x0000000000468000-memory.dmp	upx
behavioral1/files/0x000900000001422b-75.dat	upx
behavioral1/memory/1852-81-0x0000000000080000-0x0000000000468000-memory.dmp	upx

Loads dropped DLL 9 IoCs

pid	Process
1360	TLauncher-2.72-Installer-0.6.3.exe
1360	TLauncher-2.72-Installer-0.6.3.exe
1360	TLauncher-2.72-Installer-0.6.3.exe
1360	TLauncher-2.72-Installer-0.6.3.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	irsetup.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	irsetup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1792	chrome.exe
1588	chrome.exe
1588	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1852	irsetup.exe
1852	irsetup.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe
1588	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe
1852	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1360 wrote to memory of 1852	1360	TLauncher-2.72-Installer-0.6.3.exe	27
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1852 wrote to memory of 1872	1852	irsetup.exe	31
PID 1588 wrote to memory of 332	1588	chrome.exe	33
PID 1588 wrote to memory of 332	1588	chrome.exe	33
PID 1588 wrote to memory of 332	1588	chrome.exe	33
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1004	1588	chrome.exe	34
PID 1588 wrote to memory of 1792	1588	chrome.exe	35
PID 1588 wrote to memory of 1792	1588	chrome.exe	35
PID 1588 wrote to memory of 1792	1588	chrome.exe	35
PID 1588 wrote to memory of 1284	1588	chrome.exe	36
PID 1588 wrote to memory of 1284	1588	chrome.exe	36
PID 1588 wrote to memory of 1284	1588	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.72-Installer-0.6.3.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.72-Installer-0.6.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1905626 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.72-Installer-0.6.3.exe" "__IRCT:1" "__IRTSS:17001464" "__IRSID:S-1-5-21-4063495947-34355257-727531523-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe
    "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    3⤵
    - Executes dropped EXE
    PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefab84f50,0x7fefab84f60,0x7fefab84f70
  2⤵
  PID:332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1800 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3344 /prefetch:2
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=796,10063906500778874782,13755276237616121846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
1f73fb40bb5f2adfba15a2ff635e38f1

SHA1
a1d86b12e6776224a27cd86e50f9fddfed080da4

SHA256
9904f3d58a967aca7b4a74b182d930b380eb72d19f61cfefff86f65702c35385

SHA512
1e48fd4a01cbc005b99a8c2a21807f892e224ab0b9e16298683ecb7a64f30a7a9583853c2a9e7a0bdc0fa010e0d9a816d182126a379e64c4f016646ca89c813b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
9fca19d5ba4ca2399bcb9ee39d8e2a48

SHA1
f1f213b2f4d0decbfdd963a41857e8876c776495

SHA256
36bf2ad1b2e64e5fc73f17af2b7fc81c3dc9870aa9a69e8abad1b0cdc70a0cd0

SHA512
410faa07024eb8f34f9cb6344f85ad9a33652519e61ab5c934f2ad621ae4993d7b3fec2dcd906fb35df4a0111655b3f62dfd93a98df6a5be5b38f7bb6c379878

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
1f73fb40bb5f2adfba15a2ff635e38f1

SHA1
a1d86b12e6776224a27cd86e50f9fddfed080da4

SHA256
9904f3d58a967aca7b4a74b182d930b380eb72d19f61cfefff86f65702c35385

SHA512
1e48fd4a01cbc005b99a8c2a21807f892e224ab0b9e16298683ecb7a64f30a7a9583853c2a9e7a0bdc0fa010e0d9a816d182126a379e64c4f016646ca89c813b

Download Submit
\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

Filesize
5.2MB

MD5
1f73fb40bb5f2adfba15a2ff635e38f1

SHA1
a1d86b12e6776224a27cd86e50f9fddfed080da4

SHA256
9904f3d58a967aca7b4a74b182d930b380eb72d19f61cfefff86f65702c35385

SHA512
1e48fd4a01cbc005b99a8c2a21807f892e224ab0b9e16298683ecb7a64f30a7a9583853c2a9e7a0bdc0fa010e0d9a816d182126a379e64c4f016646ca89c813b

Download Submit
memory/1360-67-0x0000000002E20000-0x0000000003208000-memory.dmp

Filesize
3.9MB

Download
memory/1360-72-0x0000000002E20000-0x0000000003208000-memory.dmp

Filesize
3.9MB

Download
memory/1360-73-0x0000000002E20000-0x0000000003208000-memory.dmp

Filesize
3.9MB

Download
memory/1360-54-0x0000000075691000-0x0000000075693000-memory.dmp

Filesize
8KB

Download
memory/1360-66-0x0000000002E20000-0x0000000003208000-memory.dmp

Filesize
3.9MB

Download
memory/1360-65-0x0000000002E20000-0x0000000003208000-memory.dmp

Filesize
3.9MB

Download
memory/1852-71-0x0000000000A20000-0x0000000000A23000-memory.dmp

Filesize
12KB

Download
memory/1852-70-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/1852-74-0x0000000000080000-0x0000000000468000-memory.dmp

Filesize
3.9MB

Download
memory/1852-68-0x0000000000080000-0x0000000000468000-memory.dmp

Filesize
3.9MB

Download
memory/1852-81-0x0000000000080000-0x0000000000468000-memory.dmp

Filesize
3.9MB

Download