Malware Analysis Report

2024-09-22 06:28

Sample ID 230316-dpnb8sba4w
Target TLauncher-2.876-Installer-1.0.6-global.exe
SHA256 7efd1055ea05a8fb0e8dab395b68017720d468d3ffb3ef3baeb501f809528827
Tags
bazarbackdoor backdoor discovery upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7efd1055ea05a8fb0e8dab395b68017720d468d3ffb3ef3baeb501f809528827

Threat Level: Known bad

The file TLauncher-2.876-Installer-1.0.6-global.exe was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor discovery upx

BazarBackdoor

Bazar/Team9 Backdoor payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Checks installed software on the system

Enumerates physical storage devices

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-03-16 03:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-16 03:11

Reported

2023-03-16 03:15

Platform

win7-20230220-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
(2 matches; the report records no description, indicator, process or target for either)

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
(21 rows in the original table, collapsed here by loading process; no description, indicator or target was recorded for any of them)
N/A N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe (4 loads) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (9 loads) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe (4 loads) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe (3 loads) N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe (1 load) N/A

UPX packed file

upx
Description Indicator Process Target
(29 matches; the report records no description, indicator, process or target for any of them)

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob value not captured in this copy of the report) C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe N/A

Triage note: AuthRoot\Certificates is the store Windows fills through its automatic root-certificate update when a TLS chain reaches a root that is not yet cached locally; the CryptnetUrlCache entry listed under Files is consistent with that download. The key name is the certificate's SHA-1 thumbprint, and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the DigiCert Global Root CA. Any installer that fetches over HTTPS (this one talks to tlauncher.org and oracle.com on 443) produces the same write, so by itself the signature is not evidence that a rogue root was added. To confirm, recompute SHA-1 over the certificate inside the Blob and check it against both the key name and Microsoft's published trusted-root list.
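
A practitioner-side check for this signature, as an added example rather than anything from the report: parse the Blob value's property records, recompute the certificate's SHA-1 and compare it with the key name and with a list of known roots. The Blob layout and property IDs are CryptoAPI's serialised certificate-context format; the certificate bytes used here are constructed filler because the report's Blob value was not captured, and the DigiCert name attached to the report's thumbprint comes from DigiCert's published root list, not from the report.

```python
"""Verify a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example for this report, not part of the sandbox output. The Blob is a
sequence of records (DWORD propId, DWORD reserved == 1, DWORD size, size bytes).
Property 0x20 (CERT_CERT_PROP_ID) holds the DER certificate and property 3
(CERT_SHA1_HASH_PROP_ID) its cached SHA-1. The key name is that SHA-1, so all
three must agree. FAKE_DER is constructed filler, not a real certificate.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 0x20

# Thumbprint from the report's registry key; the CA name is taken from
# DigiCert's published root list, not from the report.
REPORT_THUMBPRINT = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"
KNOWN_ROOTS = {REPORT_THUMBPRINT: "DigiCert Global Root CA"}

# Constructed stand-in for a DER certificate (a SEQUENCE header plus filler).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def thumbprint_of(der):
    return hashlib.sha1(der).hexdigest().upper()


def parse_cert_blob(blob):
    """Split the Blob into {propId: bytes}; refuses malformed records."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, size = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"property {prop_id}: reserved field is {reserved}, expected 1")
        if off + size > len(blob):
            raise ValueError(f"property {prop_id}: {size} bytes claimed, blob ends early")
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def build_cert_blob(der, with_hash=True):
    """Serialise a Blob the way Windows does; used here only to make test input."""
    out = b""
    if with_hash:
        digest = hashlib.sha1(der).digest()
        out += struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, len(digest)) + digest
    out += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der
    return out


def check_cert_entry(key_thumbprint, blob, known_roots=KNOWN_ROOTS):
    """(ok, reason): ok only if key name, cached hash, DER and root list agree."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False, "no certificate in blob (property 0x20 missing)"
    actual = thumbprint_of(der)
    if actual != key_thumbprint.upper():
        return False, f"key name {key_thumbprint} does not match certificate SHA-1 {actual}"
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    if cached is not None and cached.hex().upper() != actual:
        return False, "cached SHA-1 property disagrees with the certificate bytes"
    name = known_roots.get(actual)
    if name is None:
        return False, f"{actual} is not a known root; extract and inspect the certificate"
    return True, f"{actual} is {name}"


if __name__ == "__main__":
    sample = build_cert_blob(FAKE_DER)
    print(check_cert_entry(thumbprint_of(FAKE_DER), sample))
    print(check_cert_entry(REPORT_THUMBPRINT, sample))
```

On a live system the Blob comes from the registry value named in the signature; an entry whose key name, cached hash and certificate bytes disagree was not written by CryptoAPI's root update and deserves a closer look regardless of which process created it.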

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(28 rows in the original table, collapsed here with a repeat count per writer/target pair)
PID 1264 wrote to memory of 1952 (x7) N/A C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
PID 1952 wrote to memory of 1816 (x7) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe
PID 1816 wrote to memory of 2020 (x7) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
PID 1952 wrote to memory of 884 (x4) N/A C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe C:\Users\Admin\AppData\Local\Temp\jre-windows.exe
PID 884 wrote to memory of 852 (x3) N/A C:\Users\Admin\AppData\Local\Temp\jre-windows.exe C:\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe

Every target here is a process the writer itself launched (compare the command lines under Processes, where each irsetup.exe names its launcher in __IRAFN), which is consistent with a parent populating a child it has just created rather than injection into an unrelated process. Read as a chain: 1264 (installer) -> 1952 (irsetup.exe) -> 1816 (AdditionalExecuteTL.exe) -> 2020 (second irsetup.exe), and 1952 -> 884 (jre-windows.exe) -> 852 (its extracted copy in jds7220085.tmp).
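
The same chain reconstructed by code, as an added example written for this page and not part of the sandbox report. It takes the report's WriteProcessMemory rows verbatim as input and nothing else, rebuilds the writer/target tree with per-edge write counts, reports the lineage of any PID, and flags targets written by more than one process, which is the shape of the check an analyst runs to separate process creation from writes into a foreign process.

```python
"""Rebuild the process tree behind a sandbox WriteProcessMemory table.

Added example for this report, not part of the sandbox output. The rows are the
report's "Suspicious use of WriteProcessMemory" entries, each repeated as often
as it occurs in the original table; nothing beyond the report is assumed.
"""
import re
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
_ROWS = [  # (repeats in the report, row text exactly as the report prints it)
    (7, rf"PID 1264 wrote to memory of 1952 N/A {T}\TLauncher-2.876-Installer-1.0.6-global.exe {T}\_ir_sf_temp_0\irsetup.exe"),
    (7, rf"PID 1952 wrote to memory of 1816 N/A {T}\_ir_sf_temp_0\irsetup.exe {T}\_ir_sf_temp_0\AdditionalExecuteTL.exe"),
    (7, rf"PID 1816 wrote to memory of 2020 N/A {T}\_ir_sf_temp_0\AdditionalExecuteTL.exe {T}\_ir_sf_temp_1\irsetup.exe"),
    (4, rf"PID 1952 wrote to memory of 884 N/A {T}\_ir_sf_temp_0\irsetup.exe {T}\jre-windows.exe"),
    (3, rf"PID 884 wrote to memory of 852 N/A {T}\jre-windows.exe {T}\jds7220085.tmp\jre-windows.exe"),
]
WPM_TABLE = "Description Indicator Process Target\n" + "\n".join(
    text for n, text in _ROWS for _ in range(n)
)

# PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_table(text):
    """Return (edge -> repeat count, pid -> image path) from the raw table text."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a row in some other format
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        images[src], images[dst] = src_img, dst_img
    return edges, images


def build_tree(edges):
    """Child lists, parent map and root PIDs (writers nobody wrote into)."""
    children, parents = defaultdict(list), {}
    for parent, child in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = sorted(pid for pid in children if pid not in parents)
    return roots, dict(children), parents


def lineage(pid, parents):
    """Ancestry from the root down to pid, e.g. [1264, 1952, 884, 852]."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def multiple_writers(edges):
    """PIDs written by more than one process: a second writer is not the creator."""
    writers = defaultdict(set)
    for src, dst in edges:
        writers[dst].add(src)
    return sorted(pid for pid, w in writers.items() if len(w) > 1)


def render(roots, children, images, edges):
    """Indented text tree; 'xN' is how many times the parent wrote into the child."""
    lines = []

    def walk(pid, depth):
        for child in sorted(children.get(pid, [])):
            count = edges[(pid, child)]
            lines.append("  " * depth + f"{pid} -> {child} x{count}  {basename(images[child])}")
            walk(child, depth + 1)

    for root in roots:
        lines.append(f"{root}  {basename(images[root])}")
        walk(root, 1)
    return lines


if __name__ == "__main__":
    e, im = parse_table(WPM_TABLE)
    r, ch, pa = build_tree(e)
    print("\n".join(render(r, ch, im, e)))
    print("targets with more than one writer:", multiple_writers(e))
```

For this report the tree has a single root (1264) and every target has exactly one writer; a non-empty result from multiple_writers, or a root that is not the submitted sample, is where a real injection would show up.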

Processes

(Reading the chain: _ir_sf_temp_N\irsetup.exe with __IRAOFF/__IRAFN/__IRCT/__IRTSS/__IRSID arguments, together with the dropped lua5.1.dll, IRZip.lmd, Wow64.lmd and IRIMG*.PNG files, is the runtime of the Indigo Rose Setup Factory installer builder. The outer installer unpacks that runtime to _ir_sf_temp_0 and runs it; the setup script then launches AdditionalExecuteTL.exe, itself a Setup Factory package that unpacks to _ir_sf_temp_1, and jre-windows.exe, the Oracle JRE installer, whose STATIC=1 switch requests a static JRE and whose jds*.tmp extraction directory is the Oracle installer's own.)

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:23643746" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /S:C:\Users\Admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1816850 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe" "__IRCT:3" "__IRTSS:1840872" "__IRSID:S-1-5-21-2647223082-2067913677-935928954-1000"

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jre-windows.exe" STATIC=1

C:\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe

"C:\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe" "STATIC=1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dl2.tlauncher.org udp
US 104.20.234.70:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 tlauncher.org udp
US 104.20.235.70:443 tlauncher.org tcp
US 8.8.8.8:53 javadl.oracle.com udp
NL 69.192.71.29:80 javadl.oracle.com tcp
NL 69.192.71.29:443 javadl.oracle.com tcp
US 8.8.8.8:53 sdlc-esd.oracle.com udp
GB 23.44.232.84:443 sdlc-esd.oracle.com tcp

Files

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 5b4c988e2c4f9b703e7c14ea3ba5115d
SHA1 6191f653571a192ed43f637be0be2d0713c355de
SHA256 6a295ca07cc92c2d463b1ae9606f9c3017814edee923073737a4af9022f7fa69
SHA512 5a51728631c11391c92f3f46e55ad574c3bf63de896689249127922f5c42db80cf131353ded2ba04446e5f4e0f459f487d964b973a9f91bd8242132570077473

memory/1264-60-0x0000000002F80000-0x0000000003368000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

memory/1952-143-0x0000000000B00000-0x0000000000EE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

memory/1952-364-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1952-365-0x00000000005C0000-0x00000000005C3000-memory.dmp

memory/1952-366-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-367-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1264-382-0x0000000002F80000-0x0000000003368000-memory.dmp

memory/1952-383-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-388-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-389-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

MD5 3e4f9ad22e78d1916883ba8ec1b40391
SHA1 4eb8e83f9e4f24d6252c83640061cf6fbf8daf08
SHA256 20ed02f9caeab1a1947e436aa39f99f8e69653e6f9ba5da3b88e31a461676e88
SHA512 d80793d15dc318fa2ab89252d153398ee5924391b0d3ff63b1063bea076c6681f9692284b6e744dd68abdca240c3c1b3eaa224a0449eddadd2c7bd7e943e8190

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

MD5 342916f21c1e06bea05bbf019607713c
SHA1 93a20cbead12b1d710aa30b7ad11f322b6e253fc
SHA256 93fb9f9ed1a680f419d545084a11db8a1ff1a9466cedec71ac33d78f39c367d1
SHA512 321a5b6120008c510cbb43813b56eefeacbba3cc67fe1d9fc579579a6b8577999ac1a14e17301c4a3bdf3c98644a1c3519c63b6d079d06e614eca4b79fdc7518

memory/1952-419-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-420-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\AdditionalExecuteTL.exe

MD5 aa4de04ccc16b74a4c2301da8d621ec1
SHA1 d05c6d8200f6e6b1283df82d24d687adc47d9664
SHA256 e2b0c8e54983b6fcd847a891c5443cb321fb4f0c9106ec8ed6a37cab5ebcc81b
SHA512 28d62bbe394bc2300d60263971cdee15fa417c6fcc7e44ecd2b3b567821e99953377383d137b0827f3f904d30deb508732bcb77cd37d444032d6ffc25c60712e

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG46.PNG

MD5 bd8b796fabf29bce107b327cd690807f
SHA1 edde96dc69ec4c6a8374069e56b27cfa98b50694
SHA256 8f65c8b2c3c27ce8bb37fc64aba53eb01ded825f26f9f09bd4b03c6bc41b6ca2
SHA512 b4091792afe29bb346350928b7726c1a4411bbae732f4d7a862faa909453b6efb79417053a10db1c70f11315a2064682842655bdbd2c374cb6564693f5f1fbfa

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

MD5 27e7f3d4f0383f5aa2747a73b2247056
SHA1 bab94178cde996a35dfaa905cede8015da321552
SHA256 71d7808cae47025784d1a5a759d80c07704d5c745661c07d2bb5f883e821a7b7
SHA512 56f486ca2dff3a94db51696f402d73b43b9f7adc576299c7fca1472dd1194c03cc36c9933dccb94579aaf87d6943c0b108a26a09b269f8fab07bec26067a9ac7

memory/1952-452-0x0000000002F50000-0x0000000002F60000-memory.dmp

\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

MD5 e801c5847f5f9d207db53aaaf5c6f3a2
SHA1 8e6818ce66555e2cca92e5c5f32551fb4a91645e
SHA256 196eb4b81988326f6b44b1efcc4fa7a31a289bcf3893a16c3db6f889aa439b03
SHA512 303ab54112fd38a36c10484037f8ff4eeadd0c6f7dde18cf4f3b7f64bf7f7756b30f634427be1cf596ec995f41923c8678040a9a06244129f2337a3fe2f9bab3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\setuparguments.ini

MD5 01a5f8e33ce9ada586e0f6154f8a3ecd
SHA1 615d8cc80f0c8c007319c2453eee400a050ddb47
SHA256 cac05fb6b82be73c71ea713e97106a9f8bb6f86f31850c50883125515476643d
SHA512 cd18c449846e05ad90a404b1251b9a83b9ff19d94446669065a7a8f461a22ccab0af98c515c07d38d460b6f3a9e6bf963848577da62d7d675b2ab8c9597d35fa

memory/1816-474-0x0000000003080000-0x0000000003468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

MD5 51be149c8e20df63087c584165516ecd
SHA1 feabbb95b65e6929f086266b06ee1cfef83539a7
SHA256 b949eb246d81688efea07a7655652107ad435f37d493d93dd68c88a9fe6f3e33
SHA512 6f24e4caafd6af85c2f8641d7f2b066dfafa7d6abb512fa62f3642eaa42b549692b15043a3bf0e13cb1fae377fc1d3139dcf5cea3d4def24de197f75297e17f0

memory/1816-477-0x0000000003080000-0x0000000003468000-memory.dmp

memory/1816-478-0x0000000003080000-0x0000000003468000-memory.dmp

memory/2020-479-0x0000000000D80000-0x0000000001168000-memory.dmp

memory/2020-492-0x0000000000D80000-0x0000000001168000-memory.dmp

memory/1952-493-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-495-0x0000000000B00000-0x0000000000EE8000-memory.dmp

C:\Users\Admin\AppData\Roaming\.minecraft\TLauncher.exe

MD5 f08d9bbc61cff8e8c3504524c3220bef
SHA1 b4268c667469620bb528c04eaa819d508159b398
SHA256 2c4d8b48344ae221e349e525ac16eb364ffb5ab8deae80c7caa28dd5967cabdb
SHA512 a64a03d959487399fb57e1bd062c0e9f88a17ff9b3ad15e6b96a4b7332341d0fc9186ef99b2ab9bdcfa51864f21d08bce48479202c01d15470916e90fb09fef4

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 7e77eb033acfcf56af655391af50d13c
SHA1 a3aac78db28ef3db542e72ecf71e1c9c79936b45
SHA256 3c2a34738619d96dcc43957632c4afea9241456399e4486db9aac784e9e5e3e3
SHA512 bfe55b771c9d9dad142cbe172302a14059b01fbbcb03e8b026ab3306ae9e8c04a17f9aebb3e96630f07e0e6e999485350c9f82f7972442596e857aa03e84f49f

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG4.PNG

MD5 c00a190340711134584dc004bf18b506
SHA1 72bbbf9ab0e5b3fbf825b0a46da1b25641fbf346
SHA256 db127cc179eb800b489b1d0d014d6d5b5bf04988b23b55ce7b2d108a4852f343
SHA512 597ce1ae67201158e554f2e85218f2bb3321d0b47593c845d5130d80f7817b5ad4b92f30053ef0809315c4f02299edfe09fa67870e11cdc6095390683c0b4d56

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG5.PNG

MD5 d2462eb1e0591d5128d496df81adb09b
SHA1 71bfe6ef2f6b42950b9504ea9f3be42a9274e1ea
SHA256 a9592b4657867255adb69ee757da5858a0cb005b7388b4dd9ed4a814a31cc3f7
SHA512 cb22e19cb876bf3111434bbeb0243265b9899a40cf346ebd5b12d40db324cd776494f43f8570a64fada10f86d76644184e6982fb6bbd0af251c170f107ac50f5

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG22.PNG

MD5 1c9e24d780e12c81094546db7dba85ac
SHA1 9a21b5304a8326f4d115f1aeed413191969f82ca
SHA256 06fd6ea5ff0c58b5dd1ee0ff062e79f66f40a2ab4a0cb3937949781db90b0ad7
SHA512 a0d66cdf4e11fcb991acf2faae92f91dbb2144694a353a41e450ede37c9de605cedf5772744c90967eddcd88055023ba6e4a9bf1a8a6875f8750aedffcf6618a

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG23.PNG

MD5 15bfc779ca849b269af035c19524f515
SHA1 4a82eff7f31c2d688a00376ed36403d4d52d538c
SHA256 18c77fc1a6092e0169f574e46d72636578abe3744b76f632ad7430d576519353
SHA512 ce05807a115b2e8fd7c5874c3a01155501ee37095c02c5679f6e3b848093caad05e45086a88b16128da0e3d95c204e6810667463d08e411529ffde0e79b2ec51

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG42.PNG

MD5 82b5905aadccafd519f5baaba8b4235c
SHA1 ac20c24c050d67ac9cf6d5d012f6c4e3e109dc6d
SHA256 7b0e92663780a8c412e31cde6f5abc18ed58bb19e3791208e8bd77ff9df2a4e7
SHA512 28a04532b8416eec31022493b725150711036cab5b87a7e4a39284ff4799e024abb34b808fc2182318cdad282c75958210d68368222ecc583ac139e6c1f0b802

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG41.PNG

MD5 96df483076fe5b82a193e0f74ae9427c
SHA1 e2914a84864c5a0507406b7e013c915eb64c5d88
SHA256 b08c9f5d1d5375498e555889886992e45c805658e7fb18def814a4ea6539c096
SHA512 732dc92695e193f359b42bd0eea7310406fade281ab3965727ca22b707ccedbae4c7f7706597b8b23ba93f9c259229e9c14a1d1efd959c6acb17905b36d52769

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG45.PNG

MD5 343b2dec000aeb270da2da3d091cccee
SHA1 8ab8987520beb6f4ee7ecf85f5d3caf88afb4c9c
SHA256 36d9a038c082d934df2209fccdd5ddf7bfd15b393581bfd48f510cc161db5232
SHA512 3ab0006fe9be943285f8294752d9ee14959284103676af7418fa2f59c967056bb2646fd48432af0e97be00c608ba493f08b160aa725898084bc726c904ffaa0c

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG1.BMP

MD5 0b445ace8798426e7185f52b7b7b6d1e
SHA1 7a77b46e0848cc9b32283ccb3f91a18c0934c079
SHA256 2bbf97ccba3f87d469eac909c4ce8a3f13ed29c8f31b611e7d5cf89a0619eda6
SHA512 51523d5b711481293305465a3a3c6a3a50dca984cdc8cca1f4c44f3c21bfa430cd9aac1a8782d9605e6954cbafb307beb6b1a52e9785de1bc3f71067d80c6b6e

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG48.PNG

MD5 fd59d734aeb9fc2e4b9fb8953f1030f2
SHA1 4eeaa16cfcdae90383fb4e38fd6cc52180201705
SHA256 509323570038a79f2f494cb2323e141ba345bd5f0af6316b334553b411a4efac
SHA512 5319c35e80f13be56b8f450a364802ae922352baa2ed7858bdf0e43c66f44da3af8b9f4485a04e8c83f985c492543be6665e25edb650ed4ddb6a48d6d60d5397

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG66.PNG

MD5 f2664610dabb317dfe1120518e323887
SHA1 33f8a173d6a0d4b7ecd4b5be9fd052795d689919
SHA256 67d18f4a1cdf8906751fed972deb353a773101fea9c62929e434cf4a31124cc9
SHA512 16ef6bd74c99e4c805ddc53d2cfb6ea3913f8e78ca674e3f61c3b49510c40d7b2b7a96f80e72dd428a28334deebe6859f59d3fdd40e44a0356224695c8cb8eb9

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\IRIMG67.PNG

MD5 4065249457c60ff8868e439399f9a3b5
SHA1 1432b33e9704b0346899e6897103e4a9a29f7dde
SHA256 c230c0787a4a68aab9175ac6630abc6cf012aa74dc67229554a4d9853aeb62f6
SHA512 9cd3387d8191305d7954cb32055c3dd8f7cbcec481c949d9873fe5c9533ccce3e6d73c6f30613e9495493f513beea9e7059d3fbcd3ad480885bdafd0b2dcc3c3

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG109.PNG

MD5 8691619d3729db635b36abf4cb92b722
SHA1 5f65a27c0b8d2a25a3c107eadcde937a6c9620b1
SHA256 386db08587c847acba938e16a37f345f8d95cc1c77ed562b3c2cc71c1ccbfc1c
SHA512 0f2e192e6f23a512c7e0b75ecf54bfe8cdfcd4c18f48cb4a4ccbb879881ece3308e1fb97891583f1248c2a833c36509e8e1b81bf39958189676b05d9bd9605a6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG124.PNG

MD5 add45fcce9e1d8992e60401842562c2e
SHA1 7869dc6ad6116e2c864f32b959a489ee4100aa2e
SHA256 4c9e68ac4cebbfde2f2f5a9318b597825f3d7a41f32cd288e3fa964b95a69fff
SHA512 2f98fc864d4bf46c8595f94c4296e6d4213d90591ee197679b2c4f5f4a27b248a52a941b811fceca2f8d32044d42dfe589ec981baaba86a7e4d844d687d048fb

C:\Users\Admin\AppData\Roaming\.tlauncher\Uninstall\uninstall.xml

MD5 a9bd5c298f84886a96fecaa0a1ac4207
SHA1 12d15f88e61d417fce8c240b6591d76276fae985
SHA256 7988ed09615eb10e19e6522c589535a8747f614f000704a138f8c63d673ef559
SHA512 c900d40286a8a838bcb77044156dff60d5e2c02ca166d88f4ca08a3112041a6c70c7e63901922b98b75631993aeeaa39fd8af0296c90eb09cd1f630b3c82d3ef

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG86.PNG

MD5 be778d72fc00a94c08f8d34a7f4808eb
SHA1 6a9ac4c50c259f13c811aec861b7d8a178226a2a
SHA256 6b87aaec39e8dcaa1ff58dd1ce9b4ff963111281197efb498feda447374ca362
SHA512 4ea18bb91fdf830d55250a245af0c5777657844ee1d9293a35cdb2f56e50ceafdeaf49135e9266bb7615c8f0a57a1ee26b7d74c6d4e98b2cab38dae5085c8a3f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG85.PNG

MD5 e0901ba1513ace1b39991bfa0b911498
SHA1 4ce82072212487c2f484bacf1de20e179b3fac6e
SHA256 c571b49df24291011ff427f5f450b673531409c7b4576c34ca3f284ef3c55493
SHA512 7ff181c9ea32ca2828ef7d1e34c96c6855dac906108eb680a90da5dd9f2008d815c96969263b3314b7db1a83bf7032da631c878dfa4a99976d8cabf79ea62b8d

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG104.PNG

MD5 d0283575c47a16d567f02b70550e22a9
SHA1 189ce85ca43d3aa4336c2e7719cf206691257999
SHA256 44464fa74b703a959540202a83383c33cee05f7affc69898e0d3b541b1e87970
SHA512 5b70a22b0a48aa3c6e88123c4d3ff928b02bbe158d63e565bd558aa990482a4d9a98e710ec3dded8fef6042eedb5a1ed62ffc632fe9d102a9cb49342727c515d

memory/1952-1320-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-1321-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1952-1330-0x0000000010000000-0x0000000010051000-memory.dmp

memory/1952-1333-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-1335-0x0000000000B00000-0x0000000000EE8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d7a69a520a695dcc25c5bcaf5254c86
SHA1 1ebb12d17ff0f2f661b57028f2fe1bfa5e878504
SHA256 8508d169b37d9c73546ef8593583a34eda35747c34bea61f727280e440ddc94b
SHA512 7d616f536f73b015f76113ca76fd64cb037da1ad3af146f60ab6b6b58450d1a749c5ecba586912f042c3efe769a14587731fe3b0e1d70747956ca307ff6f595a

C:\Users\Admin\AppData\Local\Temp\CabF9FC.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

memory/1952-1356-0x0000000000B00000-0x0000000000EE8000-memory.dmp

memory/1952-1357-0x0000000010000000-0x0000000010051000-memory.dmp

\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

C:\Users\Admin\AppData\Local\Temp\jre-windows.exe

MD5 7542ec421a2f6e90751e8b64c22e0542
SHA1 d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512 8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc

memory/1952-1366-0x0000000000B00000-0x0000000000EE8000-memory.dmp

\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe

MD5 6c51e6ea1e5c0e347582ad0ca2f78a28
SHA1 65b47fe20f0285071516838bc5bd64ccf86453ae
SHA256 53d96260ff3c4a5461709e5f0e8668553bc5cae2b5541a31b79c8abda870e6c0
SHA512 b65450ac53a7294de7332f09985ba96678fbeffef24db1d1031ddc1ecf77b9ade967d36f37293ed78cb478530176d72c65d037beb85b4fd72625656d1a439193

C:\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe

MD5 c61fc1edef08b3bfb75f62652496fe2d
SHA1 9d16d3f096fd0879f4a2ae294aa079ac3d03ab3f
SHA256 55239fe55eac5b2ae4f227b8fa206cb79b335b3b87918f8881226a20be52f0c0
SHA512 d55a39d5ef895c364f8a8089a8c2fca72934f44d54a4676540c6758e430f4042bdabd38b92b2b9893bb43e50fbc78403a73bfd7c8b6fca3168d92c9562dbe0f2

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 27dcc47a00553675aca204ef888c0c1d
SHA1 959bcc2b80bc622c0a092a268adb8a92196b5ae1
SHA256 1c1d388b63db2e5d9a5b65360ff85da95ae4278904fbdf5ecc9f6e31efa8c24f
SHA512 c2b56107dd98e81ff5b36ec9970a9e1c61649f05e24a1bd18dce2f23bd6818f5886afde30839a6d29c20cf8cfd9bd10580e206d300ed10d82bd035c4adedc68e

C:\Users\Admin\AppData\Local\Temp\jusched.log

MD5 c36ada006ccf981680dba52cc8222335
SHA1 5c069b2c4a6b00e892f3c784b00b5a09289b0b2f
SHA256 a39b25ecad6f25709270adad2b8e783950feefa3130aa670b97f87655dbf4a74
SHA512 a46be3e940e939a8791e31d85d8c03c638172ca901b2a3bc80cd60b883e001aba82f88e88499a1b9feb2981c9e3a038807be9d61454b290758fc3be2eea43399

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-16 03:11

Reported

2023-03-16 03:15

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe

"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.876-Installer-1.0.6-global.exe" "__IRCT:3" "__IRTSS:23643746" "__IRSID:S-1-5-21-2275444769-3691835758-4097679484-1000"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 8.8.8.8:53 | dl2.tlauncher.org | udp
US | 104.20.234.70:443 | dl2.tlauncher.org | tcp
US | 8.8.8.8:53 | 70.234.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.238.32.23.in-addr.arpa | udp
US | 20.189.173.5:443 | | tcp
US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp
NL | 8.238.177.126:80 | | tcp
NL | 8.238.177.126:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
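
The Network table above mixes reverse (in-addr.arpa) lookups sent to 8.8.8.8 with the TCP connections the sample actually made, and a reverse lookup of an address is not evidence that the address was contacted. The script below is an added example, not part of this report or of the sandbox's tooling: it converts each PTR name back to its IPv4 address and checks which of them correspond to an observed TCP destination. The table rows are copied verbatim from the behavioral2 Network section; the function and field names are the author's own.

```python
"""Correlate the sandbox Network table: reverse-DNS (PTR) lookups vs. TCP connections.

Added example, not part of the report. NETWORK_TABLE copies the behavioral2
Network rows verbatim (Country, Destination, Domain, Proto; Domain may be
blank); the helper names are the author's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

NETWORK_TABLE = """\
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 dl2.tlauncher.org udp
US 104.20.234.70:443 dl2.tlauncher.org tcp
US 8.8.8.8:53 70.234.20.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox logged no name for the connection
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Split the space-separated table; a 3-field row has an empty Domain column."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def ptr_to_ip(name: str) -> Optional[str]:
    """'70.234.20.104.in-addr.arpa' -> '104.20.234.70' (PTR names reverse the octets)."""
    m = PTR_RE.match(name)
    if not m:
        return None
    ip = ".".join(reversed(m.groups()))
    ipaddress.IPv4Address(ip)  # raises ValueError on an out-of-range octet
    return ip


def correlate(flows: List[Flow]) -> dict:
    """Bucket addresses by whether they were looked up, connected to, or both."""
    ptr_ips, forward_names, tcp_ips = set(), set(), set()
    for f in flows:
        if f.proto == "tcp":
            tcp_ips.add(f.ip)
        elif f.proto == "udp" and f.port == 53 and f.domain:
            ip = ptr_to_ip(f.domain)
            if ip:
                ptr_ips.add(ip)
            else:
                forward_names.add(f.domain)

    def by_ip(addrs):
        return sorted(addrs, key=ipaddress.IPv4Address)

    return {
        "ptr_matched_tcp": by_ip(ptr_ips & tcp_ips),  # looked up AND connected to
        "ptr_only": by_ip(ptr_ips - tcp_ips),         # looked up, never connected to
        "tcp_without_ptr": by_ip(tcp_ips - ptr_ips),  # connected to, never looked up
        "forward_lookups": sorted(forward_names),
    }


if __name__ == "__main__":
    result = correlate(parse_rows(NETWORK_TABLE))
    for key, values in result.items():
        print(f"{key}: {', '.join(values) or '-'}")
```

Run against this table, the only reverse lookup that matches a connection is 104.20.234.70, the address behind dl2.tlauncher.org whose forward lookup precedes the TCP row. The other nine reverse lookups have no matching connection, and five TCP destinations were contacted without any name lookup in the capture; each group needs its own triage rather than being read together as one C2 list.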

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 5b4c988e2c4f9b703e7c14ea3ba5115d
SHA1 6191f653571a192ed43f637be0be2d0713c355de
SHA256 6a295ca07cc92c2d463b1ae9606f9c3017814edee923073737a4af9022f7fa69
SHA512 5a51728631c11391c92f3f46e55ad574c3bf63de896689249127922f5c42db80cf131353ded2ba04446e5f4e0f459f487d964b973a9f91bd8242132570077473

memory/3332-145-0x0000000000470000-0x0000000000858000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

MD5 e043a9cb014d641a56f50f9d9ac9a1b9
SHA1 61dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA256 9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA512 4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

MD5 1bbf5dd0b6ca80e4c7c77495c3f33083
SHA1 e0520037e60eb641ec04d1e814394c9da0a6a862
SHA256 bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b
SHA512 97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

memory/3332-440-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3332-441-0x0000000002CD0000-0x0000000002CD3000-memory.dmp

memory/3332-456-0x0000000000470000-0x0000000000858000-memory.dmp

memory/3332-457-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3332-464-0x0000000000470000-0x0000000000858000-memory.dmp

memory/3332-481-0x0000000010000000-0x0000000010051000-memory.dmp
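
The Files sections (behavioral1 above and behavioral2 here) record one entry per observed write, so a path can appear more than once, sometimes with different hashes (jds7220085.tmp\jre-windows.exe, jusched.log), and the memory/<pid>-<seq>-<start>-<end>-memory.dmp lines name dumped memory regions rather than files. The script below is an added example, not part of this report or of the sandbox's tooling: it parses a verbatim subset of those entries, validates hash lengths, collapses writes into unique SHA256 artifacts, flags paths rewritten with different content, and computes region sizes and dump counts per process. Treating a path logged without a drive letter (\Users\...) as the same file as its C:\Users\... spelling is the author's assumption, not something the report states.

```python
"""Inventory the Files sections of the sandbox report (added example, not part of the report).

One Files entry is one observed write: a path followed by MD5/SHA1/SHA256/SHA512 lines,
or memory/<pid>-<seq>-<start>-<end>-memory.dmp for a dumped region. SAMPLE copies a
subset of the behavioral1/behavioral2 entries verbatim; function names are the author's own.
"""
import re
from collections import defaultdict

SAMPLE = r"""
memory/1952-1320-0x0000000000B00000-0x0000000000EE8000-memory.dmp
memory/1952-1321-0x0000000010000000-0x0000000010051000-memory.dmp
\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe
MD5 6c51e6ea1e5c0e347582ad0ca2f78a28
SHA1 65b47fe20f0285071516838bc5bd64ccf86453ae
SHA256 53d96260ff3c4a5461709e5f0e8668553bc5cae2b5541a31b79c8abda870e6c0
SHA512 b65450ac53a7294de7332f09985ba96678fbeffef24db1d1031ddc1ecf77b9ade967d36f37293ed78cb478530176d72c65d037beb85b4fd72625656d1a439193
C:\Users\Admin\AppData\Local\Temp\jds7220085.tmp\jre-windows.exe
MD5 c61fc1edef08b3bfb75f62652496fe2d
SHA1 9d16d3f096fd0879f4a2ae294aa079ac3d03ab3f
SHA256 55239fe55eac5b2ae4f227b8fa206cb79b335b3b87918f8881226a20be52f0c0
SHA512 d55a39d5ef895c364f8a8089a8c2fca72934f44d54a4676540c6758e430f4042bdabd38b92b2b9893bb43e50fbc78403a73bfd7c8b6fca3168d92c9562dbe0f2
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5 27dcc47a00553675aca204ef888c0c1d
SHA1 959bcc2b80bc622c0a092a268adb8a92196b5ae1
SHA256 1c1d388b63db2e5d9a5b65360ff85da95ae4278904fbdf5ecc9f6e31efa8c24f
SHA512 c2b56107dd98e81ff5b36ec9970a9e1c61649f05e24a1bd18dce2f23bd6818f5886afde30839a6d29c20cf8cfd9bd10580e206d300ed10d82bd035c4adedc68e
C:\Users\Admin\AppData\Local\Temp\jusched.log
MD5 c36ada006ccf981680dba52cc8222335
SHA1 5c069b2c4a6b00e892f3c784b00b5a09289b0b2f
SHA256 a39b25ecad6f25709270adad2b8e783950feefa3130aa670b97f87655dbf4a74
SHA512 a46be3e940e939a8791e31d85d8c03c638172ca901b2a3bc80cd60b883e001aba82f88e88499a1b9feb2981c9e3a038807be9d61454b290758fc3be2eea43399
memory/1952-1357-0x0000000010000000-0x0000000010051000-memory.dmp
memory/3332-440-0x0000000010000000-0x0000000010051000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_entries(text):
    """Return ("file", path, {algo: digest}) and ("mem", pid, seq, start, end) tuples."""
    entries, path, hashes = [], None, {}

    def flush():  # close the file entry currently being collected, if any
        nonlocal path, hashes
        if path is not None:
            if "SHA256" not in hashes:
                raise ValueError(f"no SHA256 recorded for {path}")
            entries.append(("file", path, hashes))
        path, hashes = None, {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            flush()
            pid, seq, start, end = m.groups()
            entries.append(("mem", int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if path is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {algo} for {path}: {digest!r}")
            hashes[algo] = digest
            continue
        flush()  # any other line is a path and starts a new entry
        path = line
    flush()
    return entries


def normalize(path):
    # Assumption (author's, not the report's): a path logged without a drive
    # letter (\Users\...) is the same file as its C:\Users\... spelling.
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def summarize(entries):
    by_sha, by_path, regions = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in entries:
        if e[0] == "file":
            p = normalize(e[1])
            by_sha[e[2]["SHA256"]].add(p)
            by_path[p].add(e[2]["SHA256"])
        else:
            _, pid, seq, start, end = e
            regions[(pid, start, end)].append(seq)
    return {
        "unique_artifacts": len(by_sha),
        # same path written with different content: a staged or rewritten file
        "rewritten_paths": {p: sorted(s) for p, s in by_path.items() if len(s) > 1},
        "regions": {k: {"size": k[2] - k[1], "dumps": len(v)} for k, v in regions.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE))
    print(f"unique artifacts: {report['unique_artifacts']}; rewritten paths: {list(report['rewritten_paths'])}")
    for (pid, start, end), info in report["regions"].items():
        print(f"pid {pid} 0x{start:08X}-0x{end:08X} size=0x{info['size']:X} dumps={info['dumps']}")
```

The 0x10000000-0x10051000 region (0x51000 bytes) is dumped in both detonations, PID 1952 on the Windows 7 run and PID 3332 on the Windows 10 run, which is why base and size, not the dump filename, are the stable keys for comparing runs. 0x10000000 is also the default image base the Microsoft linker assigns to 32-bit DLLs, so a dump at that base is a candidate module image to examine before the larger 0xB00000 region.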