69ac13de7f6c4223b05baceb4da9c983849de3ef139cb66ff26902cb6a3c15b5

Analysis

max time kernel
173s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
15/01/2023, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tlauncher-2_72.exe
Size

4.1MB
MD5

a031e1e3b283e3cc9f895e337b0a6e18
SHA1

b5bc0da7ebab8655503a9c5de06691f4cf16ba20
SHA256

69ac13de7f6c4223b05baceb4da9c983849de3ef139cb66ff26902cb6a3c15b5
SHA512

afa6cf17e7e918e4835589a540d17d98d1dd651049f7079c42211fe8ceb3be706a2362e04a37a09c77854d5a463d8db1200767c482c9ef97ff0a39f4a4124b0a
SSDEEP

49152:NnOpSqSRk9kmBlOLc85/kJsugaX3NgfT+UO+DUtFNmnVg6kIVuQ2fiFpJM:NnOEqmCBlOLc85tuxNgf4lCjHdM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
716	tlauncher-2_72.exe
1652	tlauncher-2_72.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4388	chrome.exe
4388	chrome.exe
4996	chrome.exe
4996	chrome.exe
3112	chrome.exe
3112	chrome.exe
4984	chrome.exe
4984	chrome.exe
3584	chrome.exe
3584	chrome.exe
2204	chrome.exe
2204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe
Token: 36	908	WMIC.exe
Token: SeIncreaseQuotaPrivilege	908	WMIC.exe
Token: SeSecurityPrivilege	908	WMIC.exe
Token: SeTakeOwnershipPrivilege	908	WMIC.exe
Token: SeLoadDriverPrivilege	908	WMIC.exe
Token: SeSystemProfilePrivilege	908	WMIC.exe
Token: SeSystemtimePrivilege	908	WMIC.exe
Token: SeProfSingleProcessPrivilege	908	WMIC.exe
Token: SeIncBasePriorityPrivilege	908	WMIC.exe
Token: SeCreatePagefilePrivilege	908	WMIC.exe
Token: SeBackupPrivilege	908	WMIC.exe
Token: SeRestorePrivilege	908	WMIC.exe
Token: SeShutdownPrivilege	908	WMIC.exe
Token: SeDebugPrivilege	908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	908	WMIC.exe
Token: SeRemoteShutdownPrivilege	908	WMIC.exe
Token: SeUndockPrivilege	908	WMIC.exe
Token: SeManageVolumePrivilege	908	WMIC.exe
Token: 33	908	WMIC.exe
Token: 34	908	WMIC.exe
Token: 35	908	WMIC.exe
Token: 36	908	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4472	javaw.exe
4472	javaw.exe
4148	javaw.exe
4148	javaw.exe
2268	javaw.exe
2268	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4472	4504	tlauncher-2_72.exe	80
PID 4504 wrote to memory of 4472	4504	tlauncher-2_72.exe	80
PID 4996 wrote to memory of 2540	4996	chrome.exe	99
PID 4996 wrote to memory of 2540	4996	chrome.exe	99
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4496	4996	chrome.exe	100
PID 4996 wrote to memory of 4388	4996	chrome.exe	101
PID 4996 wrote to memory of 4388	4996	chrome.exe	101
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102
PID 4996 wrote to memory of 4800	4996	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\tlauncher-2_72.exe
"C:\Users\Admin\AppData\Local\Temp\tlauncher-2_72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\tlauncher-2_72.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc2cbb4f50,0x7ffc2cbb4f60,0x7ffc2cbb4f70
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1620 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4408
- C:\Users\Admin\Downloads\tlauncher-2_72.exe
  "C:\Users\Admin\Downloads\tlauncher-2_72.exe"
  2⤵
  - Executes dropped EXE
  PID:716
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\tlauncher-2_72.exe"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,8853002655162060607,3218545990905735579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3316

C:\Users\Admin\Downloads\tlauncher-2_72.exe
"C:\Users\Admin\Downloads\tlauncher-2_72.exe"
1⤵
- Executes dropped EXE
PID:1652
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\tlauncher-2_72.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2268
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C chcp 437 & wmic qfe get HotFixID
    3⤵
    PID:1640
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic qfe get HotFixID
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
b859b62f87e12a7a98fd4c217a339ce4

SHA1
bc4b0888331d003549a5ed783ec80c3a3131f925

SHA256
24273abb23b1e516cc9acb13fb26dd069481a855c5c6c0ab92b6a77df7df8064

SHA512
668d9586fa89f129df6943ae4468e5ea315940ee5ba45ce516f74bf231d6ce292c05a91580c016728d9254fc6b1bcc1e9df86c8d0178a3fb53d5ff27cfce191c

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
29342a793b840de62584b9fc11307b22

SHA1
bf542076ddfec36955f8045e13d3325f582ccfa8

SHA256
51b743b7c088735b7bca1030e17050f02b8a84143a03047692bc8fb7e108e02f

SHA512
aa962f5644c088f96d87ca38ad134d562eae52d21819b182c36a7cbbd3bea67042072842a5058e677fac8abf1365c57ebcd6b4700a5a0a240bcf977186bf0a94

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar

Filesize
4KB

MD5
04177054e180d09e3998808efa0401c7

SHA1
0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8

SHA256
0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08

SHA512
3f44a932d8c00cfeee2eb057bcd7c301a2d029063e0a916e1e20b3aec4877d19d67a2fd8aaf58fa2d5a00133d1602128a7f50912ffb6cabc7b0fdc7fbda3f8a1

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar.tlauncherdownload

Filesize
672KB

MD5
faaa260b603b9cb903033e40014e612a

SHA1
617228674b213bb979660d6a9b7bd0901620568d

SHA256
ce4231e02841b56029ed249ea98d8cda00b8f104afa28b246ab2b52eb9eadaf8

SHA512
9080c1fe1c5082b832c59562f14ca0ccde21e55ac42af3dca84da819ba1fa85788c3edc2ba264dcb2f59a2d742aa5f3da23e3b2fba4ff0d4eb8d83f230b41399

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extentions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar

Filesize
41KB

MD5
65912196b6e91f2ceb933001c1fb5c94

SHA1
af799dd7e23e6fe8c988da12314582072b07edcb

SHA256
663728123fb9a6b79ea39ae289e5d56b4113e1b8e9413eb792f91e53a6dd5868

SHA512
60b15182130ddfd801dd0438058d641dd5ba9122f2d1e081eb63f5e2c12fff0271d9d47c58925be0be8267ed22ae893ea9d1b251faba17dc1d2552b5d93056de

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar

Filesize
658KB

MD5
41f66d1d4d250efebde3bbf8b2d55dfa

SHA1
eeb69005da379a10071aa4948c48d89250febb07

SHA256
9b9df27a5b8c7864112b4137fd92b36c3f1395bfe57be42fedf2f520ead1a93e

SHA512
109a1595668293b32376e885ad59e0e4c0e088ea00f58119f0f7d0d2055f03eb93a9f92d974b6dbd56ef721792ac03c889d9add3a2850aa7ccd732c2682d17ef

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar

Filesize
2KB

MD5
289075e48b909e9e74e6c915b3631d2e

SHA1
6975da39a7040257bd51d21a231b76c915872d38

SHA256
91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff

SHA512
e126b7ccf3e42fd1984a0beef1004a7269a337c202e59e04e8e2af714280d2f2d8d2ba5e6f59481b8dcd34aaf35c966a688d0b48ec7e96f102c274dc0d3b381e

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\doubleRunningProtection.txt

Filesize
13B

MD5
dfa570cb88c670f0625e850599f5acd1

SHA1
42740fba7c046870d73123635c681f9418342cea

SHA256
22d7eac7e1102726406cfad73760c9623ad1cda67b2aecca89f60bf931026cc5

SHA512
06242e25996167c7ee38deed87ca5f4d0654669f702aabdaab35059416b3b5239c08bda522f3467568f24f6177d4d384808cc019296fe739c4c731c84fe447be

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\doubleRunningProtection.txt

Filesize
13B

MD5
75917e5fe746caf25b875d224c9cad59

SHA1
2c5e6aa8fbba898590d31bc07b62bbec705943d6

SHA256
68dd6a32cc3c7cdba3ea4024ac52f942c5d83147b8219813ac07814b58fafd37

SHA512
6bd9e2e59682b59f1d635d0da045fa6f89dfae78219b6d98cb40685670e5db667a8e68525624be24fdb6db14e76af184fee07af84942dfc22e7a0b9e898b4eee

Download Submit
C:\Users\Admin\AppData\Roaming\.tlauncher\tlauncher-2.0.properties

Filesize
51B

MD5
71899a2bed8213ac35ab87af319bc8c5

SHA1
95e221036ec6794ba3abca6b5e2f9e992477cbeb

SHA256
13b9737f4896e51efca92a6057f86642607619c3f9e8c43dadc8a7dc4b8d5eda

SHA512
7aa562e5ed77c79110756438e5570b33c2939680fb6eb9e2362afaf415eb958ee71a7fc297fe6880563b4b0ff7dbe01592b1dc0e1439db3e76602e30d3901d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2295526160-1155304984-640977766-1000\83aa4cc77f591dfc2374580bbd95f6ba_4b401a7f-b7c1-4c1c-a9cf-2b1aa260545d

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\Downloads\tlauncher-2_72.exe

Filesize
4.1MB

MD5
a031e1e3b283e3cc9f895e337b0a6e18

SHA1
b5bc0da7ebab8655503a9c5de06691f4cf16ba20

SHA256
69ac13de7f6c4223b05baceb4da9c983849de3ef139cb66ff26902cb6a3c15b5

SHA512
afa6cf17e7e918e4835589a540d17d98d1dd651049f7079c42211fe8ceb3be706a2362e04a37a09c77854d5a463d8db1200767c482c9ef97ff0a39f4a4124b0a

Download Submit
C:\Users\Admin\Downloads\tlauncher-2_72.exe

Filesize
4.1MB

MD5
a031e1e3b283e3cc9f895e337b0a6e18

SHA1
b5bc0da7ebab8655503a9c5de06691f4cf16ba20

SHA256
69ac13de7f6c4223b05baceb4da9c983849de3ef139cb66ff26902cb6a3c15b5

SHA512
afa6cf17e7e918e4835589a540d17d98d1dd651049f7079c42211fe8ceb3be706a2362e04a37a09c77854d5a463d8db1200767c482c9ef97ff0a39f4a4124b0a

Download Submit
C:\Users\Admin\Downloads\tlauncher-2_72.exe

Filesize
4.1MB

MD5
a031e1e3b283e3cc9f895e337b0a6e18

SHA1
b5bc0da7ebab8655503a9c5de06691f4cf16ba20

SHA256
69ac13de7f6c4223b05baceb4da9c983849de3ef139cb66ff26902cb6a3c15b5

SHA512
afa6cf17e7e918e4835589a540d17d98d1dd651049f7079c42211fe8ceb3be706a2362e04a37a09c77854d5a463d8db1200767c482c9ef97ff0a39f4a4124b0a

Download Submit
memory/2268-257-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/2268-265-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/2268-269-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/2268-270-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/2268-274-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/2268-246-0x0000000002E00000-0x0000000003E00000-memory.dmp

Filesize
16.0MB

Download
memory/4148-192-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-211-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-231-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-232-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-233-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-230-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-229-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-222-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-204-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4148-215-0x0000000002AE0000-0x0000000003AE0000-memory.dmp

Filesize
16.0MB

Download
memory/4472-174-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-173-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-165-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-158-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-176-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-175-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-160-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download
memory/4472-137-0x0000000003220000-0x0000000004220000-memory.dmp

Filesize
16.0MB

Download