hxxps://www[.]roblox[.]com/games/13815196156/HELLMET-READ-DESC

Analysis

max time kernel
1796s
max time network
1684s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roblox.com/games/13815196156/HELLMET-READ-DESC

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.2.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.2.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	TLauncher-2.899-Installer-1.2.2.exe

Executes dropped EXE 6 IoCs

pid	Process
1064	TLauncher-2.899-Installer-1.2.2.exe
2244	TLauncher-2.899-Installer-1.2.2.exe
5048	irsetup.exe
968	irsetup.exe
5236	TLauncher-2.899-Installer-1.2.2.exe
5604	irsetup.exe

Loads dropped DLL 9 IoCs

pid	Process
5048	irsetup.exe
968	irsetup.exe
5604	irsetup.exe
5048	irsetup.exe
5048	irsetup.exe
968	irsetup.exe
968	irsetup.exe
5604	irsetup.exe
5604	irsetup.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000000731-711.dat	upx
behavioral1/memory/5048-723-0x00000000002A0000-0x0000000000689000-memory.dmp	upx
behavioral1/memory/968-734-0x00000000009E0000-0x0000000000DC9000-memory.dmp	upx
behavioral1/files/0x0006000000023438-1495.dat	upx
behavioral1/memory/5604-1511-0x00000000003F0000-0x00000000007D9000-memory.dmp	upx
behavioral1/memory/5048-2208-0x00000000002A0000-0x0000000000689000-memory.dmp	upx
behavioral1/memory/968-2210-0x00000000009E0000-0x0000000000DC9000-memory.dmp	upx
behavioral1/memory/5604-2212-0x00000000003F0000-0x00000000007D9000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1497073144-2389943819-3385106915-1000\{FE0AEF2D-3AF1-4161-A32F-DBCA801579B9}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 402253.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
4804	msedge.exe
4804	msedge.exe
376	identity_helper.exe
376	identity_helper.exe
4808	msedge.exe
4808	msedge.exe
624	msedge.exe
624	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2244	TLauncher-2.899-Installer-1.2.2.exe
1064	TLauncher-2.899-Installer-1.2.2.exe
5048	irsetup.exe
968	irsetup.exe
968	irsetup.exe
5048	irsetup.exe
968	irsetup.exe
5048	irsetup.exe
5236	TLauncher-2.899-Installer-1.2.2.exe
5604	irsetup.exe
5604	irsetup.exe
5604	irsetup.exe
5048	irsetup.exe
5048	irsetup.exe
968	irsetup.exe
968	irsetup.exe
5604	irsetup.exe
5604	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1116	4804	msedge.exe	85
PID 4804 wrote to memory of 1116	4804	msedge.exe	85
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 4756	4804	msedge.exe	86
PID 4804 wrote to memory of 3128	4804	msedge.exe	87
PID 4804 wrote to memory of 3128	4804	msedge.exe	87
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88
PID 4804 wrote to memory of 4372	4804	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com/games/13815196156/HELLMET-READ-DESC
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb48a146f8,0x7ffb48a14708,0x7ffb48a14718
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5820 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7344 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe
  "C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe" "__IRCT:3" "__IRTSS:26445115" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:968
- C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe
  "C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe" "__IRCT:3" "__IRTSS:26445115" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5048
- C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe
  "C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5236
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe" "__IRCT:3" "__IRTSS:26445115" "__IRSID:S-1-5-21-1497073144-2389943819-3385106915-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10260844346764879881,15055483281269213873,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4240

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e8e822413f4f4d5e80eff74dd00d987a /t 5612 /p 5604
1⤵
PID:6052

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\331589cf3d3542c289fbf5c010f13add /t 1832 /p 968
1⤵
PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
64561a8c03a79d4aedc719571c848229

SHA1
19d08f5d20486f74545361dd33cc4eb214348f5b

SHA256
866568443ba1e85bb4e28206fffeefc97ee4727f4d666bf945fca1f28cdceba2

SHA512
a28a6f9a33fe93caef2e21b45c766075024c143b0413158b22625ce8831bc025fc66fc62853e33c52d9ada0d02232672514423d25f6a4932e1450b05b00fa51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
24d5f5ee6b6b3ac7a360032e9d79fb87

SHA1
84236f5f8e12b246153ef7bd0ce987ca1e292ffa

SHA256
d10459a3c990126b2bd20b2a306b4ed2038f0069c3b381c8faf659f5f50e2c5f

SHA512
32efb1b6a89a93ca6fb80dce21ba013e1c1451c177329d47359dc46361401ccff47c403fd706b0f8ecefcee1245921405d4770ea2bf5fc26735dca978bb07916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cae188f48d98877872423ff6322762c5

SHA1
93ab4c29508c569618cf32c4c799439ec4456f99

SHA256
ecde4ba859f992d7d8efcb008b7acebae3d04782a337b81c4ff2b2fd89a903bd

SHA512
16d85a9414ab101ef6ac1c78d105eaa51c029b0674c2067d63bf720c968fc41e311c99ade5dd389e0f16577cfba47a89d86293516f64070ec8dc87df9748afc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ced2bfb9d3614b59f319a2eedd5091fe

SHA1
9e10c00e7b84a6bc129111bec39e50c9b79dd63b

SHA256
e73597dea026af61fb910af0a277e115e4106cc5c9d1f4a2d73e848ccad00d18

SHA512
e6f3ff39bff5149fa3ae0c67fe6ccfdf320413cdd799fbf8e59071ef85958d7fdc5e5c54984329970cf5e44bf969c30631e239a096dc4676b5f65bb7397f41c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc62083e4222d6ae15e85e252892f1dd

SHA1
ab6cdedd66433d5bef9a8efb97adaf51e0470614

SHA256
1582c6cb090255257f011be795d69d6ed3ac1be2fe256ec6c21bb34ed28afd80

SHA512
6cd0a2b414d808aa26b22d0d2de105e00ba76a10f259c17b23bd472aa9bde0e14ef487727507235c7cdce116ecce2f60961cd78124dfe945ef9e0d866f8cd3dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5425fbad4fa536249886537245e07d02

SHA1
1f48652756f565827b4314cf7b4d2d19715b3a47

SHA256
4ed51eabd2b8b72246ccea2ae171085f40461e81ea2a03272dc7ab789e9bc7f4

SHA512
991081ba2892e3cdd1c7f7e7a833731ab900ed8bd0b4ef435a7550c8db1e9b9715e5aa32ced121ddada01ef4127cf27345a959fdd143e9ac532b652de6268f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f66b4f0c1671f8031d730282f55a9ee2

SHA1
1090c6c9fd676b90c4f4f243fbc4607829823658

SHA256
959ad7011908e1b20d96ec2ac7eae3364ed6e87fffa7dca559e67549f0cf41e4

SHA512
d970a7ebf8f0dcffe883fdb13ffa95e43c6370f7a2792394771ccdac14b982691997937c548ecdb78cd7dcfe9dc69434818e91cf6b0399404e74e5f14fe5e483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
7a6d7d5213e145b717682f65be8f1e0a

SHA1
49cd773829ec2edaec855d0da4b2dc6d5834ec56

SHA256
dcd5fe559eae5a413b95de046ae74ab3753632a4ee06ed5c2e555f8321ae2d2b

SHA512
4113a6c25ed4a46b10d2b3077c368241c14f50802174ddecd9404a1cc25bf83585417a36f36c6ce5abca8aa8e13ec61d462e853d69099737c8f41e1a7badac6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6a7adb2fd9f5799b5f8467fb77a3f9f8

SHA1
ad2fa83942477f233db1a1a1d5d2135ed4c32d01

SHA256
bfeb44b6251d3692465c0673f939d45b08f59bd8faede6776ed1394c1f8ab889

SHA512
ad72c5d645a18c955095f2b1687ae8fc81a52de2e521479a73a10ccf35dfa56ecc13ed4a09f618843b1688162e52d0072a3edd4a76f4763ffca6f4a4eabec953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
58b63f3dd68904112bcefebcd58d006f

SHA1
2f838a1218b76d5d26d713066ef027299b228213

SHA256
4e7bf7c2fbf9ea2de3cedf8c9a6623953ad062a4d8a1050da7fd8ab39845362c

SHA512
e02074365e750264675c67c2e0668fcf16a203ffb86d18d195947f1f1bfc469855181658ea6b2090613439c972564be463838634890e2d5977ec683337820515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
340679009fb575af95c2365d424e68cf

SHA1
3a3f561f22c7c0788a329c9b01333a262d937960

SHA256
3fe99b0455cbf9a6032961bab4b15a76cddb4e54cec30a5f014c7f749924178f

SHA512
4e00313200d1d8a2c00b09ffe58062bc02245359cacccc4e2ff258991713f409b9156d3f818564e03c96ac7f464d7c08bca2189194286114cce6a9ede9b754ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2cfd72cf539ccb3a2dc6985569742053

SHA1
251316f15a4ea40a0a801408e5f8e6003e7dceb7

SHA256
b09aa6fde58718aa2dd36a48d9bb86b21b41216c30436748c5f6806e302a0463

SHA512
b1b4ef953add69dfda59e28c7f6180c4ff281db93c035a9e3499154f816f9eaf100cd9636bd49c8328beab6ccbacdf8c1f6f28f5ceeda1e24587f1e563608c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1e963f143a80d14e782efb3a87929d22

SHA1
f130ea1936681e292dad1557cef378d3551fb28f

SHA256
6f993d90bbc1ad85dc03fef8a03f791054f9e279e8a7c656a933073336cdc803

SHA512
edc3065e1cb7890c394226e6076e23208c56e7c9327ebdcbf31bacbaa95e22494982520188bd59bc604aecb23a7127befd326caf8f49fa065aac6cd2f84edb3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a604.TMP

Filesize
2KB

MD5
930672ed38fde3fb236718008692e9c3

SHA1
2b9ff6f9d87d9456f2026de78929f10ec33e4468

SHA256
7ab8963e70f4190a5d4fb8c67e8c4a096e04a0d0e4f9b6761a387861d4afd0a5

SHA512
93e91d7a273ff431044ce56e5da64efd8604ff3318fdecd1822a6285a7e14967f2b4901498d6e50fa379abcc6236c844a1af361414961f316f9455c727868575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\aa585c33-aa04-4025-ab0a-e43f674053e1.tmp

Filesize
6KB

MD5
f53e7dcc2ba8ad1774a09af21e11356d

SHA1
7ad4469624cf9d6a598c4327557ce303c05a2996

SHA256
1784be2a09bd62eb8bf5c8197f057a5fef37c9a950e45ee3104561f5efe16923

SHA512
283fc07ee37f3de08fcdd98002312bb8ffaa0865875a0f072416ed6fbe50d7b5248d28440009f8f2fe9c6ce7cfea4d8649c4ba125e365995b68a294a98db71e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7711d486e305df1fbdfa83cdc624efda

SHA1
ff3d5c51d8454e5a3150ccb9e060445433f6e954

SHA256
6ba444184850f02ad3b5a19ebe787d5920a3a5bcadca5bca66051bc618e5aded

SHA512
b2909d8369e89ee79c1941be1ee3744cdfecf06da3da38e6b7db54ae0b02ce35e1cf4acecbfc200aea2236619b4707da98c1b2b4551a0f69f82bfa2d0b538e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.4MB

MD5
6f2d8f857c0f51a9fd5b24a16b7064a0

SHA1
3b9a1f02635df5b6c0ed1ab37ea7a2339df99deb

SHA256
12b549bc20e983eceec09a73a34657e754289eb5fffef1d68e075ae1617c7be9

SHA512
b5de19d8002206dcf6a9ca79f66f7d7e916736f637f6f4ae227fe58f06972e5e2e383851b5ea07d705b16873a1a8eac9ad0d9323b10dacdaad89f969d31ea506

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.3MB

MD5
8836a466a03c9fa9161598d7ed322a46

SHA1
965ff4f325aab5ab72a74c405dc539b4a6266bd4

SHA256
1283661fcc6a94a4c812619463c99557fe3ebdadfaf67dfaebd432f9b3975011

SHA512
e782361e2e864ec4fc6b3b453d662496727ec2975230c1462fff07fa29eb1df53a013305521e1f55cd6a0a29744294dd8e86bf5ae69aa153c0e6c38a6ed9d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

Filesize
1.6MB

MD5
6273b2c7648966796d6e2b2808e64bdb

SHA1
2b6e4488a8824ad418e203d56b751428790f8f5a

SHA256
205fa38f2ad078e658271148d22279b86c786b863040e8d2694bab21206fecfc

SHA512
80c9784965ea5a91a9c0e65fd9c2278f7c46b9c5cab4bb9a5789b4f738413542019dbce89269d6ed3fee24ac5bf0e473d22a87d732467d95975cba45f55c50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG

Filesize
339B

MD5
6e8d17a440a31b72a48d940ecdde3999

SHA1
3e16d78dcb2459224585d40d4085062d90c95511

SHA256
54ec15c3277123fbf7993c882cf2b981a91594fd5025e0b32f85b9f71f99f575

SHA512
7fd1e6d26377a98405259f96f250f7d1cf38ed14582ff31f72041a9865401b4f8a25879ebe043eedf5709ddaa01c861c96dd0c1f5b7a7cf71dc1104256d679df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
fc68c55156d4088ec51f934e8ecd3ccc

SHA1
fab1e66ed1f82aafe20622c44d235d440587bf00

SHA256
26d53869ebd1433df1b5b1f770c312c97ca23bd3008645769d564f6c6a79c919

SHA512
80fce59a3cb5123e78663cb2cab9deec1e46259275ea1c00e4536ec985f09c8cef1c5f0da6d0b41f03a524761303b706d87b8cdfd43dca2c96eb35c889ac8099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
49af47ca2aac874a9f68c41bdda6af3e

SHA1
c0fe752d5e630235e825c32a3314e9c3a8986054

SHA256
6ff40d4bdefc9a8948f24f6e24d38c72b588870d1b1997e42f24c86b5cab1909

SHA512
ce3e112b754dc4f10398eff0c8e858a1eb0462f87af6aa1d163d26c505dce40ab95a218317c7d61768fc9f5187ba2d8e9193694974f7deebac206598312abf1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG4.PNG

Filesize
45KB

MD5
3e0d3fe08b5cba8ab6a7ed62404bed5f

SHA1
ecfecee859708148d65b8e4a1385d3aa5e5bf90d

SHA256
a3e0b5386fea88612e0da44d2536f05dfc1092cc21e6037402ed833f30bcc5c0

SHA512
693cc26e25e67015cdb39d87e7e0abf8d2f4fd10a985124d05ab1ed3924a748018ca708711e816c0ca0b0f9a48b3804598282d6e36e1c32129cbca85ce0fc656

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
73c259b3e4073cfae14d3831890f3d56

SHA1
7d5d57d9d6cf66cfecc43e9479a11e0e385d2d53

SHA256
50cbf9de4a6f42db84fc3367b60a75058fb726180948ab51261b9e9cef46faeb

SHA512
4f5d789ec42eb530f9acbf57e224b1a50e567601b7a69175c61390a6a1f1098a2cb53a73c73843d409a3dfd1dd8f689f5c7c8b0117dc5c5cecb504083758060b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\Menu1Text1EN.html

Filesize
1KB

MD5
1d50f45abc86da4d44b5cf801cff4d77

SHA1
207d11362728d28b808196150eb616fd5a3c279b

SHA256
333eda6f2b5eb3f2069dd57d4d6c621600dd647d1c055c280a84f282f9a41660

SHA512
b0b114683d00858b57f22113227ac36b0a750f4a0203cc3c9670c4026718ae4bd10e0b714556d1b3fcfd33ccf69ee38ef4250261601ca246ace70d098e5a6580

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
6.9MB

MD5
34ec73e4f46768928763a0d319fef706

SHA1
033821779a483a8dacf3d956ce3d2ecc5f4e9e04

SHA256
3dc2aee341197fb9e96b193d96a171448d56649db2546a707f5278500616bc34

SHA512
dc4376e72cfe763320a1b16db557a5341f403d05e97e5a0527f368c089815e574aa1069eec1297b70b80868bcab81b242bd85bd26c940153693850de6faf8ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_2\irsetup.exe

Filesize
192KB

MD5
f8da6cb22a24108089afd60b4f778e4d

SHA1
d9645e4d58f4a7406c37adf13b691a41030cef3c

SHA256
08996747a58ed611c418c7c49b6a4074d8eabac00c608c124e42dc832c87ad99

SHA512
4a11de02c595c6c9ac857897ced07fed3bfa3f7a8860b6937380914c0cfca485f14561d5d9699e3a2ad356582c36e949359c70fc73df25ce4be02285168b425a

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_latest_tl.txt

Filesize
38B

MD5
79d2c55e39e9f6f35e25678fb5fa2419

SHA1
2e987d70a56b1d2f5838330f4e031fda7ac51bd8

SHA256
08ef10a513966ccf7674296c66aff6c215120f56e20b2673d121030bee162dbc

SHA512
476dbf61aaba40a3989bf3abb201186aeba9943b1564c582c633fe382002e7be155e906ae0ee2d1de8f5d1a804b76a5ad76c9cb90d07205e7d05e1dc4f25098d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe

Filesize
21.9MB

MD5
1258d454cc50e342caeabce89d6a6361

SHA1
e2c41de98a9e87dd76b5265376bacd4ae68cf76e

SHA256
42fcb7b089b9748830f73d16f3c55aec183a532466e8d40052c361a6ad465ddf

SHA512
6a6ef2c36e207d664f67f9e8013fc42aab01a7a52204fc7e65600e263c400f256dee7a948bada8f23fd98a04808254a1ab58cdff59d10e26311cb00e5cb2008c

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe

Filesize
23.4MB

MD5
234f01207dd4dca29be9859c1d554c8d

SHA1
31ecbb7caa95e3da2d3026f72f31d3a6fdce1e4a

SHA256
27e117780336fc34ccbbf10cd3926b57913a219c0f716826a9f7ddcbadf19762

SHA512
bda1df4d79b4e4b575036970a6b5ebdf5084aa9cfb477bc91570ddcec5fdcb43e021bf597b1a972d2f0412dcf7180d5536736f6d4e6e867f675634531ae378dc

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.899-Installer-1.2.2.exe

Filesize
1.7MB

MD5
9c3229d53e1a6a587b30db468f17c0a6

SHA1
3b2093b922cb968129701c1f7fca4127abaa26fc

SHA256
2e3cfe29e124cca9d528ae8bcf0a34c4faabaa014700821b3c6f30b29cfb9cdd

SHA512
6b8206fee93d0e1e9d46db79d557e28f84451ad68b7f0341af8d3a6a0f36fba8e214bf647099484f19b8051b2265d841056c32cc6e164dfc1cc827db7da31317

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 402253.crdownload

Filesize
25.2MB

MD5
cd015217060c1ddeeb4b2c432dfa7600

SHA1
29814b447f6b0bf261981c9ddc5c6c730fbb37ae

SHA256
7603d15e2245d9af74eb967b4bf589f7c4cd5aa91746aff8ff4f4260317c25ef

SHA512
bb073eea34dc361e9a9c0c7a87459e76875763565f3ac537a4a55d5b8b29f6c9aeef52bbc389bc3d1c20ccb77b6fa552548d6defac5beaecd66bb1e7606b73a2

Download Submit
memory/968-734-0x00000000009E0000-0x0000000000DC9000-memory.dmp

Filesize
3.9MB

Download
memory/968-2211-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/968-2210-0x00000000009E0000-0x0000000000DC9000-memory.dmp

Filesize
3.9MB

Download
memory/968-1670-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5048-2208-0x00000000002A0000-0x0000000000689000-memory.dmp

Filesize
3.9MB

Download
memory/5048-723-0x00000000002A0000-0x0000000000689000-memory.dmp

Filesize
3.9MB

Download
memory/5048-2209-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5048-1658-0x00000000062A0000-0x00000000062A3000-memory.dmp

Filesize
12KB

Download
memory/5048-1657-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5048-2276-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5048-2290-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5604-1511-0x00000000003F0000-0x00000000007D9000-memory.dmp

Filesize
3.9MB

Download
memory/5604-2212-0x00000000003F0000-0x00000000007D9000-memory.dmp

Filesize
3.9MB

Download
memory/5604-2213-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/5604-2170-0x0000000002E80000-0x0000000002E83000-memory.dmp

Filesize
12KB

Download
memory/5604-2163-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download