Resubmissions
  submitted         task id            score
  01-09-2024 18:17  240901-wwz9gsyejc  4
  01-09-2024 17:51  240901-we6pyayaja  4
  01-09-2024 17:40  240901-v8z9ksxcqj  8

Analysis
  max time kernel:   345s
  max time network:  340s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240802-en
  resource tags:     arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  submitted:         01-09-2024 17:40
Static task
static1
URLScan task
urlscan1
Malware Config
Signatures
Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  TLauncher-Installer-1.5.1.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation  TLauncher-Installer-1.5.1.exe
Executes dropped EXE (4 IoCs)
  pid   process
  1420  TLauncher-Installer-1.5.1.exe
  4132  irsetup.exe
  3984  TLauncher-Installer-1.5.1.exe
  2976  irsetup.exe
Loads dropped DLL (6 IoCs)
  pid   process
  4132  irsetup.exe  (3 entries)
  2976  irsetup.exe  (3 entries)

  resource                                                                      yara_rule
  behavioral1/files/0x000500000001d9e6-298.dat                                  upx
  behavioral1/memory/4132-305-0x0000000000CD0000-0x00000000010B9000-memory.dmp   upx
  behavioral1/memory/4132-998-0x0000000000CD0000-0x00000000010B9000-memory.dmp   upx
  behavioral1/memory/2976-1060-0x0000000000350000-0x0000000000739000-memory.dmp  upx
  behavioral1/memory/2976-1763-0x0000000000350000-0x0000000000739000-memory.dmp  upx
Checks for any installed AV software in registry (1 TTPs, 4 IoCs)
  description  ioc                                                         process
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast  irsetup.exe
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir            irsetup.exe
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast  irsetup.exe
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir            irsetup.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (2 IoCs)
  description   ioc                                                                                             process
  File created  \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF  chrome.exe
  File created  C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF     chrome.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TLauncher-Installer-1.5.1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  irsetup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TLauncher-Installer-1.5.1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  irsetup.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                   chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696862726026898"  chrome.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  4652  chrome.exe  (2 entries)
  2764  chrome.exe  (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid   process
  4652  chrome.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   process
  Token: SeShutdownPrivilege        4652  chrome.exe  (32 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege  4652  chrome.exe  (32 entries)
Suspicious use of FindShellTrayWindow (48 IoCs)
  pid   process
  4652  chrome.exe  (48 entries)
Suspicious use of SendNotifyMessage (26 IoCs)
  pid   process
  4652  chrome.exe  (26 entries)
Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   process
  1420  TLauncher-Installer-1.5.1.exe
  4132  irsetup.exe  (5 entries)
  3984  TLauncher-Installer-1.5.1.exe
  2976  irsetup.exe  (5 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   process     procid_target
  PID 4652 wrote to memory of 732    4652  chrome.exe  83  (2 entries)
  PID 4652 wrote to memory of 2656   4652  chrome.exe  84  (repeated)
  PID 4652 wrote to memory of 976    4652  chrome.exe  85  (2 entries)
  PID 4652 wrote to memory of 4068   4652  chrome.exe  86  (repeated)
  The 64 entries consist of these four distinct rows; the 732 and 976 rows appear twice each and the 2656 and 4068 rows account for the remaining 60.
Processes (indented entries are children of the process above them)

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4652)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tlauncher.org/en/
  signatures:
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 732)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff83db7cc40,0x7ff83db7cc4c,0x7ff83db7cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2656)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1916 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 976)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4068)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2572 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3496)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3252)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4748)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4772 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2764)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5080,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:8
      signatures:
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 428)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5200,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5236 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1944)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5244,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5376 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3640)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5188,i,11372009774783644425,288669978886522981,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5584 /prefetch:8

    C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe  (PID 1420)
      command line: "C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe"
      signatures:
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe  (PID 4132)
          command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe" "__IRCT:3" "__IRTSS:25259921" "__IRSID:S-1-5-21-1302416131-1437503476-2806442725-1000"
          signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks for any installed AV software in registry
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe  (PID 3984)
      command line: "C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe"
      signatures:
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe  (PID 2976)
          command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.5.1.exe" "__IRCT:3" "__IRTSS:25259921" "__IRSID:S-1-5-21-1302416131-1437503476-2806442725-1000"
          signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks for any installed AV software in registry
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 4752)
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (PID 2972)
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\SysWOW64\werfault.exe  (PID 3084)
  command line: werfault.exe /h /shared Global\76f19afd06e54fda95849c50a7b52a61 /t 628 /p 4132
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
649B
MD5faa2c35694acbb7f09cdb887b8beec1a
SHA160ab5b4077f8f1382554e4fa475f870ac6ba3b60
SHA256b53ecf0e953d54b234257cbd3d2e882e814596d357a076af98aafec3a76be0a0
SHA51233d7d7e1e22e60638dc1e00f620ab66dcdc9fc80a70d602114ac540f1ab654d3e438af57bf01c0d33d477e6ee00f49afcba78c1ca8bd4dc27635368d158bc74a
-
Filesize
432B
MD51985902e223c97eee2e06860e75a9b87
SHA109c405f14902dcca93de85505127622ddc621d49
SHA256c40de4228f5bd1bdd17e8ce10efb145938406c480602d90ae93bdd63a447afe0
SHA512d8a1f61956ae8a37d77b4ce3e45f99e989ce2f70e15718f74cfc6deda39bc1c9fc076712e07b52d182332a8de8a1c3490a364c33969dd214b82df2e294168ffb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD5b713879304c4c9591fe95da1dc4bcf31
SHA196aab8660e475ab3633f5ffe56049073911cb9fc
SHA25681b5d1b603ec1feb5c4ac40503c9283f8cc2d7866689d171fc0868a41f087c75
SHA5124eed9e100a3db4391c7515f83025cc9f937b6c7133dee2068fce17f0de02186f9a6f48dbc889a25760fa0f198aa51aa4b7180a6bbebe200a22b2d864055dc542
-
Filesize
3KB
MD507e8dbef72d3ad9f018ef6771c8bfc4d
SHA1638e6a8e0192f95964016398bc7f6a868b8a981a
SHA2566e3cc9b46145601934c2e284d5a6c2d6b7f3e4c75f92c212235abd52e1f02db5
SHA5125c279824032b64290c0f8146fa91153f2ed762769fcec867564fecb5c7fe7a48439482bba5743516e914c203901bb4bb2f61fd8273ab78a64bd407b830462267
-
Filesize
1KB
MD53e72e45f9b8c0628c1df6dce41dec40c
SHA144e15c8f8247c477f133e71a72fe2d1eb050d18f
SHA2567d6ab5d24812edfbcc90766a689b45dae0d1ab7e9c87f6573723e8d1ac03fd5f
SHA5127ba4c37542e53b9c1262d5350001068a3ab6106470f680901132f34a04753eb72f278f0c7ecad0e719bc91838b4206101e42634d31e6d09878b7e6ee08daa395
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5ce7ea84707fd1366de89303244b817da
SHA16d56a7b2a32e6e582bea2e223a64109796711b8c
SHA2562b22656ae292fa279bac8a229aebcb4186cb3710910d47ad55987e04f00e3fa1
SHA512f6d41169da7542448b6ce80a8294145d249957931e6ac8249a7085dab7d318dc20cbed777e7c0254dc1f35c35a36c7157f77e1d05509f1c1b6ef000aceeb387b
-
Filesize
1KB
MD5fed3ac96b78ddfec01ea4d5a114d3de9
SHA1eaac1df46a4594b1725f6abaadf513869527c343
SHA256a6528202164fbcc6ce9bd25da287b4b061493d5a7d115bf8725256e18c74fc33
SHA5120c81bf62cdcd81f64294f263cf3c18d81ada964a2d9946b7975e941988e4e66bc51894bf8f1dc8a0c6d6a29b089d7acd81234c5829cb0844699e2bfaa94004ab
-
Filesize
1KB
MD57fe70f9a2dbc8032634887ba5c8a3673
SHA17abccc7c87b21311ed8cec68c47272900cbc0d5a
SHA2566e2b54c2d68790340a7a77735dfee13ed54dca22c4562644e253d0cb58b2c2e5
SHA512fe7e89a13227ef4a5c61fe13937053b3287f028f0e95647f994d679c76b7d37f0985ea5212b468e6f1eda4dc7888fb267bede2a4c0c1f97f95066435a63cd0a8
-
Filesize
1KB
MD51823ea8c3d4775bdd835a4cce5b84ad2
SHA15afbf486c84584498b252c200c357db470958e9f
SHA2561fb84fa3ed3341c67806715697f1dc547d11fbc724aeb36c5cc9ebef090e910e
SHA5120d1597869c1dd0e650a2c6dc8874add71391e72d009da549d2f8264f690bbe7708c91eb09e6eae4c11d5a32783d6704bffbb5c0a93355432b747fdf23a371bff
-
Filesize
9KB
MD505ce74eed2bc0f32df931d0ccdb7106e
SHA1250954fccde383aafb7503caa6dad369b89da667
SHA25647c88bf93b6483f05a7e7a0e45c9c35bc6632952a21c6f1bea7ae34472a096dd
SHA512e9abf87f57ff124a1b2a533dffef2e7063c912ccbedfb1c5f9568cd133239db36a9afd965da749975267ef897e88da560856e3cdf7f7871d842e83704239c9a6
-
Filesize
10KB
MD52048e6b1eca77c5650811a0f40a2ea54
SHA151cecc8370c9241516e8c934ee64dfa0a0502eff
SHA256112398d2ea089ad36f30d8bc9bd3b23ebdb336a43306cf861e5d6cc8eab1496d
SHA51281c71a485906e955d2dfb93cac8c61f49d549653698502cec88e27a859c3461cae98eeba509e7636ac912439c62bf4bcf627a4fd546ca3724dc133b9d96a386e
-
Filesize
10KB
MD56bf5ce712c33599c927d04f078241610
SHA15b4e630a0a7eb7d4c5985b285af7df8ce83c934f
SHA256e9a7514093efd6c9323ad963f2aeb85a9f7cc900f099853bb443d70974ef6b28
SHA5128131e11d868f06ffecd1f998e7fd23784f6aaf2c88929e8e13966ebf28be5cce8adc9214cc4115421c786357a9d5df626845ebeee4b2be27c4b196a0187e7450
-
Filesize
9KB
MD5627bcd69061b0c5ec1784613c0b7e190
SHA1fc5ae00b960db0cddd67f569f7ee76617f07e5ce
SHA25637c1b166bc2c9ac527cc01d3c22ba1bfa067cb3169627ceb060af6e023886074
SHA512e0a0d095476e0e1225ccdff7090350b35f1a6ce22b492b241748ed662903b0668ae5c3f86f815a1f31e3c8649fb32a809ced83a6fb2b084f139a02063046d412
-
Filesize
10KB
MD5704649ecdd2f9ed4efe8ac43e1d1ea3a
SHA1f271b56c87592b3a9ec07f839e114e184346456d
SHA25660e9480f7b8898af8aae83ec08b3eeccb0808f1664da3e2d82fde5addba9460b
SHA512ccdf2c5c5ebe6aa3dd5b394e733c82a63b24078678ed53c6cd0410503f8114939de54dad18a914e372de826b2b1b7c2bf501788c40d945d796582d1fe7ae4f3b
-
Filesize
10KB
MD593854408e7801b4c0890fb4aa51400f3
SHA14be968e6104804186aa30dfe4635f89abd7925a3
SHA2566fb505703beb46d847e052fbbe7f279e79f56bc0a6a38622d900ced7f43c00e8
SHA512bbaa183c130d3e23f25a4331f6fffcec8b1f9706efed814f6219b558a2c6c79f5d5dbe538615b5edf4bdfd4dad7f10454014863d31d7189c5b11d21b736b28bf
-
Filesize
9KB
MD500d99dfe395e3f4c9bd7d70a5443c052
SHA16fc124f36ec41a9636a3f3fcf88a7a61bdecbcdd
SHA25623e4468ddfcb5780d9a661b49550e74b1d3a5f34cc27f327c4b26efa41e60e23
SHA51250c881173a2171638ab1d353a7628e08ce2a4f6a68dcc03b1fcdbc308592a3f872c27097ab344219bb94a197f4d3e0d6830ea37d7f21996446e85e93bfec1bc1
-
Filesize
10KB
MD50d72c78de24dee98ef22fd9a8e66282d
SHA103203cf8ff1d4b0e50aeaacedb0c14efe375d8ac
SHA2561a77825154d6c98236bedf537192ce3fcb8142ac541c172300480ed527e88a42
SHA512e51b0f5ce911a30c92961ad9936983c071346fb85c36aa74e7e61caf9093845c70085466462da084ff8f1c0052cd730300f280d88d8a8c4628b8ffc4bb1bf573
-
Filesize
10KB
MD515cb4189879c617df89c88e71a3090ff
SHA1ee3bf0acdcc5bcd6a60400d3fe53600639a80b20
SHA256d94600562421e52b48ad40239c168a4fe2d7948d03fede191f76074c7f0c2bce
SHA51272b2d8cff2beac7a90ec4ca247a953766b1c8544f6f717cfe9ebf5558fe595d0eed5b1b94eeb324d09181ded2c9daa0e3031e334bffb62efef0d4b7aa433bf03
-
Filesize
10KB
MD5d8d1eeb21e1d21a7e9c0d84aa3f40dc5
SHA1496b308ce1792742fae6fa88f24008ebba79be6d
SHA2564bf5a7e4e9308f68078ea415551b32309304f18a118a217ae6b42a6dff4acf45
SHA512a418a0592d21b409b270799da09c3f43ea4bd4c7a0b22b54740d33901fd04a6f7c44294b4593a73f574ded5b6ba72cf7f27607d843bc2431591e0b62c48e1ece
-
Filesize
10KB
MD5da6c28578e973c3aed6003364941462c
SHA1756ab1c433f536e75e895b30ec8c978dd41a5f0b
SHA25670abc229693cfe4fa3cd4cfc5b55dafe97b97ab0b5d3a87d8224768bd71cb4f0
SHA51240847345da7b25fb80535bc937b8814fc20d80e1064f358999596bbf052c5ffe9ec7c619dda887e5585de6c693c14577bbd6752b86ed1580f318a620c58df38e
-
Filesize
10KB
MD5dd12ae77569a9d832a49b0bab503dc03
SHA1c400a77a9e1b88f9d03800cb749dd50b387456d7
SHA25646f14abd0259059a5ff8a423b65b9adac856ae1da74bf8bb91745b17d1a399ad
SHA51263d38abf1cb56da695a74233af33d0ee642d488cc475cf6cd08c7b9b16f9303200a3c627df5a9f418bb1d13f5cd97e5b286051cc675b66095725ed7a8d40dec0
-
Filesize
10KB
MD53b26fa478af4a8e51239cc9a7d32d6d8
SHA1a491fa28e2a484741315e7ab3b08dce63855c242
SHA2568d1c7d899e89e73d2a25f66ce28f1f978023d1d95fbf5ea7d8895ee42b638d59
SHA512bf4f77a11e538ab6bfcabdf32556e9fff0fa7e174318195dc717085474c6b6652dba8b7cd0194f4ce5ec3c66272b2ae5e3a4f25a7d840081550d38875138f283
-
Filesize
10KB
MD59f0a91727770e5ee89bf4cecf84be973
SHA142463dc81fb363c705617eeb04818082730177c3
SHA2560d4fd811f355c14d86eff6cd48aa2709ab358735ad6b209fec03f8efe13b182d
SHA512373f024c459debcfdf6d24df31377c5c3d9e13d07e27d607afcdfbae18ba0a9d55ab8524940f55f89d964d5e0a291be4cada04a6e10ec9ed282de2c01a2faf21
-
Filesize
10KB
MD59cc722a96498560fe73f01983b1106e3
SHA17263239689d383c013d39459a5d9c803fae61886
SHA2561af88bf666860d3ffb8f6af35061065c53b77d32dbf41af5c3909b6ad4ba864b
SHA512e4b2e1ce1353db4955da5c7eaf290ca4aed1b6d65e7c51419655a1cbab796f387fb2df035ab231e3d3659739350425815b77c58daffd2160dfa6e86d4e1ea97d
-
Filesize
10KB
MD5277f481f26a2f031bd89cba790314c65
SHA1ca0c4e9c96c49c3bd24ad33846dbfa1785e537b6
SHA2569da1d82294d5293ee5ddae2d9cb955d17e105d9b9e44cd47a13625cf81bb48a1
SHA5120cfc45452767729d1789e9810a4c2b6693aa0c79bca2f67782b211e402ce9ac165443b2119ba1976202dce98cd350fe73aa522d6aa4e4def91ba5f372e5a5d2b
-
Filesize
10KB
MD5a2abb41e2099c141fc124edd4e0e66d4
SHA19755971bdee78e425a0077968bd260ca042fea51
SHA256ba673d45d7116b57f389bb317755810313cfa2aa24044e94c3a7e729dec1f008
SHA51252954d2d6342257024425da03c8ab4eedfd7dd63049a053e9970255b3848bbab5e01eab3debd46b73bb0b1c6141cde417daa36b7df3bdd3ecd7551c6d31ad93b
-
Filesize
10KB
MD52f4f49ee84c2bf11d255edb12aec66b3
SHA1ecc137508226b55ca38a86e33f99d78727fce7f6
SHA2566b23c60bb16c61ec9e2f13d0251fa025d36489e61b08c7db98e5f6ade72a9d95
SHA512c1419b46ceb0e9e02dbd3171d768297462b7c3d40e5370a82ec46a36156adcde145ec98a5bf8b86a67495914c2ce64eaac7d6d51bfa3a4d2c9a62a199573cf9a
-
Filesize
99KB
MD5335433f77fe652c2abebdac3da0fec21
SHA13b6fbadd7202f6cd8b408545fe3eee1bd7108933
SHA25615a5e3aacd0248a9850f8507f342c7e4d3f8e9cb180fa3b7bf074aacbeb9ce8c
SHA51268074dbfcddf8447259f9d0e218f45b2a978101b7613500098012d2c0a818a044a344a8ef8bdd8fac26da340bf5fa0bf8f6f1a5045cdedac78f5e3816f9312b8
-
Filesize
99KB
MD54fd819b5e4b00d687c3cc33fe7480f09
SHA1a9d48417bcab1a3611c6649762679404acbefbcc
SHA25691a56ca1028a88eb54414654118df4f8279881c9f0dc0a6608ecfacbe5b0636c
SHA512c83be0c90620291258df978b8732c9ae6c2a8ad42772820838b477c32f91ffdf10b4701aa9f8bb1987b414875358433ec73615fec5a18be5ae45480d75b7e070
-
Filesize
116KB
MD5e043a9cb014d641a56f50f9d9ac9a1b9
SHA161dc6aed3d0d1f3b8afe3d161410848c565247ed
SHA2569dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946
SHA5124ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f
-
Filesize
1.6MB
MD5199e6e6533c509fb9c02a6971bd8abda
SHA1b95e5ef6c4c5a15781e1046c9a86d7035f1df26d
SHA2564257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8
SHA51234d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579
-
Filesize
1.8MB
MD55c9fb63e5ba2c15c3755ebbef52cabd2
SHA179ce7b10a602140b89eafdec4f944accd92e3660
SHA25654ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7
SHA512262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584
-
Filesize
1.7MB
MD5dabd469bae99f6f2ada08cd2dd3139c3
SHA16714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b
SHA25689acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606
SHA5129c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915
-
Filesize
97KB
MD5da1d0cd400e0b6ad6415fd4d90f69666
SHA1de9083d2902906cacf57259cf581b1466400b799
SHA2567a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
-
Filesize
1.2MB
MD5981c6bd23ad276e43a0716eb2c2d86c2
SHA19fcf7d51c0bc47a6bbd07c98a98bcdab041cd961
SHA2566fb77e0ab35e79e357ab4172f65e58a8c8904653b088be2d867619ad66cbb309
SHA51244cc99cbea974ee1fcab4ca9a58ddaec073555c9ba202452cb579a199e63dccaf83a4b0413b54a788ae44f9cdde1c78d887661483f66eaf05ad2e42cdde1469d
-
Filesize
325KB
MD5c333af59fa9f0b12d1cd9f6bba111e3a
SHA166ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
SHA256fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
SHA5122f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4
-
Filesize
12KB
MD53adf5e8387c828f62f12d2dd59349d63
SHA1bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a
SHA2561d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0
SHA512e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be
-
Filesize
45KB
MD5bb4e23b158ae7c30af4f853b3c9549e4
SHA10b89279b32eb997bbf40c6b16ea41838fbd60455
SHA2563c1b91e8138e076eae0b3f59fb986d0315fd0afa4e91f19fcd3415c725714ccb
SHA51229692c12ae7fabc031ed1c04f6c35ae119f3eab7ff007352f01ebfc9b0d98f8f5e5b948b7629dd0882cebd72723c950379ab8e21fc5edbf170cfa711c3a63723
-
Filesize
12KB
MD5f35117734829b05cfceaa7e39b2b61fb
SHA1342ae5f530dce669fedaca053bd15b47e755adc2
SHA2569c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3
SHA5121805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471
-
Filesize
12KB
MD5f5d6a81635291e408332cc01c565068f
SHA172fa5c8111e95cc7c5e97a09d1376f0619be111b
SHA2564c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26
SHA51233333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a
-
Filesize
7.8MB
MD50851f8c0781f9736d4d998956f06273f
SHA17726f596e87922fdd6320432137555e26c258de1
SHA2564fcae9a021f0e1b4c30971959ced38556443b526ffc8061e97ed2cf113367d29
SHA512f21c5101d6dc1f7abedfd197d8e8355fe772fb85df00e2ce70d4a1d56d9b78775d7d264f973499ed20732a1330710014f41902e9da3f59fc1a70009fea4b4d88
-
Filesize
50B
MD5be27a7da181fe2e0f9daaae4c93dc291
SHA179bbf661f01c7d11916343bd98f0ec594a4c2434
SHA256ccdb663ffa26bada8c166707005ebe784ca0beb9297de2f183f662950ac8d31d
SHA512caced540aa47296317a88ac0c1a0932bfd3eced56ed653ba74e9c2b5bc0c02b20b3fb79f814a2ecfbc85f65c592ce1c0bec4495b2928b2ddbbd41300b083062e
-
Filesize
24.1MB
MD5f245d48c03c913315a2ddef555484f0f
SHA18b15789d7ea71a80e57d745531376fb9b778d750
SHA2562aab5f27a6947ef86868c5118a09743e54123444f8e846064b05277f51060723
SHA5120f6baf1e5180e82b59a91cb3079d07bfaf1520fa974ca94bed9bec2cc0bf681d5081b880fa3aacfa59add88d5bae7980cfc4d5aa95aa1ab9d8f46e66c7892a96