0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff

Analysis

max time kernel
84s
max time network
86s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
24-05-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TelamonCleaner_id66510e9929ef0tr.exe
Size

2.3MB
MD5

6a80889e81911157ca27df5bc5ac2e09
SHA1

02ac28dd7124317e294fac847a05b69411c9cdb2
SHA256

0b74c13914f712fce5bb41c25a443c4214a97792bdbb6fea05b98350901405ff
SHA512

329ec105834f4531386090074994e5c4ddbdaf4cc4801956b675e258e9167f9e70cf31b8d636d119b59b57af0912decdc259d12999842008cec807a967c89aef
SSDEEP

24576:U7FUDowAyrTVE3U5FR7EqKt4QqImIRxbFCtrzARkiXP9oZcEo4V2cUifUjYRm96F:UBuZrEUuXpqIzfbFsW/aOEPrSgmKvrjb

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

TelamonCleaner_id66510e9929ef0tr.tmptt-installer-helper.exett-installer-helper.exe7za.exett-cleaner.exett-cleaner.exeQtWebEngineProcess.exe

pid	process
4908	TelamonCleaner_id66510e9929ef0tr.tmp
1924	tt-installer-helper.exe
4488	tt-installer-helper.exe
2660	7za.exe
4628	tt-cleaner.exe
3784	tt-cleaner.exe
844	QtWebEngineProcess.exe

Loads dropped DLL 57 IoCs

Processes:

TelamonCleaner_id66510e9929ef0tr.tmptt-cleaner.exett-cleaner.exeQtWebEngineProcess.exe

pid	process
4908	TelamonCleaner_id66510e9929ef0tr.tmp
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
4628	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
844	QtWebEngineProcess.exe
3784	tt-cleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

tt-cleaner.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	tt-cleaner.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	tt-cleaner.exe

Drops file in Program Files directory 64 IoCs

Processes:

7za.exett-cleaner.exett-cleaner.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\resources\qtwebengine_resources_100p.pak	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\manifest.json	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\last-pages.715ac269.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\registry-active.6951662d.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-datetime-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-convert-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\precache-manifest.4791a96b40638b7bce1fa8447902dea9.js	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\error.26262d77.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\uninstall.15dd42e9.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-handle-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-conio-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\libGLESV2.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\Qt5WebEngineWidgets.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\vccorlib140.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\optimizing-active.4f64d5b9.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\resources	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\archive.6aff718f.png	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\basket.08447196.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\lock.d6e850fb.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\system-trash.a3d98939.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\images\payment_offer.png	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-private-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-process-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\API-MS-Win-core-xstate-l2-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-filesystem-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\styles\qwindowsvistastyle.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\basket.811779cf.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\cache.170ed16b.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\virus.39255d86.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\logs\tt-cln-app-2024-05-24-22-06-14.log	tt-cleaner.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\check.a47976cf.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\error.26262d77.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\link.38b2b97f.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\config	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-crt-multibyte-l1-1-0.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\D3Dcompiler_47.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\images\after_activation.png	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\robots.txt	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\alert.1191a968.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\large-files.6b7da8c8.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\notification.a48d7bfd.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\registry.8cd67b72.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\virus.56b6669e.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\virus.f2fabc80.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\large_success.ec6f36b9.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\launch.3c193b4e.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\link.df9cc295.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-errorhandling-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\large_success.ec6f36b9.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\config\autorunConfig.xml	tt-cleaner.exe
File created	C:\Program Files (x86)\Telamon Cleaner\Qt5Gui.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\resources\qtwebengine_resources.pak	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\libcurl.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\vcruntime140.dll	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\expansion.2379eba9.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\registry_success.efbf644e.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\stop.e89bd789.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\Qt5QuickWidgets.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\basket.811779cf.svg	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\api-ms-win-core-handle-l1-1-0.dll	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\images\special_event_offer.gif	7za.exe
File created	C:\Program Files (x86)\Telamon Cleaner\ui\static\media\refresh.3c1a10bd.svg	7za.exe
File opened for modification	C:\Program Files (x86)\Telamon Cleaner\images\update_offer.gif	7za.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1432 schtasks.exe
3840 schtasks.exe

pid	process
1432	schtasks.exe
3840	schtasks.exe

Modifies registry class 1 IoCs

Processes:

tt-cleaner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3062789476-783164490-2318012559-1000\{A3D6935D-9CB4-450A-A250-F3BD54382885}	tt-cleaner.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

tt-cleaner.exe

pid process

3784 tt-cleaner.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

TelamonCleaner_id66510e9929ef0tr.tmpQtWebEngineProcess.exe

pid process

4908 TelamonCleaner_id66510e9929ef0tr.tmp
4908 TelamonCleaner_id66510e9929ef0tr.tmp
844 QtWebEngineProcess.exe
844 QtWebEngineProcess.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tt-cleaner.exe

pid process

3784 tt-cleaner.exe

pid	process
3784	tt-cleaner.exe

pid	process
3784	tt-cleaner.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7za.exe

description	pid	process
Token: SeRestorePrivilege	2660	7za.exe
Token: 35	2660	7za.exe
Token: SeSecurityPrivilege	2660	7za.exe
Token: SeSecurityPrivilege	2660	7za.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

TelamonCleaner_id66510e9929ef0tr.tmptt-cleaner.exe

pid	process
4908	TelamonCleaner_id66510e9929ef0tr.tmp
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

tt-cleaner.exe

pid process

3784 tt-cleaner.exe
3784 tt-cleaner.exe
3784 tt-cleaner.exe
3784 tt-cleaner.exe
3784 tt-cleaner.exe
3784 tt-cleaner.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

tt-cleaner.exe

pid process

3784 tt-cleaner.exe
3784 tt-cleaner.exe
3784 tt-cleaner.exe

pid	process
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe

pid	process
3784	tt-cleaner.exe
3784	tt-cleaner.exe
3784	tt-cleaner.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

TelamonCleaner_id66510e9929ef0tr.exeTelamonCleaner_id66510e9929ef0tr.tmpcmd.execmd.exett-cleaner.exett-cleaner.exe

description	pid	process	target process
PID 2512 wrote to memory of 4908	2512	TelamonCleaner_id66510e9929ef0tr.exe	TelamonCleaner_id66510e9929ef0tr.tmp
PID 2512 wrote to memory of 4908	2512	TelamonCleaner_id66510e9929ef0tr.exe	TelamonCleaner_id66510e9929ef0tr.tmp
PID 2512 wrote to memory of 4908	2512	TelamonCleaner_id66510e9929ef0tr.exe	TelamonCleaner_id66510e9929ef0tr.tmp
PID 4908 wrote to memory of 472	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 4908 wrote to memory of 472	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 4908 wrote to memory of 472	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 472 wrote to memory of 1924	472	cmd.exe	tt-installer-helper.exe
PID 472 wrote to memory of 1924	472	cmd.exe	tt-installer-helper.exe
PID 472 wrote to memory of 1924	472	cmd.exe	tt-installer-helper.exe
PID 4908 wrote to memory of 964	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 4908 wrote to memory of 964	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 4908 wrote to memory of 964	4908	TelamonCleaner_id66510e9929ef0tr.tmp	cmd.exe
PID 964 wrote to memory of 4488	964	cmd.exe	tt-installer-helper.exe
PID 964 wrote to memory of 4488	964	cmd.exe	tt-installer-helper.exe
PID 964 wrote to memory of 4488	964	cmd.exe	tt-installer-helper.exe
PID 4908 wrote to memory of 2660	4908	TelamonCleaner_id66510e9929ef0tr.tmp	7za.exe
PID 4908 wrote to memory of 2660	4908	TelamonCleaner_id66510e9929ef0tr.tmp	7za.exe
PID 4908 wrote to memory of 2660	4908	TelamonCleaner_id66510e9929ef0tr.tmp	7za.exe
PID 4908 wrote to memory of 4628	4908	TelamonCleaner_id66510e9929ef0tr.tmp	tt-cleaner.exe
PID 4908 wrote to memory of 4628	4908	TelamonCleaner_id66510e9929ef0tr.tmp	tt-cleaner.exe
PID 4908 wrote to memory of 4628	4908	TelamonCleaner_id66510e9929ef0tr.tmp	tt-cleaner.exe
PID 4628 wrote to memory of 1432	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 1432	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 1432	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 3840	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 3840	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 3840	4628	tt-cleaner.exe	schtasks.exe
PID 4628 wrote to memory of 3784	4628	tt-cleaner.exe	tt-cleaner.exe
PID 4628 wrote to memory of 3784	4628	tt-cleaner.exe	tt-cleaner.exe
PID 4628 wrote to memory of 3784	4628	tt-cleaner.exe	tt-cleaner.exe
PID 3784 wrote to memory of 844	3784	tt-cleaner.exe	QtWebEngineProcess.exe
PID 3784 wrote to memory of 844	3784	tt-cleaner.exe	QtWebEngineProcess.exe
PID 3784 wrote to memory of 844	3784	tt-cleaner.exe	QtWebEngineProcess.exe

C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id66510e9929ef0tr.exe
"C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id66510e9929ef0tr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\is-RJHNB.tmp\TelamonCleaner_id66510e9929ef0tr.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RJHNB.tmp\TelamonCleaner_id66510e9929ef0tr.tmp" /SL5="$60108,1520969,918016,C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id66510e9929ef0tr.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe" --getuid > "C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\~execwithresult.txt""
3⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe
"C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe" --getuid
4⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /S /C ""C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id66510e9929ef0tr.exe > "C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\~execwithresult.txt""
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe
"C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe" --saveinstallpath --filename=C:\Users\Admin\AppData\Local\Temp\TelamonCleaner_id66510e9929ef0tr.exe
4⤵
- Executes dropped EXE
PID:4488

C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-install.zip" -o"C:\Program Files (x86)\Telamon Cleaner\" * -r -aoa
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe
"C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe" --install --l=t
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /sc "onlogon" /tn "Telamon Cleaner" /tr "\"C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe\" --autorun" /rl "highest"
4⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Telamon Cleaner Autorun After Wake Up" /XML "C:\Program Files (x86)\Telamon Cleaner\config\autorunConfig.xml"
4⤵
- Creates scheduled task(s)
PID:3840

C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe
"C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exe
"C:\Program Files (x86)\Telamon Cleaner\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-US --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=8262455398521466789 --renderer-client-id=3 --mojo-platform-channel-handle=2864 /prefetch:1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Telamon Cleaner\Qt5Core.dll
Filesize
5.0MB

MD5
a8aadbf8569b2666ed428cac867ab3a8

SHA1
1bb02bd74b5389d81c55db271d3193ab53231a03

SHA256
cf8e93aaa512d06c33eeda299f9a9e2f03ce2579cc3019cc700c14dc712c044e

SHA512
75cf1b1257beebcaaf6e012ee79c1349bc7610fb309d07979f7d22744a14368f472db5230c18f64a2341fc8810b99417a547ae341ec39fdbcec62a7f2ec2cac0

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Gui.dll
Filesize
5.7MB

MD5
806e5fdf1b7f8bf1ff3b5b2932a9cc51

SHA1
97f72fb4962d8f4c34eee2f31c1d463dd8809a3b

SHA256
c4f002232626cb9acecd55eb83f4ffbe48a9143327ee6c80e98d3609454e2ac2

SHA512
3c7d81c87b3d2dc8765839fa3e537e87b4519ce1f303f5baed2f48e09273fb11d9b1ccc9c61613b560462de1702bcaf70157e3279bf1b9a07daca128138c8902

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Network.dll
Filesize
1.1MB

MD5
461ebc61de9df636ebedff159ee29a11

SHA1
d23a55c4497aa981f6e88a192776fa8651fc7189

SHA256
836ac6225b472b803c37ff2cee850be512007c0c4533fd01d4f3d68f901dc011

SHA512
3ed4f61fd0a05b7dc9b78b9e88f91c5cb4efd993f786f10e2c167a199802771d26e9a5cdd512520eb1924991628e4199a299d46418aadf8935a0062d75eb52e9

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Positioning.dll
Filesize
264KB

MD5
fb7361707f2a4bf54dec582fb1ea91c7

SHA1
4f592c71c076cdfedbf4ace30a34a82c858c3011

SHA256
13f5f4810e697198b044f83164d9859cd6493138e569dfe7710b64cb38f9c572

SHA512
72e59c9876cb555a6c13bc81eca424b5ee350a26e734a069563940b93d1d2c8c9c6fc70ca839f719c1825386fd4074544173d2f6dd83eb3868a8f40bcffdc772

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5PrintSupport.dll
Filesize
267KB

MD5
3ca8d13593039367ab8b3b2f65d73c85

SHA1
9ec8edb23c334b308b41347bfb1f496b08a66b6d

SHA256
b4b097fdc36b39e5461133a25eedbb4070dee28c809f1e671aaa77f0eb0bd951

SHA512
563ae51a5040623a60a5aa2db72361583858bbfbf7098d654ec39b0d5421f74f6bd8ef047ca893811d20e313c0cbb5081143bab2b4c58cea29886b249f429118

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Qml.dll
Filesize
3.0MB

MD5
6e5907142c07044dcf0a8768e119729d

SHA1
1db673acee16a92327f2d70c1f16cd79db714d8f

SHA256
4833bce18ad0dc5f2f287c52afdb8d5e821a59e9a43e1cf1f521ae7e910aab56

SHA512
3576a471d2fb81fe096db86555434cca0d86afa8a8bb7551ae96011e2e2a7d105d819f11a1d2c7eb5feeae61b15ebd2ac6f354e7a6cf31e1b1dd3c4485d67872

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5QmlModels.dll
Filesize
409KB

MD5
25f45cb9dceda77d1ba7195231e3d26b

SHA1
f20ca5c5cfd14ac89d12c5a742c6ad22062ee012

SHA256
db769c3b34bf9775543d939e574d920237d1ebd00f9e1cbd909affda2b46c252

SHA512
13be1a19e6fcf614441bf21ffa1891d61b6bb8a7a1f7b9cc321ce0b5dc35e7cbd4dfdf10741f5b13b8f571f164c3b5b1a205e92572f592b57ba6d24cc6ddfc9b

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Quick.dll
Filesize
3.5MB

MD5
7326e1eedbc7578fe74281dafe854a99

SHA1
b5a907f2dd8d637e31794a16c9451a933343fff2

SHA256
ceee311e5bce28242cc604158576d503a2d577479ac7aa89c2ca3c8af6bc6f63

SHA512
2f0cc9b22bd4d8afab11f9c84fc55be3b89db49969bc4476a900697472084e8cd17e820fe9bbfeeea270e2995fc46f10ac9f380bc97907f8a72f908803532aa1

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5QuickWidgets.dll
Filesize
64KB

MD5
f13ad9472f4e5fb5519c49057ee68342

SHA1
a391917f3af1762cf6953e7d39346eb423ede575

SHA256
9bea8e64280c8ce7452cd0e70720230ee1a84db9e839e09f7097a34467c199b0

SHA512
45f63baad32f285a2a83ac1b345ea6ca1f6dd6941f87d7ddb0199fd52397c02e9eae4e30a260e37248cb5009a0e6832996466734f407cc1683f445f17fb740b3

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5WebChannel.dll
Filesize
104KB

MD5
d8eb1fede1aa1f08d6946c17de7d3c48

SHA1
3998d1e4c4ff740109a0d870a09ff84a2d69c9de

SHA256
bcdf9970c9de4417991d69356a3259ceb7fdd03eba26ebf40d6c90fdd9eeac8f

SHA512
ee1cb44986a4aa0192dfd99c986f349f277e5ad116c68d96a48eeb1b00b01a50797299fb0deb43e87cbdf01fd6aa72c0f1196df9ef06e05466da50ea8224d37b

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5WebEngineWidgets.dll
Filesize
204KB

MD5
a215940ce5c2b159c95315e08e718467

SHA1
d45d867afe80e1b6919dafc477436ec3547bc34a

SHA256
02a7982ed67b43b258b34b3ed181da4e07947c23f2f336eb3d1b30c7f1c2d219

SHA512
c82095aca5360491c6ff9b12f4b0b75f6e44db7fe2acd48c816f294bbbab7d1ce525c189d296e896631027bf94e97c00f897a1a2d3d7045106261e0586dcec4e

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5Widgets.dll
Filesize
4.4MB

MD5
e0be43fee11c1a9ba5c1f28b2b3dc875

SHA1
2fbfd08c39fbefa4c855f1fd6f8c75748796a9cf

SHA256
a8a34fa960cd1dfb3500b5d2b486d9ad60125e2b78fa7dbb08141f3861092330

SHA512
3a150ab899569afb4c7cd29c269ff03f966217f459a03bbc4e626ca2ae772398eacf053f21dbafc74a5c48426f9bc6f4782ae039c894484f98cf786cfd3498ee

Download Submit
C:\Program Files (x86)\Telamon Cleaner\Qt5WinExtras.dll
Filesize
440KB

MD5
05116916bf374eb876bbc1cb1eb36eaa

SHA1
dca6d33eb8886c12a09157531b9b138d644afbc0

SHA256
29ac8950ee5b77f411360ecab4e4cac8b27c722b27cf1520fc2d942bf5dd2f9c

SHA512
087a072faac64ad0967a1a5d1fe49fae3165910328b6ff5a44f38e5970b9c15a2e357be03ec159206cd73928568e3b4b230e2808995f5ebc593ccf559cddd526

Download Submit
C:\Program Files (x86)\Telamon Cleaner\config\autorunConfig.xml
Filesize
3KB

MD5
7cb88d3d43729feb43d157378dd599ad

SHA1
9ec198a301c8d525eeea22072bc19e3fd644b9a1

SHA256
e2a065010539526115892ca4277c34d502498356273aca086a0a97139375bedc

SHA512
a3c5068522c7e6245d3220b8f788c1b0dafc79f0dd037ea434e1b06275032a4726e179267dd5106d4c6f4562f185588d25748ab5275612ed9317564e5c292d51

Download Submit
C:\Program Files (x86)\Telamon Cleaner\libcurl.dll
Filesize
272KB

MD5
b2233cefad05c0e103903d375bf4051d

SHA1
bf7ce266ba1b2c46e297933ff70e8f67e4d4aab5

SHA256
f18ae7bc8509d6a13231c36167fc905a40e866f5ce43aeb21a5e6db5536e8284

SHA512
c1fa1d2de28ce4748c7e9b358fd51593985cda46418ad85c964e954e31632b3bba431a7bd6b98cdd8cb37a56ace2445e8b3b92e82f360f100ff71e03d8a6d70d

Download Submit
C:\Program Files (x86)\Telamon Cleaner\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Program Files (x86)\Telamon Cleaner\tt-cleaner.exe
Filesize
4.2MB

MD5
faeba07d5d3dc41f6c3dd7944e10807d

SHA1
cb17d441a4620f5b3d5bf6532d1f4ceb417b19cb

SHA256
32f9e84d5bdcb86d2c66f877c2ebd743cb37e763c67ae39bb8d559a9efb69c96

SHA512
ee9cd5dfedeedb309fe5aa8eddd3df16104edfd1c7d274ae6a74b3e4fa76c44e484fba0e8b7d1ca8c7fa4838b6e04a14809492f897dc3ebd8158e29d38bdfb74

Download Submit
C:\Program Files (x86)\Telamon Cleaner\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Program Files (x86)\Telamon Cleaner\zlib1.dll
Filesize
71KB

MD5
5f76c6adb059326861912520f4c775ca

SHA1
88486f746af48a854245ddd165ebf7b030a0ebf1

SHA256
d985e63ddc5a5c2b1ccdf10d395a8e3e13b3cead5f0cbe688248fafb6b3560a6

SHA512
c263ce22d4922da58a400690090685d4c83fcafa82dd721002474165dd670d7f0e8febdb25e9c6b31ddab3e6915c7e2d6c10d26eee56705473e39ad2c47aa37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\7za.exe
Filesize
773KB

MD5
dfd1cf824c781069def1d239a626d43e

SHA1
bbe24cbae89166de829a7cf91eebfb518d8f45be

SHA256
31fd52f8996986623cf52c3b4d0f7ac74a9dec63fc16c902cef673eed550c435

SHA512
0413adecc5560ddb18133eec70b3a717d82738f304bdbe6eb6e2dad9ada57314c60bbd48ac0aa948af77ae76f7d522ada4f6089fffab88f882872c56bd12ca20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\idp.dll
Filesize
232KB

MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\tt-installer-helper.exe
Filesize
404KB

MD5
5b4c8e63be988b83b09e13e9d1d74bb9

SHA1
bcb242f54ee83f232df6b871aebc0f3d44e434c6

SHA256
8ae877bd5f45975d827280bee2e19021c3401b5ba069df0e556f6911798adb4d

SHA512
a31f9e24a4a27847516808b24f312d4df6b865eb421f84d8d4fc022bdb309e08e5648c52c13772a48456c578f3771d232539c7d30132a82a08e8ebbabcbffa0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-243RK.tmp\~execwithresult.txt
Filesize
77B

MD5
9d45449b32ff23a3597fa0f854816761

SHA1
d6f3a8ac51644ec2d7a335e692a2126b087465eb

SHA256
8155b74e3a55aa2028f1f13511c2e8a0bd85964f8d61f53c16de9953907c32d5

SHA512
80217029762ef2c17951c4cc4e42069cb9e04c3464d065b27150899beed3ccc60209ac90d1e0e7fbb43b66e272ef9c47508f18fb701484f26e7206c7c7218e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RJHNB.tmp\TelamonCleaner_id66510e9929ef0tr.tmp
Filesize
3.1MB

MD5
292d91bef15a5a5d5f5c06425a96e0ee

SHA1
5f4400c94ceebf54825e94cb5d9f616850331e96

SHA256
b6f6cbd03951a6feee4d4766443ce0b7623db000cbfe774146ee43f5a5831373

SHA512
0aca0538ce4c94ef9a8008846add36f51db001905f6cdb373a0348094f11762269aaf92928c6761eb41b1b22cd045ece325b9cd71c67944a1e6c092a72fca200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telamon Cleaner\Telamon Cleaner Uninstall.lnk
Filesize
2KB

MD5
8b80b5ff97bd75f3501594e912e0885e

SHA1
642a32d4f8aaa12e77527a23e36fa3ee54705cf4

SHA256
c910f20e70eb4b53befabf5d6784d5ee16137d08ec484f360ffbf340dc9f529d

SHA512
69ce3915dfd84e186418ab9a9036bc5fc1295bc95882825655a3112389cbd29d8bfab15c59c0537a9b24fcf2530c851e25b604067f902f66c6521723d4f7f590

Download Submit
memory/2512-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2512-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2512-19-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2512-538-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/4908-8-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/4908-20-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/4908-536-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/4908-220-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download
memory/4908-32-0x0000000000400000-0x0000000000729000-memory.dmp

Filesize
3.2MB

Download