Analysis
max time kernel: 174s
max time network: 140s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 16-02-2023 21:52
Static task: static1
General
Target: koid.exe
Size: 1.7MB
MD5: 937bd53a5f505b8e9b00416590ad8d92
SHA1: 5abece11f9d282ec009bf441f132676344f1ede2
SHA256: 662d56478c8fa24fb43b71cba64af8d941ddb90659c2412144b46137e2cc4c36
SHA512: 2027fe14eff8cc0edd67be7f159e0710d79376aef11a70d4c0ad94d501667fd178780fb3a8f0c4481d2da32a3f6fd698e45cef297aee628cda1ae164e0434dd5
SSDEEP: 49152:MXi87ZaoNcK9mVrSPYO1M+BrgdhwmzJnU:yvycBr
Malware Config
Signatures
Downloads MZ/PE file
(no process attributed in this report)

Executes dropped EXE (8 IoCs)
Processes:
  PID 3332  TLauncher-2.871-Installer-1.0.6-global.exe
  PID 4348  irsetup.exe
  PID 3304  AdditionalExecuteTL.exe
  PID 4344  irsetup.exe
  PID 2172  TLauncher.exe
  PID 1480  TLauncher.exe
  PID 3808  TLauncher.exe
  PID 1764  TLauncher.exe
Loads dropped DLL (4 IoCs)
Processes:
  PID 4348  irsetup.exe  (3 entries)
  PID 4344  irsetup.exe  (1 entry)
Matches YARA rule "upx" (9 IoCs)
Resources and memory regions (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe  upx  (2 matches)
  behavioral1/memory/4348-244-0x0000000000080000-0x0000000000468000-memory.dmp  upx
  behavioral1/memory/4348-307-0x0000000000080000-0x0000000000468000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe  upx  (2 matches)
  behavioral1/memory/4344-381-0x00000000009F0000-0x0000000000DD8000-memory.dmp  upx
  behavioral1/memory/4344-462-0x00000000009F0000-0x0000000000DD8000-memory.dmp  upx
  behavioral1/memory/4348-508-0x0000000000080000-0x0000000000468000-memory.dmp  upx
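The report does not show the body of the "upx" rule that fired on both irsetup.exe copies and their memory dumps. As an added example (not the sandbox's rule and not code from this page), the following stand-alone Python checks a PE image for the two traits a generic UPX rule usually keys on: section names UPX0/UPX1 and the "UPX!" marker. It parses only the COFF header and section table with the standard library. The header-only PE produced by build_minimal_pe() is constructed here for the demonstration; a packer that renames its sections will not match this check, so a miss is not proof that a file is unpacked.

```python
"""Flag the header traits that a generic 'upx' YARA rule keys on.

Added example, not the sandbox's rule. Parses the DOS stub pointer, the
COFF file header and the section table; no third-party modules.
"""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MARKER = b"UPX!"  # written into the UPX header block of packed files


def section_names(data):
    """Return the section names of a PE image (raises ValueError if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Summarise UPX traits: section names, marker presence, overall verdict."""
    names = section_names(data)
    found = [n for n in names if n.encode("ascii", "replace") in UPX_SECTION_NAMES]
    marker = UPX_MARKER in data
    return {
        "sections": names,
        "upx_sections": found,
        "upx_marker": marker,
        "likely_upx": bool(found) or marker,
    }


def build_minimal_pe(names, trailer=b""):
    """Construct a header-only PE with the given section names (constructed demo input)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + sections + trailer


if __name__ == "__main__":
    sample = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
    print(upx_indicators(sample))
```

To run it against the real dropped files, read `_ir_sf_temp_0\irsetup.exe` and `_ir_sf_temp_1\irsetup.exe` into bytes and pass them to upx_indicators(); the memory dumps listed above are unpacked images and will normally show the original section names rather than UPX0/UPX1.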
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (1 IoC)
Processes:
  bcastdvr.exe: File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini
Drops file in Program Files directory (12 IoCs)
Processes:
  javaw.exe: File opened for modification, all under C:\Program Files\Java\jre1.8.0_66\bin\
    server\dll\ntdll.pdb
    symbols\dll\ntdll.pdb
    server\jvm.pdb
    server\dll\jvm.pdb
    server\symbols\dll\jvm.pdb
    dll\jvm.pdb
    symbols\dll\jvm.pdb
    server\ntdll.pdb
    jvm.pdb
    server\symbols\dll\ntdll.pdb
    ntdll.pdb
    dll\ntdll.pdb
All twelve paths are .pdb (debug symbol) files probed along the JRE directory, which is consistent with a symbol-file search rather than a payload drop; none of them is written by the submitted target.
Drops file in Windows directory (4 IoCs)
Processes:
  taskmgr.exe: File created C:\Windows\rescache\_merged\1601268389\3877292338.pri  (2 entries)
  taskmgr.exe: File created C:\Windows\rescache\_merged\4183903823\810424605.pri  (2 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is the generic description of the signature: no process is attributed to it in this report, and the storage-related registry reads listed under the next signature come from taskmgr.exe and GamePanel.exe, not from koid.exe.
Checks SCSI registry key(s) (3 TTPs, 10 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run every read is by a Windows component (taskmgr.exe, GamePanel.exe); the vendor string Ven_DADY is what the sandbox's virtual disk reports. Keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.
Processes:
  taskmgr.exe:   Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  GamePanel.exe: Key opened         DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  taskmgr.exe:   Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  taskmgr.exe:   Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  taskmgr.exe:   Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  taskmgr.exe:   Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  GamePanel.exe: Key opened         CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
  GamePanel.exe: Key value queried  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags
  GamePanel.exe: Key value queried  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags
  taskmgr.exe:   Key opened         Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reads come from firefox.exe and taskmgr.exe, both of which read CPU details as part of normal operation. Keys are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0.
Processes:
  firefox.exe: Key value queried  VendorIdentifier
  taskmgr.exe: Key opened         (CentralProcessor\0)
  taskmgr.exe: Key value queried  ProcessorNameString
  firefox.exe: Key opened         (CentralProcessor\0)
  firefox.exe: Key value queried  Update Signature
  firefox.exe: Key value queried  Update Revision
  firefox.exe: Key value queried  ~Mhz
Modifies registry class (1 IoC)
Processes:
  firefox.exe: Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings
NTFS ADS (1 IoC)
Processes:
  firefox.exe: File created C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe:Zone.Identifier
The Zone.Identifier stream is the Mark-of-the-Web a browser writes on a download; it shows that the TLauncher installer was fetched by firefox.exe inside the sandbox rather than dropped by koid.exe.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  PID 4640  taskmgr.exe  (20 entries)
  PID 3308  taskmgr.exe  (11 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
  PID 2080  firefox.exe: SeDebugPrivilege (2 entries)
  PID 4640  taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33 (reported by number only), SeIncBasePriorityPrivilege
  PID 3308  taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33 (reported by number only), SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs; repeated entries collapsed)
Processes:
  PID 2080  firefox.exe  (4 entries)
  PID 4640  taskmgr.exe  (repeated)
  PID 3308  taskmgr.exe  (repeated)
Suspicious use of SendNotifyMessage (64 IoCs; repeated entries collapsed)
Processes:
  PID 2080  firefox.exe  (3 entries)
  PID 4640  taskmgr.exe  (repeated)
  PID 3308  taskmgr.exe  (repeated)
Suspicious use of SetWindowsHookEx (33 IoCs)
Processes:
  PID 2080  firefox.exe  (10 entries)
  PID 3332  TLauncher-2.871-Installer-1.0.6-global.exe  (1 entry)
  PID 4348  irsetup.exe  (7 entries)
  PID 3304  AdditionalExecuteTL.exe  (1 entry)
  PID 4344  irsetup.exe  (3 entries)
  PID 2172  TLauncher.exe  (1 entry)
  PID 812   javaw.exe  (2 entries)
  PID 4468  javaw.exe  (4 entries)
  PID 4300  javaw.exe  (4 entries)
Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed)
Processes (source PID -> target PID; every source and target is firefox.exe):
  4852 -> 2080  (9 entries)
  2080 -> 3616  (2 entries)
  2080 -> 1576  (repeated)
  2080 -> 4168  (repeated)
All writes go from a firefox.exe parent into firefox.exe children that the process tree shows being launched with -contentproc (GPU and tab content processes), which is how Firefox bootstraps its own child processes; no write targets a process outside the browser.
Processes
Tree indented by the depth given in the report (depth 1 = top level); each node lists image path, PID, command line and the signatures attributed to it.

- C:\Users\Admin\AppData\Local\Temp\koid.exe (PID 1524)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\koid.exe"
  signatures: none
- C:\Program Files\Mozilla Firefox\firefox.exe (PID 4852)
  cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID 2080)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 3616)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.1681562954\1305913784" -parentBuildID 20200403170909 -prefsHandle 1500 -prefMapHandle 1492 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1580 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 1576)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.3.1427439711\1597662117" -childID 1 -isForBrowser -prefsHandle 1996 -prefMapHandle 2220 -prefsLen 156 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2248 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID 4168)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.13.120927895\2027591898" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3476 -prefsLen 6938 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3496 tab
- C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe (PID 3332)
  cmdline: "C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe"
  signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 4348)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.871-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:24771453" "__IRSID:S-1-5-21-1099808672-3828198950-1535142148-1000"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe (PID 3304)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe (PID 4344)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-1099808672-3828198950-1535142148-1000"
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx
    - C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe (PID 2172)
      cmdline: "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
      signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 812)
        cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
        signatures: Drops file in Program Files directory; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe (PID 1480)
  cmdline: "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  signatures: Executes dropped EXE
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4468)
    cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 4640)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Drops file in Windows directory; Checks SCSI registry key(s); Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\System32\GameBarPresenceWriter.exe (PID 4236)
  cmdline: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
- C:\Windows\System32\GamePanel.exe (PID 2652)
  cmdline: "C:\Windows\System32\GamePanel.exe" 00000000000B0060 /startuptips
- C:\Windows\System32\bcastdvr.exe (PID 3144)
  cmdline: "C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
  signatures: Drops desktop.ini file(s)
- C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe (PID 3808)
  cmdline: "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  signatures: Executes dropped EXE
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4300)
    cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
    signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\System32\GameBarPresenceWriter.exe (PID 4832)
  cmdline: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
- C:\Windows\System32\GamePanel.exe (PID 4168)
  cmdline: "C:\Windows\System32\GamePanel.exe" 00000000000302F6 /startuptips
  signatures: Checks SCSI registry key(s)
- C:\Windows\system32\taskmgr.exe (PID 3308)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe (PID 1764)
  cmdline: "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"
  signatures: Executes dropped EXE
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 1480)
    cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe"

Note on attribution: the submitted target koid.exe (PID 1524) has no child processes and no signature attributed to it anywhere in this report. Every hit listed under Signatures belongs to firefox.exe and its content processes, to the TLauncher installer chain that firefox.exe downloaded (see the NTFS ADS entry), or to Windows components (taskmgr.exe, GamePanel.exe, bcastdvr.exe). PIDs are reused within the run (1480 appears as both TLauncher.exe and a later javaw.exe; 4168 as both a firefox.exe content process and GamePanel.exe), so match on image path and lineage, not on PID alone.
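Deciding which signature hits actually belong to the submitted sample is the first triage step on a report like this. The following stand-alone Python is an added example (not part of the sandbox report or its tooling): PROCESSES mirrors the PIDs, parents and image names in the tree above, with depth-1 processes recorded as having no parent, and HITS is a constructed subset of the signature rows. It walks each hit up to its top-level ancestor and separates hits that descend from the target PID from hits rooted in unrelated processes. The lineage walk is defensive about PID reuse, which this report does exhibit.

```python
"""Attribute sandbox signature hits to the submitted sample's process tree.

Added example, not part of the sandbox report. Input data below is
constructed from the PIDs, parents and images shown in the report's
Processes section; the hits are a subset of its signature rows.
"""
from collections import defaultdict

TARGET_PID = 1524  # koid.exe, the submitted sample

# (pid, parent_pid or None, image) -- constructed from the report's tree
PROCESSES = [
    (1524, None, "koid.exe"),
    (4852, None, "firefox.exe"),
    (2080, 4852, "firefox.exe"),
    (3616, 2080, "firefox.exe"),
    (1576, 2080, "firefox.exe"),
    (4168, 2080, "firefox.exe"),
    (3332, None, "TLauncher-2.871-Installer-1.0.6-global.exe"),
    (4348, 3332, "irsetup.exe"),
    (3304, 4348, "AdditionalExecuteTL.exe"),
    (4344, 3304, "irsetup.exe"),
    (2172, 4348, "TLauncher.exe"),
    (812, 2172, "javaw.exe"),
    (4640, None, "taskmgr.exe"),
    (2652, None, "GamePanel.exe"),
    (3144, None, "bcastdvr.exe"),
]

# (signature, pid) -- constructed subset of the report's signature rows
HITS = [
    ("Executes dropped EXE", 3332),
    ("Executes dropped EXE", 4348),
    ("Loads dropped DLL", 4344),
    ("Suspicious use of SetWindowsHookEx", 812),
    ("Checks SCSI registry key(s)", 4640),
    ("Checks SCSI registry key(s)", 2652),
    ("Drops desktop.ini file(s)", 3144),
    ("Suspicious use of WriteProcessMemory", 4852),
    ("NTFS ADS", 2080),
]


def build_index(processes):
    """Map pid -> parent pid and pid -> image name."""
    parent = {pid: ppid for pid, ppid, _ in processes}
    image = {pid: img for pid, _, img in processes}
    return parent, image


def lineage(pid, parent):
    """Return [pid, parent, grandparent, ..., top-level ancestor]."""
    chain = [pid]
    seen = {pid}
    while parent.get(chain[-1]) is not None:
        nxt = parent[chain[-1]]
        if nxt in seen:  # PID reuse can make a flattened tree look cyclic
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def attribute(hits, processes, target_pid):
    """Split hits into those under target_pid and those under other roots.

    Returns (target_hits, unrelated); unrelated maps "image (PID root)" to a
    list of (signature, pid, image) rows whose lineage ends at that root.
    """
    parent, image = build_index(processes)
    target_hits = []
    unrelated = defaultdict(list)
    for sig, pid in hits:
        chain = lineage(pid, parent)
        if target_pid in chain:
            target_hits.append((sig, pid, image[pid]))
        else:
            root = chain[-1]
            unrelated[f"{image[root]} (PID {root})"].append((sig, pid, image[pid]))
    return target_hits, dict(unrelated)


if __name__ == "__main__":
    mine, others = attribute(HITS, PROCESSES, TARGET_PID)
    print(f"hits under target PID {TARGET_PID}: {len(mine)}")
    for root, rows in others.items():
        print(root)
        for sig, pid, img in rows:
            print(f"    {sig}: {img} (PID {pid})")
```

Run as written it reports zero hits under PID 1524 and groups the rest under five unrelated roots, which matches the tree above. To use it on another report, fill PROCESSES from the report's Processes section (parent = the nearest node one depth level up) and HITS from its signature rows; a hit whose PID is missing from PROCESSES will raise a KeyError, which is the right failure mode for an incomplete tree.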
Network
MITRE ATT&CK Enterprise v6
Downloads
(duplicate entries collapsed; the count in parentheses is how many times the same file appeared in the report)
-
Filesize: 50B
MD5: adc6b787bdcada3c6b0bfbb430909ba5
SHA1: b2ccec6654947339d13bb24eb29db7276c841f76
SHA256: 8ebd8a544183fb1547f833fb9740b9f8cbeedb6691ca9bc341afdf1676190e1b
SHA512: 67edbdf0dc48a23b5250f366e78e931c389d3d5b77e25b786fd0673beac7be17fa61aeb9ce6a09d11907e70cd214d3bffbc7030fcda0f225fe5b1399e5f65782
-
Filesize: 50B
MD5: fd8ca02108c3a2132b628b0e29099d0e
SHA1: 3d67d082f1195073704945f3505a6d1519b23266
SHA256: eab88954bf5c18d8d6c56bf23b824f506bb5ea5065df6d66b24053adfc14f0c6
SHA512: 4b8bb1510a36a8c71ef1188191cc269bbc582dcd9cc535ef434c9dc464261fac38d1aada4bc7a1156ff6e9ec27a996a7c5652015c0ee81bc2461e38297e212ea
-
Filesize: 162KB
MD5: 0d02b03a068d671348931cc20c048422
SHA1: 67b6deacf1303acfcbab0b158157fdc03a02c8d5
SHA256: 44f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
SHA512: 805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358
-
Filesize: 2KB
MD5: a2942665b12ed000cd2ac95adef8e0cc
SHA1: ac194f8d30f659131d1c73af8d44e81eccab7fde
SHA256: bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
SHA512: 4e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9
-
Filesize: 1.8MB (2 entries)
MD5: aa4de04ccc16b74a4c2301da8d621ec1
SHA1: d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256: e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512: 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e
-
Filesize: 1.3MB (2 entries)
MD5: 7e08af319c9eb3297e09ca7bb8387de4
SHA1: 4cf091f77a3eb9437ef33985e64bd10c1257284f
SHA256: 6c006c982746826a613bc0f09890955a1cdca309d9d98572aed35ad782dd11c8
SHA512: bb7aaebd3f6c1ff18bd0cb9eb9347894f0785dc011ec9765d9bc180de9b60769c891151626fdef88aa3fd53ae6246c1cb91f723933da54920bfbc8a5a24f8851
-
Filesize: 326KB (4 entries)
MD5: 80d93d38badecdd2b134fe4699721223
SHA1: e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256: c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512: 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4
-
Filesize: 1.3MB (2 entries)
MD5: e801c5847f5f9d207db53aaaf5c6f3a2
SHA1: 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256: 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512: 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3
-
Filesize: 649B
MD5: ed32bec12cf5fde15ca31e276e2729d7
SHA1: cfccf890db1ece9841415f33a406b0cca8cbb0a7
SHA256: 3cef31a44168980290bf54b32fe0a57410a311fe43941e2dbd8bda6cb1212935
SHA512: ed9dfb326d97706b3debd9ed70e903858b479c9185854bca34efcee8c12fd62c6b53f8043a39dc97c213b6aec8685dbe9a0775332ba3006761b3769df4d6cf8d
-
Filesize: 6.3MB (5 entries)
MD5: f08d9bbc61cff8e8c3504524c3220bef
SHA1: b4268c667469620bb528c04eaa819d508159b398
SHA256: 2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb
SHA512: a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4
-
Filesize: 13B
MD5: 9ca519c81140421fa9c6bfed6fe58956
SHA1: 0c8f083a1a9254e82c91dbf0b2c2e8e1515d5eba
SHA256: ef7b5c78b4386096550aa8e8448bb540ba9941cfdcd63561e9c74697a1038fb7
SHA512: bcb37bc31f9d48c24e4cff06bf48500fa73a4ba1b07f78e6e85ed1a95ef767daece509b7e06726886fe359b71b99f360fea29bd85da55f4bd3580228ccf86cdf
-
Filesize: 23.6MB (2 entries)
MD5: 7a4472a78d0651e11d20aa08e43cc045
SHA1: aab1d5f80d7399ae2c1982201733be7681d100b1
SHA256: 318df7404e6c4d5538a6d31997b95af52bbb8d40caf5553b3cbd9b1bc4f6db96
SHA512: c152c9d21b0615548173dcc61accb1a1afd5b6f98e6ec21f6a7119536397f07a54ad4087669716c3344dd338ce4f24cecf9989d472f65eaa18c87d496f23c681
-
Filesize: 190B
MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
Filesize: 1.7MB
MD5: 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1: e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256: bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512: 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab
-
Filesize: 97KB
MD5: da1d0cd400e0b6ad6415fd4d90f69666
SHA1: de9083d2902906cacf57259cf581b1466400b799
SHA256: 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512: f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a