0439b7bde87eb1e7a8e5106c6adb73d2c9b1de07111e8478dd38b48cf6fdd8c5

Analysis

max time kernel
258s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StandKnife.exe
Size

626KB
MD5

b715c7e7bc0ecc71a00dd6e078dd5c65
SHA1

255618829aef836e5cf56fb56f19790dc1f45dae
SHA256

0439b7bde87eb1e7a8e5106c6adb73d2c9b1de07111e8478dd38b48cf6fdd8c5
SHA512

e27fbf7abd010a64a44d55e5bc4b8e40a0f5c4e40dacefa413261485a2417b5d14713ff67ce0e15f1eeb9846cb4e66073c0a3c8e2caf140078da870160b035a3
SSDEEP

12288:2dYQutYFoYviP3QQTQQLQQbQQQQQbDmHQDNAXulUXFuozasIKVTecs:2dtIlMUXFuQasIQT3

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	TLauncher-2.885-Installer-1.1.3.exe

Executes dropped EXE 2 IoCs

pid	Process
3768	TLauncher-2.885-Installer-1.1.3.exe
3096	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
3096	irsetup.exe
3096	irsetup.exe
3096	irsetup.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000022ec7-344.dat	upx
behavioral1/files/0x0007000000022ec7-349.dat	upx
behavioral1/files/0x0007000000022ec7-350.dat	upx
behavioral1/memory/3096-351-0x0000000000840000-0x0000000000C28000-memory.dmp	upx
behavioral1/memory/3096-648-0x0000000000840000-0x0000000000C28000-memory.dmp	upx
behavioral1/memory/3096-668-0x0000000000840000-0x0000000000C28000-memory.dmp	upx
behavioral1/memory/3096-674-0x0000000000840000-0x0000000000C28000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133435078594248423"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe
Token: SeShutdownPrivilege	3444	chrome.exe
Token: SeCreatePagefilePrivilege	3444	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe
3444	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3096	irsetup.exe
3096	irsetup.exe
3096	irsetup.exe
3096	irsetup.exe
3096	irsetup.exe
3096	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4812	3444	chrome.exe	116
PID 3444 wrote to memory of 4812	3444	chrome.exe	116
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2100	3444	chrome.exe	117
PID 3444 wrote to memory of 2340	3444	chrome.exe	120
PID 3444 wrote to memory of 2340	3444	chrome.exe	120
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118
PID 3444 wrote to memory of 4344	3444	chrome.exe	118

C:\Users\Admin\AppData\Local\Temp\StandKnife.exe
"C:\Users\Admin\AppData\Local\Temp\StandKnife.exe"
1⤵
PID:4016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff845809758,0x7ff845809768,0x7ff845809778
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:2
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3172 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4748 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3976 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5436 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:2504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5684 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6096 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:3412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5300 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5264 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1060 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5140 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 --field-trial-handle=1920,i,17843648534510523392,6105846739273759894,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe
  "C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-3811856890-180006922-3689258494-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:628

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\bfb7f64f33aa4a2db38b190800b39ef1 /t 2144 /p 3096
1⤵
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
c5911f09e9c82b9caa3cfb94025467a1

SHA1
87e540a7d874e0fc7b1d4a322b05bcadd1f5f564

SHA256
76191dc762cadeddd1ea4189a7f24a17ff94969559292a90207f54d44eb7493f

SHA512
76f69644734f69cc0959e6346ec74b172e99bf9707a5d81028595d8d86bd89db0cf45c4553dd4e99124b2320f0e63e91b71f331f71f4ef188324e2db8caa613c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9ab3b7a36e63f30531cb6d78fe7826b8

SHA1
b555a9a46980ca7accbea1d8bf23e76734005bc7

SHA256
b598004af5864833d73e6ba08a123d552a960d68e035811128a49fa666f8b92c

SHA512
8869e361f7471179e782e3629c26b3c14bc8515e009ea060c0812205f47464c68c84b0fcd8ec3a564f571861692c7d485465cc5d1cb25cee79922a456335e9c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d77a421597562c4eaa5387ada25e558f

SHA1
93fc1c92ead27b06e87694ec737aa9ab09423a20

SHA256
38da805fd6392d3acd527f760d1f6b72a91fc054c88ec3e24f43c15b1a074bad

SHA512
bfa5eedbe04bb302536fa727d87ebd1525d2c7957b4a9b7fd16d8b356e67f5945353dda1c2d7806f76262590c8bc23a6a2666f312fc9261c54943ecb9d62ef57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
35bda72438311a0bc5e423f0b2af2631

SHA1
b574fbc0d77380390cf2adbd631cc959142f74c0

SHA256
c2f41d36d60be768795190e6f34b6029b0bd168dbd5580ff0835f66388f45229

SHA512
9afccf5081a530edc6fbf4a4339c5ff959ce7726ad449d456a7941d170e16cf23109c7731f3319c2050ce28b933958dfeb030b3c989193c986034789bebf7627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
2ab24c7f82dd8c89d2855f9a4ff494fc

SHA1
592532e39c90f540b6a9720ad4d82551a79cfe0e

SHA256
7cce555241350b6d591b152bca6d74880d68628d92676cba13e02b89e718dac5

SHA512
0d77a07a6076dd14aa71b454597e51640852a7e4bce51717ec3103ccde2a21e64693c4506c1c5e8bd37e25779da8b436874621d6af474ca83223f21b570410e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
a7baea8c5276516e568de5121bdf30e8

SHA1
114328c234b3dacf1d97eddf49ca2542de8aacd7

SHA256
151dd9821e8c1304048d02de8bd29fc9a34dd361c338cd2ef1f31bfa137fcd56

SHA512
ef179c4b533ebee9dda9021587776e4c7e4466122b478e228115b055f9648d2f73e3f568bb42d19e5faf775e99b5ed04bfc00e25780da1c8399a4e8a523a868c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5a0bbb05307fc9e28af47145d6cbb99b

SHA1
899b6623d55d8d0b600355d8a14834f620dce2c8

SHA256
82dd91264d5d09ff4a26aeff502bf12ffd930d6c596147050b76ecf28796b59b

SHA512
f8dbf6d041e6d046efdf9e5f1d3c62344e0d3e7e541e89b8a25475d9736c2c969736d0f7b8c7868c5622d2835f9f351ac8f1222e59bd51d5beebf14f53cd1f34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74ab8d75771e9a109b27342b2ed69c0a

SHA1
d2d6daf25bc16790d9f509f5d484af41101dd370

SHA256
3d6670b8ec47ee3fc3ef318a7917369bae67b79a25ac7db7088faf586afce312

SHA512
4496e2d1a990e150f0c50632aa564a9cc1372e49b1a9b8ff83d3eac9f8d71bce42fe4afaab1a64d427bb48eb66ec2cd31a3572ba8e61d9133dfe8b943f131bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5ea9ece0fd6c8f79e9a003bef10bce12

SHA1
ac7a971a1ad1f75b3ee510621108c3639340a9a6

SHA256
7bd9391e098a7ad87a0fb1af6a5680acf91751b9c8397081192680dce86e7d29

SHA512
624bf5f8f536ffef721c972cd006ca63c69de99bf0bca7569acfb56b9b1f3421ef76618054d0b949f5050f35a2cd92a306a866df2ade57271cf5b37abd391d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3264c2159bed1ae43e94c458a4346903

SHA1
486f1dc27e285c233bd906851999ff48ced147fa

SHA256
6fcb2e342646e618eb9d47d815384f6e42938d985306ca0f2314a4e5694fa4ad

SHA512
61a032cb89e7cb4fd03bc75f08ac116c318897f324e386080c259cdac6ed3761eac90345006f1ab05dcf60b2b3467834afad64af9aa4b882a099e31bb3a67af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
94badb3922e230d99bb575cd37c29136

SHA1
45693b5d5aae9345b17e3571c5fe2f54aa79b557

SHA256
f4ea3d1d02804924a620efe5188dd20e355f36b2a498e1db7a72b3df3d1148d1

SHA512
0a5c0bbb5094842e280c984a28f93cfb07ab0c8ff614569be40b09baad34629215f021eceb63bd7e9f566fc6f59a649596d43eb03f8096afe1e03462e86bd584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0b97568f2978582167e8f073c250fe5f

SHA1
532dee4e6a26789c6c1af9ef4ec885b18b8025bb

SHA256
843654a7c2713d9b94d315b9ef998df0c2577bc990c2be3d0b6f3d25da9f9408

SHA512
52607a0a87b4af26f795994b6dd26ce019e4bd39a095093a37d94538da8fc2273315ad812566314887a40f4f6e13f296b18507cdfdbcd00d65f9e0a43cde16c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
9a7e9abdd36ad936df9e553569692c7d

SHA1
832b5b422c9239663646df3a76a37f681dfc34df

SHA256
7e6c23020e2ce0a2681a85e1eaa85f6fec28be434b8906f7ebdc3d0aabec8667

SHA512
cf88e5df7923955f0b45b3e00067a1e1b3c08dc402819079f496da02693b5a33644c9234b10ce6f99ba37fdfc5618e01ec80ed8aa6c92ae4e224f60db5b01e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
fbc10bf96ca533fef4fc6b4022f15463

SHA1
fc46c05bdb9370e8621e424be1d863d5e0d4f2a4

SHA256
256063f445a58b07413de9ceb5b7cb3ccb75605d5d8e68d2b020f69394c3d1c4

SHA512
4a8f20798f5e1a0cb922d5c6966e075eecc07be2b09add28d8342bef2fdc4d25d2d0f5f78ee8bfc92df1d550044c2eb36418cf0c0c963fc0be33e2fc43db6458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
116KB

MD5
64b64dcd65348c5436c1ba7db2a025b2

SHA1
ed8927ac6c067ee129f3d667c903f994fbe5fd0c

SHA256
0d0787ee99c460735757158dfb827fc96cbed714427ec3e45555371ba832b837

SHA512
9da73d1b8fa9bfb4954427d051c70c7de6bb91dcba7286ade497aa61890f32092fa3784c7b234edc97bb29f74c0302c0163e26802d69954a5672f10b259367ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59b3c6.TMP

Filesize
97KB

MD5
adfe6687f4969b466fbb3a18cbe4b23c

SHA1
eee7b6d69eca1f5e04f2c3d4fea3235f8b593263

SHA256
052f7c195066619fdb27a106ba7ff6708a3345dbcdfbb82f5a42804a0653266d

SHA512
825777fa60c7fa99439e20c4d5ac5076f0e9930f61aad4a254aaae2e83d8c8564fb547ff7d04b9a2854f6201f864894314d0a391249bd95811f853e4620660ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
memory/3096-641-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3096-351-0x0000000000840000-0x0000000000C28000-memory.dmp

Filesize
3.9MB

Download
memory/3096-642-0x0000000006380000-0x0000000006383000-memory.dmp

Filesize
12KB

Download
memory/3096-648-0x0000000000840000-0x0000000000C28000-memory.dmp

Filesize
3.9MB

Download
memory/3096-668-0x0000000000840000-0x0000000000C28000-memory.dmp

Filesize
3.9MB

Download
memory/3096-669-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3096-674-0x0000000000840000-0x0000000000C28000-memory.dmp

Filesize
3.9MB

Download
memory/3096-675-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download