8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d

Resubmissions

06-08-2024 22:57

240806-2xkhbaxbqb 8

06-08-2024 22:55

240806-2v9dnatblm 7

Analysis

max time kernel
90s
max time network
87s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-08-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.4.9.exe
Size

24.1MB
MD5

79673d0cd668ac6e4ecfc7dcc4db5b23
SHA1

0a576f857765e759f582126f099b0c04c6c6349e
SHA256

8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d
SHA512

a9d1c9d47cf67bf80a60c6250cd84151551e549a1ff179faa62381260d03d531dbd5b1df2bc83a43f71ab5a699aaf593ba6606416e3c8957b6c2fa8e3863f8c9
SSDEEP

786432:+KAWuabJBM9irrKJBH5lFRqH0fYk/pUJ8a:+KDMQPKJBZlCUfYSpUJ8

Score

8^/10

defense_evasion discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
4536	irsetup.exe
4524	TLauncher-Installer-1.4.9.exe
4816	irsetup.exe

Loads dropped DLL 6 IoCs

pid	Process
4536	irsetup.exe
4536	irsetup.exe
4536	irsetup.exe
4816	irsetup.exe
4816	irsetup.exe
4816	irsetup.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002aa5c-5.dat	upx
behavioral1/memory/4536-14-0x0000000000510000-0x00000000008F9000-memory.dmp	upx
behavioral1/memory/4536-706-0x0000000000510000-0x00000000008F9000-memory.dmp	upx
behavioral1/memory/4816-922-0x00000000006E0000-0x0000000000AC9000-memory.dmp	upx
behavioral1/memory/4816-1619-0x00000000006E0000-0x0000000000AC9000-memory.dmp	upx

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	irsetup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	irsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.4.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TLauncher-Installer-1.4.9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674587337171213"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe
Token: SeShutdownPrivilege	2104	chrome.exe
Token: SeCreatePagefilePrivilege	2104	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe
2104	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4536	irsetup.exe
4536	irsetup.exe
4536	irsetup.exe
4536	irsetup.exe
4536	irsetup.exe
4524	TLauncher-Installer-1.4.9.exe
4816	irsetup.exe
4816	irsetup.exe
4816	irsetup.exe
4816	irsetup.exe
4816	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4536	440	TLauncher-Installer-1.4.9.exe	83
PID 440 wrote to memory of 4536	440	TLauncher-Installer-1.4.9.exe	83
PID 440 wrote to memory of 4536	440	TLauncher-Installer-1.4.9.exe	83
PID 2104 wrote to memory of 4452	2104	chrome.exe	92
PID 2104 wrote to memory of 4452	2104	chrome.exe	92
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 3512	2104	chrome.exe	93
PID 2104 wrote to memory of 2304	2104	chrome.exe	94
PID 2104 wrote to memory of 2304	2104	chrome.exe	94
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95
PID 2104 wrote to memory of 3656	2104	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.4.9.exe" "__IRCT:3" "__IRTSS:25232289" "__IRSID:S-1-5-21-242286936-336880687-2152680090-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4536

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\85cc04c98f204fab82b5cd90fb1859ac /t 4684 /p 4536
1⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe43b5cc40,0x7ffe43b5cc4c,0x7ffe43b5cc58
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2108,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4280,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4444 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:1404
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff640cc4698,0x7ff640cc46a4,0x7ff640cc46b0
    3⤵
    - Drops file in Windows directory
    PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4308,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4720,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5108,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5252,i,10766387527690780897,5307040472305402180,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4680
- C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe
  "C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe" "__IRCT:3" "__IRTSS:25232289" "__IRSID:S-1-5-21-242286936-336880687-2152680090-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
6232bc8df34cfa667776a897019837d2

SHA1
5f86afc4d941bb2cdaae2276086b5e0f759765eb

SHA256
3d4583e3458fe78df0b86cba79d1da655856992a4e3066faf05fad8b94e829fe

SHA512
11e239d3da04a5c74a6aec173343374fcce89dc164fd9dd2be088abb945e973e77c041a317f29252c2c793c73c8403033367eb8eb5671fb4498936648e961ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1d4bab7bdc495b1f804f8c830c34e94e

SHA1
e3faee50b45dcfa3a744f25015407593fbb60b1c

SHA256
02d3c5d0cd665b04d8faddafbac9c6121ebe7295589f6ec438e286b7d2ec9d43

SHA512
027fa183ae023228252389a9dff6b07c79a8a2f1fc43bf98bba2906a62738e51c2af4d4294fd17f2770db2b1c46b9aa6b46af71373c0669ebc86021f9111aca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
68b7b3e1af84131644021b64e3e96ed8

SHA1
e183773834429f23b33702ab9d6acae94c814e53

SHA256
3918b909a541d6958a4223e69e9ac991c6149107ad6a08f4ed2be9cf32f2c400

SHA512
5f6e84b8e91463817fd9e327470bdfa805cbc978471ffcf5e97084d3383f450ad3f6160d9d0ed8ebf98fae0e5846618780935fe1681d96e45152eb8ff41d6d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3cec063b613a29d063a73bc24391de9a

SHA1
c650bc99d840a8214af3a6d73ec345cf976cc3f6

SHA256
3798a1609cc77141f0fb3584d039db27f0a1df9f9c1f9dc09cff7642bbc23931

SHA512
568e5ee4252a57ac9c4129702e4f1f5319f649c8697b26c3b00d0e498d9df60ba125d73dbe22207fa1fb781a50bc77bd27f8edc24c2cdfce87b948b834a554b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3226c50266a1ab39cd1600b66e5fe5f0

SHA1
92dcac1db47651e8f215cc41eaf1ed9ed6399d15

SHA256
4c473a0aa97aee28901dfd994f809c12abb8eca7a1da563c7b705ef2676042fe

SHA512
a7d980f250ebf373c7ea29553a3790f9210254f2c5a86bc2550068d666bb3ebf685a7637c581c25f14146dd8d4238547e2549a122a8158d587bc5c3d095a6ae7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
facb1651f493d54de86f647a2bde0f08

SHA1
aaa0e8feea74b85b19450afb7a6ef28b1de049b0

SHA256
b663a95106c8573b7f9707cd7de554a2f5d678b494cd3c3c506f88a9cef951c4

SHA512
a0714fbc3cf2c04cef8e0afc5334bec13a37237d0b3ea15562066d97d73881de0c124dc54eb5ebee5f7c62bbd2f96199512a698040a66dcc34a77650c5023344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
7c1226e08959d256c9c800904da57c7c

SHA1
ce73a499d773dab81c0fcbbd66133fcdfb44c1a0

SHA256
01dad2360cfd4b3cdda666512f7d4653e3a139c494d385ac47b7a78075683417

SHA512
a4f266a1f2c5fa476896df738f8476942b6c96a83bc5bd30a81defc40141a3c5428ce4cd82152de33510506aff8ecfb0f7b9ecada9e5f25d4d23e774d3a4f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
199e6e6533c509fb9c02a6971bd8abda

SHA1
b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

SHA256
4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

SHA512
34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

Filesize
1.8MB

MD5
5c9fb63e5ba2c15c3755ebbef52cabd2

SHA1
79ce7b10a602140b89eafdec4f944accd92e3660

SHA256
54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

SHA512
262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
f3b300079862aff353b412d490bf5abc

SHA1
b61ad13daa7d39a02aa1329788ece0737390a45d

SHA256
c052cb74d9b0ce37efba9c018b5bcf74c51cfbdcaf990ae53cb9772ea318945a

SHA512
d6e02701ec0990fd9a4b0e82ce69048a35ac114e7515ed2ed6a445ec9f8ad9f98287491e087a269b3e973fb55da360e2df1a516a9fa850c68cfcfaadacb2fbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.BMP

Filesize
12KB

MD5
3adf5e8387c828f62f12d2dd59349d63

SHA1
bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a

SHA256
1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0

SHA512
e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.PNG

Filesize
45KB

MD5
66f6065f9f54487aa740e0dcaa2951b4

SHA1
6ee958852ac17dd5e7ad2614f697e61dd72c2d80

SHA256
2264bcdf6498620779f0c4b8fe23da78c7f7773d9649e0d8efd38e6df0cca232

SHA512
4694bea262f6c516d51581a1c652163d9fdafbdfb7540b12b8a972cf2faa612dcf849c56b9b74d4247324e78f9ca5561205fc3ba1542c3104c1fa0986e3c5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG2.BMP

Filesize
12KB

MD5
f35117734829b05cfceaa7e39b2b61fb

SHA1
342ae5f530dce669fedaca053bd15b47e755adc2

SHA256
9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3

SHA512
1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG3.BMP

Filesize
12KB

MD5
f5d6a81635291e408332cc01c565068f

SHA1
72fa5c8111e95cc7c5e97a09d1376f0619be111b

SHA256
4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26

SHA512
33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat

Filesize
7.8MB

MD5
1ce84d00958cf602fe5212df2ee8f16b

SHA1
d2eeb31ce966b6068f7f77dca886339577fd59fb

SHA256
1b753d82577e885c1ca5643b2947295fa67c18c6bf812b811f1a729bfcbb085f

SHA512
9a7d13b72788238b3c57ede48eb164a0e1210809a6d7b9c318cd13846a59a90566f4608f09241a494f8e4415916af02ecd6bfa3fc214b5b86613930585bcf7f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_latest_tl.txt

Filesize
50B

MD5
be27a7da181fe2e0f9daaae4c93dc291

SHA1
79bbf661f01c7d11916343bd98f0ec594a4c2434

SHA256
ccdb663ffa26bada8c166707005ebe784ca0beb9297de2f183f662950ac8d31d

SHA512
caced540aa47296317a88ac0c1a0932bfd3eced56ed653ba74e9c2b5bc0c02b20b3fb79f814a2ecfbc85f65c592ce1c0bec4495b2928b2ddbbd41300b083062e

Download Submit
C:\Users\Admin\Downloads\TLauncher-Installer-1.4.9.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 948908.crdownload

Filesize
24.1MB

MD5
79673d0cd668ac6e4ecfc7dcc4db5b23

SHA1
0a576f857765e759f582126f099b0c04c6c6349e

SHA256
8535bf7f8914c54823a1b57e5977c84add0caebfc967567dcf13f8fd843b8b1d

SHA512
a9d1c9d47cf67bf80a60c6250cd84151551e549a1ff179faa62381260d03d531dbd5b1df2bc83a43f71ab5a699aaf593ba6606416e3c8957b6c2fa8e3863f8c9

Download Submit
memory/4536-682-0x0000000006D60000-0x0000000006D63000-memory.dmp

Filesize
12KB

Download
memory/4536-14-0x0000000000510000-0x00000000008F9000-memory.dmp

Filesize
3.9MB

Download
memory/4536-681-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4536-707-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4536-706-0x0000000000510000-0x00000000008F9000-memory.dmp

Filesize
3.9MB

Download
memory/4816-1589-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4816-922-0x00000000006E0000-0x0000000000AC9000-memory.dmp

Filesize
3.9MB

Download
memory/4816-1620-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4816-1619-0x00000000006E0000-0x0000000000AC9000-memory.dmp

Filesize
3.9MB

Download