f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

Analysis

max time kernel
262s
max time network
261s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
14-10-2023 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-2.885-Installer-1.1.3.exe
Size

22.6MB
MD5

bd3eefe3f5a4bb0c948251a5d05727e7
SHA1

b18722304d297aa384a024444aadd4e5f54a115e
SHA256

f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0
SHA512

d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d
SSDEEP

393216:KXGWOLBh2NPfs/dQETVlOBbpFEjdGphRqV56HpkoaH3D8P2Q6YS6x9DOc:K2/BhSHExi73qqHpu34kYbzOc

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4144	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001afcb-4.dat	upx
behavioral1/memory/4144-6-0x0000000000350000-0x0000000000738000-memory.dmp	upx
behavioral1/files/0x000600000001afcb-5.dat	upx
behavioral1/memory/4144-303-0x0000000000350000-0x0000000000738000-memory.dmp	upx
behavioral1/memory/4144-323-0x0000000000350000-0x0000000000738000-memory.dmp	upx
behavioral1/memory/4144-337-0x0000000000350000-0x0000000000738000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	mspaint.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "2"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000d0916df7b8e7d9017dca42f1c0e7d9017dca42f1c0e7d90114000000	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2713497151-363818805-1301026598-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	mspaint.exe
4564	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTcbPrivilege	1832	svchost.exe
Token: SeRestorePrivilege	1832	svchost.exe
Token: SeDebugPrivilege	168	taskmgr.exe
Token: SeSystemProfilePrivilege	168	taskmgr.exe
Token: SeCreateGlobalPrivilege	168	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4564	mspaint.exe
2840	mspaint.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe
168	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe
4144	irsetup.exe
4564	mspaint.exe
4564	mspaint.exe
4564	mspaint.exe
4564	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4144	4900	TLauncher-2.885-Installer-1.1.3.exe	71
PID 4900 wrote to memory of 4144	4900	TLauncher-2.885-Installer-1.1.3.exe	71
PID 4900 wrote to memory of 4144	4900	TLauncher-2.885-Installer-1.1.3.exe	71
PID 1832 wrote to memory of 1236	1832	svchost.exe	84
PID 1832 wrote to memory of 1236	1832	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-2713497151-363818805-1301026598-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4144

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4564

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\system32\dashost.exe
  dashost.exe {ab2c6ac1-e181-43d6-99b00be2a088e8e5}
  2⤵
  PID:1236

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Untitled.png

Filesize
10KB

MD5
c79553cea42dc24f84e577cb4402f891

SHA1
2f495bb6ae9a4178c18d767b9a0b4342249c9dc3

SHA256
b6a753af5e589f1f3cce456af8a17604273caf0b6800c86e9b9f9f3ccd27c756

SHA512
ce7ce2437d0c6407cf2b8713cd7415816f396ed9ac8401903cf0f07ec8433bb90a51c3fd52fb8876e08877361435de23654e6d419513cd092d37c40bf3910504

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
5803b5d5f862418b64caa83396e69c7f

SHA1
97b6c8209b8ad65f4f9f3b953fe966bb09ee4e13

SHA256
ee340f8560ba2e71d7e6d305b959ff8fa77869dac916287da2bff7ce5aa2e159

SHA512
e9bf37f0c89299bfa369a8677ac56b12177dd3153246e5e6a9390577658111b731b0ab987044d30f43e05cb41d79ed31dae3b6f4521f225925920617d0414edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
60a19921c7ff3c75e28c302f95460994

SHA1
07ac64ffbb153c8675e2ce0651afeaa5e8c6652d

SHA256
33341d30463fbc7cf3fba5070925569c822b6835aabdb8ef2c3cf09547912d46

SHA512
b30b960152dc13b1a9d384c4972169392cd405bdf4d3ecf73f85cf8a9a68a075131b2495c0348f54d43d0e7a279907bc7b76ac103f4a624738cbfc73bbeeba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\Desktop\Untitled.png

Filesize
10KB

MD5
c79553cea42dc24f84e577cb4402f891

SHA1
2f495bb6ae9a4178c18d767b9a0b4342249c9dc3

SHA256
b6a753af5e589f1f3cce456af8a17604273caf0b6800c86e9b9f9f3ccd27c756

SHA512
ce7ce2437d0c6407cf2b8713cd7415816f396ed9ac8401903cf0f07ec8433bb90a51c3fd52fb8876e08877361435de23654e6d419513cd092d37c40bf3910504

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
944ee35b083e1b20a27bb1db5e783d6b

SHA1
18e493ebca960899e7897cccf22b27b18ffb1097

SHA256
d68edaac7a1c27c9a0e19fb2362da71718bb8ebdbd87bddd676b278d35afdc58

SHA512
550cac524d850a4a07842fa5fecace3c4bdd9e0f37697f12e3a15c3049f7061f830d469c0523b2a6d2f772979aaecc5dc91244f2ed2422f7a421677bf6684f54

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/4144-303-0x0000000000350000-0x0000000000738000-memory.dmp

Filesize
3.9MB

Download
memory/4144-323-0x0000000000350000-0x0000000000738000-memory.dmp

Filesize
3.9MB

Download
memory/4144-324-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4144-295-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4144-337-0x0000000000350000-0x0000000000738000-memory.dmp

Filesize
3.9MB

Download
memory/4144-338-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4144-297-0x00000000069A0000-0x00000000069A3000-memory.dmp

Filesize
12KB

Download
memory/4144-6-0x0000000000350000-0x0000000000738000-memory.dmp

Filesize
3.9MB

Download