hxxp://tlauncher[.]org

Analysis

max time kernel
229s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tlauncher.org

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.1.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.1.5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.1.5.exe

Executes dropped EXE 6 IoCs

pid	Process
912	TLauncher-2.899-Installer-1.1.5.exe
2856	irsetup.exe
3992	TLauncher-2.899-Installer-1.1.5.exe
4904	irsetup.exe
2216	TLauncher-2.899-Installer-1.1.5.exe
752	irsetup.exe

Loads dropped DLL 9 IoCs

pid	Process
2856	irsetup.exe
2856	irsetup.exe
2856	irsetup.exe
4904	irsetup.exe
4904	irsetup.exe
4904	irsetup.exe
752	irsetup.exe
752	irsetup.exe
752	irsetup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000000753-477.dat	upx
behavioral1/memory/2856-484-0x0000000000410000-0x00000000007F8000-memory.dmp	upx
behavioral1/memory/2856-756-0x0000000000410000-0x00000000007F8000-memory.dmp	upx
behavioral1/files/0x0004000000000755-791.dat	upx
behavioral1/memory/4904-793-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/4904-1074-0x0000000000020000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/752-1109-0x0000000000D50000-0x0000000001138000-memory.dmp	upx
behavioral1/memory/752-1390-0x0000000000D50000-0x0000000001138000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 764369.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
4760	msedge.exe
4760	msedge.exe
228	identity_helper.exe
228	identity_helper.exe
2876	msedge.exe
2876	msedge.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe
4024	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	taskmgr.exe
Token: SeSystemProfilePrivilege	3760	taskmgr.exe
Token: SeCreateGlobalPrivilege	3760	taskmgr.exe
Token: 33	3760	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3760	taskmgr.exe
Token: SeDebugPrivilege	5048	taskmgr.exe
Token: SeSystemProfilePrivilege	5048	taskmgr.exe
Token: SeCreateGlobalPrivilege	5048	taskmgr.exe
Token: 33	5048	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5048	taskmgr.exe
Token: SeDebugPrivilege	4024	taskmgr.exe
Token: SeSystemProfilePrivilege	4024	taskmgr.exe
Token: SeCreateGlobalPrivilege	4024	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
4760	msedge.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
3760	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe
5048	taskmgr.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
912	TLauncher-2.899-Installer-1.1.5.exe
2856	irsetup.exe
2856	irsetup.exe
2856	irsetup.exe
2856	irsetup.exe
2856	irsetup.exe
3992	TLauncher-2.899-Installer-1.1.5.exe
4904	irsetup.exe
4904	irsetup.exe
4904	irsetup.exe
4904	irsetup.exe
4904	irsetup.exe
2216	TLauncher-2.899-Installer-1.1.5.exe
752	irsetup.exe
752	irsetup.exe
752	irsetup.exe
752	irsetup.exe
752	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4080	4760	msedge.exe	84
PID 4760 wrote to memory of 4080	4760	msedge.exe	84
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 4992	4760	msedge.exe	86
PID 4760 wrote to memory of 1876	4760	msedge.exe	85
PID 4760 wrote to memory of 1876	4760	msedge.exe	85
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87
PID 4760 wrote to memory of 4448	4760	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tlauncher.org
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa88ba46f8,0x7ffa88ba4708,0x7ffa88ba4718
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2132 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,16129961388054418920,5731299623320126836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:560

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3760

C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe
"C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:912
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe" "__IRCT:3" "__IRTSS:26073958" "__IRSID:S-1-5-21-1815711207-1844170477-3539718864-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2856

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5048

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\3e1e21154c294468949ea1e7874324a9 /t 4704 /p 2856
1⤵
PID:544

C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe
"C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3992
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe" "__IRCT:3" "__IRTSS:26073958" "__IRSID:S-1-5-21-1815711207-1844170477-3539718864-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4904

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\ff8d731871044dccbffe0876758d325d /t 3576 /p 4904
1⤵
PID:4176

C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe
"C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2216
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe" "__IRCT:3" "__IRTSS:26073958" "__IRSID:S-1-5-21-1815711207-1844170477-3539718864-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0df27d7e-81ca-4f9f-82da-bb997db60d32.tmp

Filesize
6KB

MD5
186e983d807440c0a71b189c379a7e75

SHA1
ec2e9a290b21991b9cd9bdb4854f8314ea360bd6

SHA256
53625232da7f1f9dd32a835ce0e8f0a50fac136081eba8c94ac6b2f14ed524de

SHA512
c527a81ebb6df472b864e569d0db5093861c02d3597ec025f68cb8b7f2625246e3772fd9d6dbe1a4f572f03fc905c84f27b3de4844977312a200ee2a85315f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
89KB

MD5
46b0096ca61dcb5db8bced022071ea5d

SHA1
9b6e5e9253b67f74a3e03f4a96835749692d4ddc

SHA256
2b5860a37022d9a69cf95302b244c86e317d136437aff52e4fa261a1e294104c

SHA512
27d90e5ea69b0f54958a82e5b456b400ff00e0ec56d1e74af189121c81badd9b8619b053510e3e8ddf3bb3fac2a870e2da2a419241a6503db328f186e6e4014b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
106KB

MD5
b01676f57d0f8e6a613232835fb0e6e2

SHA1
427940768d12d841e7ea2e23e1221e4252c987bf

SHA256
052455f750901663f45c62be385d6a5d82e779ddd28b846090ebd85aceb7cf3e

SHA512
5be6d576480ca48ba4879065e413e6f7a54d3dd23b6af0a609486dd317c20d3571102f1bb3ec265f407b35f11670ccc927b745e8d8d698535e405253e9923500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
194KB

MD5
ac84f1282f8542dee07f8a1af421f2a7

SHA1
261885284826281a99ff982428a765be30de9029

SHA256
193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0

SHA512
9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
28aa3aa607507c6f1e374d02e284dacf

SHA1
b87ffc4e8197a8b806b4abad8713b81c86d53a01

SHA256
e4d380cc1ed862cd93aae4e68585827a43cbad1570f0b72dc5146f43ebc276d2

SHA512
9e0a352149c97fc59cea680c27b7f5f00db3becacf18f4b9b01498755efbd428bab46cf6f8e9f1611e0073a93bea7bc5eae252207131b08d73e8b45c21dd9b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6d9d31b3cda4367c5efa11f6cb8d8f8c

SHA1
ac066fce920c71c692f6472832034f0d864dc507

SHA256
7ba3e29d28576e1adfb82edad4ed8c8a2896d74f257a37fef72204e57f4a906b

SHA512
be07d7726ee4cdc481b4a6b8ceb7af311b8a25fc8def77d37b2cba5ee689b3e2d638b5cd075b9c468e9fee04601965525cf480c10180600e584fbb13f57af3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
097c536406135dc6ea550fc1c6852435

SHA1
e2b23f93e0ee47c039eefff473b1de505786e463

SHA256
0c5eb5fbedd23bf5a40f248284b82e34576531eb455b5ec422f039cffd634cce

SHA512
84e6a4e8c947cdaa536d0fb69c64662adf4a17b04616c2930e3f5d08e3389de9e16c5bb112512951b978fd86f0e1de6558bf727ee95edc84eeaffc12057fd8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b903cff0994c36d89862cd27c63e2fb6

SHA1
6e8e5fe45672869331ccb4fc0fae3ba4cb6a4013

SHA256
82f200f1db7b14c6a40ae25617ead1dea643ae1b626f5aec465e7f9529d752be

SHA512
525b6d0f7927e6466ad5571271527f2c46ccade4ab6e91ff4dd23e6ee4753073d45d35301708983ebe1a22bea44c21e7c9a3ab1ab66d15dedfe4479ab867e90b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bda080ee422900414b767da821b1c0b6

SHA1
f95512a479716e644ffc9ef8faf7010bb408f791

SHA256
8b3af1298a9b3c9d873c4e3052dc79b19d516e18de905e25b2e7259b3302af50

SHA512
9cd81e8512b8b09e5ef932ef35009907da90b38104c9b0aaad3e0de8cc5f1ec0d016f6ceca94cfa12edcedcd779e6a696a79ad657354bfb36ba77091e47a81dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
24f2bea504ae9ddeedea945dec96d75d

SHA1
58b2ff2fe0229c0e33d6b50330fa7aa52bdba747

SHA256
08df3f86ed14121523a6be9172c20ee2fd9eddef5d57ef0cac5b8d6dff53bfe8

SHA512
6df78d98ce960f778539bba11ad08b7454f9630cdc668a1061cf50e856aedcb5b2fa32f0541adf19719f5c1a104563c086facb906923f75085f1c9bb544a177b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f10272cc70d260e62579c52e1536c37b

SHA1
9d54749f46524812fbc129ec87dd611a78064194

SHA256
12f829a271e65e117a3906764ec90310817a89a2285c12e0dae277afdd8729d7

SHA512
719bb59d06af7fb6a75ba2ed1e2f5a6f365b802625537bad8129223aa8683e362f59b7635a4245db5715704b89dd97edd9f8b9ae1c51fc249df247096484fbcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1d1c7c7f0b54eb8ba4177f9e91af9dce

SHA1
2b0f0ceb9a374fec8258679c2a039fbce4aff396

SHA256
555c13933eae4e0b0e992713ed8118e2980442f89fbdfb06d3914b607edbbb18

SHA512
4c8930fe2c805c54c0076408aba3fbfb08c24566fba9f6a409b5b1308d39c7b26c96717d43223632f1f71d2e9e68a01b43a60031be8f1ca7a541fe0f56f4d9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
adc0c2c274c9b69184aa3975081702a7

SHA1
6e4aa70d4a46c348fcc6706848d915898a7e9311

SHA256
15e91d8a4bdef842e2d7e04b834c3f745b06de4f2f706d65f97b9735e52e6072

SHA512
78d4352143727b00a54f04a0e8b4a3461b7f469b6d93717350c669f6dd53ebc9748e015fb58e636bbd86aec15517cc8a33dfaeb7d27f2b5527c7802ed66eaa77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b28650e7f7fe30e00873a94006d4026a

SHA1
e341ff0f44a784aa3a548b32810e142f5f772bb6

SHA256
3cdc5cb8f5f2e64a254aa6270796ba3816d9350ef4b7de15028fa79c21fc4bf1

SHA512
44466dc17cf89e789264501725616503d141c279e29c46d5bcb0ec42f6993b5032937966e403bfce06da794045d7297702caa40d2cd87ea6ddf5ee2f6e2b6e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1c5aae3b77b013512e113090f4c0ffc

SHA1
3ae6e19c9ad90b2f9024cef256c44aa54c4504a7

SHA256
a4b61a16e31b2bd34ce575da5a8d0e5edae5a8bcdfcd2a3ee6114b218bf53130

SHA512
5d46caa4101c5555dff2403279c866ec2b8fa5cd163168182f50f47a6ef77276111d162ca67d5f93f39cf03988737bf7b3a332c1929cb2bab03c4b05e594fdc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cb2f.TMP

Filesize
1KB

MD5
8853b1cb5a2a420bbeb8c85124aa92f9

SHA1
9454e56ed54433e0eb7af5c773e7f8322847ea82

SHA256
78d9c167aa58a1f1aa3a0be9d98105e617a80d18091427bc66be68a4d9514c9f

SHA512
21abbcec632de535769d71f471b9726ee032d181030b383839162ed6b2c045625e61208740d6d5b4c2b83c215180549caa69ef62190400726c95727a3ae83978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
13ef3eeac21d8f3512a8a18a741be05e

SHA1
50c68e2bb9502bbde71e69cd0fe6b0b96544a6e6

SHA256
e492a99bb621339bcd8372de7a24c101cf8e553db1b072fb86a317f772036c2c

SHA512
7447dad84a6e442b5c2b3d9dc24be53dc3b38b38589df26233fba9e8f1903c3a9d432fc9825f489c3bad5baef883a4f73c31a0ecf8f62e8fd5fa7edc29e1f539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8e56eb81b5a3cf5545fee19e9c6d31c4

SHA1
443f8f74b5437bea7feb395a0f0827e6362b270f

SHA256
bd4f86ed520b08f10156fc94b30a241dab2f35696c42c30d595b22c81316a481

SHA512
2ade8590c2b497a948458d5c192e65f40902bdeff1e08aa21f5dbfee9e57e2fdee8ea4bbadb46c60c4bef15299e6054a78f5494f0478880139b8038fa7c28c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
bba68732fb535f542f19acd46af00ddf

SHA1
501b7058ce18858a22f6ce198dfc34fff832872d

SHA256
da4577994a0653b6eccea81ecd078397f2088935d24dde5d8de30fbf178dd0e3

SHA512
36b3d68b7163b7be4a12cc9b6fed2136300c8fdc4941e00b42faffe94f40436d104788808d4fcccfb7340e3b4a4bc4740bd66dab840260461a8ecc7785fe43b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
3.5MB

MD5
7f39f9817621ee8683fe55e18c569812

SHA1
2f55807f87897e289a3e3b9cde2e22daeafebd36

SHA256
14d6a6564e66ea0c8235392f3a68e77ff794dc9d76195c2cb59740d2b5778e8b

SHA512
d7fbdfa36439f0a1b6da3e2f4efb36b872b9218550b4586d69ba396aecc8c839ae95d6e818ec3a2f8794eff8eff1b28ade19c8be4325b661efe86c1bee0b3ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe

Filesize
203KB

MD5
16a9954d6b97dbf331c4eff440407e17

SHA1
430737e3b08e5361ba13f9e1eab66077dc089d94

SHA256
cb71fca83a642031e66359269bbe3f6bf988fe72a9edce521d1d06cfe6907242

SHA512
262508a02e5841275348280e3e0392d2ea9386f6308355b470f90c49390952b0992d318dd0210f50e4817c701244309083808315c85f614ce3162a49132f23f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG1.PNG

Filesize
339B

MD5
e03bd571cc5d6ee141d605b551c159df

SHA1
514ed140a60de87dee350eea098e6eaab48e0011

SHA256
af8531e28dbaf03f838592c535495f564c9254e981a411e01fd2ffdc22cc3bb2

SHA512
64ebae57ee5d093521d162defbd823d65a8fa3676e27dad7b0606bce34ad76ea1c88154451dc1da83a4b40cb571ba2b34377a4efb40280a73426a6bc6bbad969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG2.PNG

Filesize
280B

MD5
fd067308f6ecdda0ac1f8c6c3db13073

SHA1
9f5e3d184ef9decadeaad47c92f7d89fa25e6221

SHA256
e71fdeb30be88572674bf52b8caf9076c01e55a40ebd027c28849280a979a959

SHA512
fcfd0467df08958c7a4ac0603852a0433a3f2c762010c2ce7a03cfc42a8d7642c20f011131da80ea86812b49fc6ed4323c9edbfa4c7c0e5109974217bbf1f8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG3.PNG

Filesize
281B

MD5
45ee4bb308bde05d4a114960fae2b9b8

SHA1
4c33fc5e4543ba014133f6d98e7c15fa7c562565

SHA256
53658222455fc8320207c6d00597586462d1ddafd80a5b07eb1dfd114f17d1b6

SHA512
de441586f1e8da32e3c5afcd779e6f8a01c29ca904db3e6db04b49335753067a4d0142beb2828af33152d09458937cefb8b4be951cc57e9d12f736b76580d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRIMG4.PNG

Filesize
45KB

MD5
bad9fa79fb5bbef1cea454473769e0a1

SHA1
4aec795850507f2ca31127d4494ab1fe88e7cbb1

SHA256
6dc072d178babb4060ff77ff76148e2eaf75e32707dee7f1496258667f1cd49d

SHA512
8157d469b231d0b51843efd5a5401edaf44aaf2d79a28011365fdd6c3f3677ce98e2866ec686ddd8a0d0986387445e91fdfc9799d0d4ea5619c7569f193dc42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\IRZip.lmd

Filesize
256KB

MD5
81975ca4c6c7f6f454d02e8dd316eca5

SHA1
4a19ab925981b7f34c9c54118657cd789e037529

SHA256
00d4fa894c0228f0448e1cc507bfb005c8973d3c700c32afb51ca6670813834b

SHA512
5332f9ccb5e74ece13eb28925f81ec734c8ee67eb820453ebbb7f5e62a3228dbf668ff7bc78b935651fc4e1ef3ad0b5a391ee7ef603245921f3435f013edb62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\Menu1Text1EN.html

Filesize
1KB

MD5
1d50f45abc86da4d44b5cf801cff4d77

SHA1
207d11362728d28b808196150eb616fd5a3c279b

SHA256
333eda6f2b5eb3f2069dd57d4d6c621600dd647d1c055c280a84f282f9a41660

SHA512
b0b114683d00858b57f22113227ac36b0a750f4a0203cc3c9670c4026718ae4bd10e0b714556d1b3fcfd33ccf69ee38ef4250261601ca246ace70d098e5a6580

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_latest_tl.txt

Filesize
42B

MD5
0e116c78b9954f29fae4e8b23146d744

SHA1
24de694a6865ec494519fc909c3bc2b47a618468

SHA256
8e1b9cf7d1a4a1614f0e77e7fe8a1f1c82df634d5bac5c3e7e9f9bfadda6b004

SHA512
4d9ffac3d80f0fff46bb91e0b8cf20c0346abf18815b0dc8f978dd5b93af1f4d264662c291a4bdf81df9abef3e8e645af00ece63e678e03ab3788123902f36d1

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe

Filesize
19.2MB

MD5
e5cf760c7b70a196cfabe562640a81a7

SHA1
632a6a6254bffff859bfe601d58774a39221cb6b

SHA256
9febcc4db4d2bac30a792428fd85de4d8a72b28a5bda3af2c6860b834196256b

SHA512
2331f7f310319b7152d632511e184b94a00b5246f1b1842242ebe9adbba6f3c4b206f07f6e50416f1cd461d41cdf631a547a35221d35e4b4e7dfdaedc2fb88ee

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe

Filesize
9.1MB

MD5
e3dac94b508fa1ec9951d8859da0b8c5

SHA1
0f87e2fe4d0f2838d23c1ca0410356297f2a38f1

SHA256
cf1bec66d47c9e313cc445ad294c3fd19f0acb05f49d257b2d8e23ab932fa110

SHA512
b96eb0515bdf8b22831d72de89783ba3899f843020e2442819e9cb1501ac86f4454545c97df53cbf46dbf4fe16f4fc36669ede3a0def7b1c04012968fdbc6971

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe

Filesize
7.0MB

MD5
b285384c5ca08d7991fff036636ded43

SHA1
f3e03b224cea4bf0f00749dfcb1e0b62169e3359

SHA256
4182f0ade7c1e17e4b3fe09a47d499ccdd4e64d03f0626f354215625304f770e

SHA512
c2c04de812ac5435cbbf19086213fbc1eded23f648ba2689550fd0561bc15d119c485b4c704e2f80c67732c24c42b035b4a02a7e8a5d7f0151224d79e921909a

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.1.5.exe

Filesize
5.7MB

MD5
e55e53988377540671df252b29d380ff

SHA1
5e3bc9e011116bb2e4b2d0bc22ca357576eb9d9b

SHA256
5354eddf90c63673c3cf0bffdbb1f6570ed84ea0981cc116058ec1880c6404ac

SHA512
aaf1c04ac65db4676cf9b8fd764d7ffba24aae60b509e66b4ebae3fc0270828941bde3f6cd8a4fc1fcaf2c1f262ceabe593b68f160ffe9e4f516969b94fd682f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 764369.crdownload

Filesize
24.9MB

MD5
dc18b7f4917cb800b1fa51251bc5b6b3

SHA1
268524e70c51f2f1e0eeb82ef183943aa5285a7c

SHA256
0b1b9037233b62a601b31def961ed5a43773b7407d864c7ad40da9ab9ab91b71

SHA512
e02ace9761c7736175b5a2c2541a51246adc5090c87724962362ec540118b331be1aeffbecd15b469eb4ee0ec29d436cd76b005ef7f7f34cad9084bb2ff03420

Download Submit
memory/752-1109-0x0000000000D50000-0x0000000001138000-memory.dmp

Filesize
3.9MB

Download
memory/752-1364-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/752-1391-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/752-1390-0x0000000000D50000-0x0000000001138000-memory.dmp

Filesize
3.9MB

Download
memory/752-1370-0x0000000006B60000-0x0000000006B63000-memory.dmp

Filesize
12KB

Download
memory/2856-484-0x0000000000410000-0x00000000007F8000-memory.dmp

Filesize
3.9MB

Download
memory/2856-745-0x00000000062C0000-0x00000000062C3000-memory.dmp

Filesize
12KB

Download
memory/2856-757-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/2856-756-0x0000000000410000-0x00000000007F8000-memory.dmp

Filesize
3.9MB

Download
memory/2856-739-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/3760-459-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-458-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-457-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-463-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-464-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-469-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-468-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-467-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-466-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/3760-465-0x0000017911DC0000-0x0000017911DC1000-memory.dmp

Filesize
4KB

Download
memory/4904-1074-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/4904-1075-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4904-1053-0x0000000005B70000-0x0000000005B73000-memory.dmp

Filesize
12KB

Download
memory/4904-1048-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4904-793-0x0000000000020000-0x0000000000408000-memory.dmp

Filesize
3.9MB

Download
memory/5048-774-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-773-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-772-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-770-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-771-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-769-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-764-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-763-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download
memory/5048-762-0x000002A1CF370000-0x000002A1CF371000-memory.dmp

Filesize
4KB

Download