Analysis

  • max time kernel
    43s
  • max time network
    44s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2024, 15:27

General

  • Target

    https://tlauncher.org

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://tlauncher.org
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8568146f8,0x7ff856814708,0x7ff856814718
      2⤵
      PID:4836
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
      2⤵
      PID:4144
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2060
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      2⤵
      PID:1284
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      2⤵
      PID:3120
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      2⤵
      PID:2616
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      2⤵
      PID:3192
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4160
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
      2⤵
      PID:3432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
      2⤵
      PID:3980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5464 /prefetch:8
      2⤵
      PID:644
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      2⤵
      PID:4412
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      2⤵
      PID:4588
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
      2⤵
      PID:4032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6908 /prefetch:8
      2⤵
      PID:5160
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      2⤵
      PID:5344
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,9819824869049507081,1122442853534856362,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5452
    • C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe
      "C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5576
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe" "__IRCT:3" "__IRTSS:25260914" "__IRSID:S-1-5-21-940901362-3608833189-1915618603-1000"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5848
    • C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe
      "C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5936
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-Installer-1.5.4.exe" "__IRCT:3" "__IRTSS:25260914" "__IRSID:S-1-5-21-940901362-3608833189-1915618603-1000"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:6048
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2732
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    e55832d7cd7e868a2c087c4c73678018

                                    SHA1

                                    ed7a2f6d6437e907218ffba9128802eaf414a0eb

                                    SHA256

                                    a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

                                    SHA512

                                    897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                    Filesize

                                    152B

                                    MD5

                                    c2d9eeb3fdd75834f0ac3f9767de8d6f

                                    SHA1

                                    4d16a7e82190f8490a00008bd53d85fb92e379b0

                                    SHA256

                                    1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

                                    SHA512

                                    d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                    Filesize

                                    360B

                                    MD5

                                    241f032fe2d87a08089fa576ac200fcd

                                    SHA1

                                    fd4ad1f23310ee8620a4ddf1ffc2504fe4330df6

                                    SHA256

                                    3ac4eceed0d26fb73e20286f18f85065f4aca875da4f4d6e7276c6851e440c5c

                                    SHA512

                                    68c1a86e27c95042a9074bf421dbf94cccba5c2905dab87cc066c22fb97c9fcedc0451cf74930bd9ab2f1d9e2fa0a0bb92bcbe6eba6be9b1f094af5c9ac7ece3

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    5KB

                                    MD5

                                    9e5e11631bace2698fbb05fc57133bf9

                                    SHA1

                                    8805f8dfc8530d903b6b5a7a42bd606072800e40

                                    SHA256

                                    1520f9a641d8d6c081c2374263f6a5c6d6405eb201afc4c3cb111d189ebb58d7

                                    SHA512

                                    5776a417c28136ea9ee41832cc81e694a98b9eabe72f6f0fc103ba67a67c77762850d567cf4d18e2208526706573957f1540aea6bf7cccc14ee144fd2c2d651b

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    75f2ab120a18a59f5c9d152cf7906c53

                                    SHA1

                                    8c8fa565124058d46c823b94d9acb0a5ec9760a5

                                    SHA256

                                    86f7168ce4c49d827cdbe1fd5e113790a8c2eb8bc467f099a0c58e315ff5b776

                                    SHA512

                                    b030bc83f01818bc4e6a4afeff5a8ae7186d0bcef3e775758bf895aef13d69e68365227fe045175d103d508dd6f20fa3d65f94e26d2153826552148df1f0129c

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    3a00bd714df95405ddedd6637f491089

                                    SHA1

                                    c3bd21257ac8675c66422752c6765b69eb6d171e

                                    SHA256

                                    1df3b24cd735cf6c46ed2e916b9c694b3da076099221aaebcdda9cf313174cbc

                                    SHA512

                                    e8c7cfc13fe9a321e2a13df7c4d51ad6012a25af55dce7908afa1402110b3eed0bea76b945aa7a2f87092a65b69b63348edf84d9709297367c1048b13c6509e8

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                    Filesize

                                    6KB

                                    MD5

                                    2c5f6b1c5bdd39e191b161c8e920f243

                                    SHA1

                                    27b3d653117846c5ade4c1c6536e73c155ddc0f7

                                    SHA256

                                    b122e6e672c53bf668942d6526ef6ae8a975e1512975ad8a5b3d0b1319b6ad79

                                    SHA512

                                    5b53c1d414701a205dd2b39e774abf811cc9718f391bf25df11176276ac2674923409d0be4aef5b1ecb425e27addbfdef73338005d962a4cba1ee9b71934e378

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                    Filesize

                                    1KB

                                    MD5

                                    6e76d8fecf786936f641ccaa033777e0

                                    SHA1

                                    701ae406a08090f444b5b24261662398874143a4

                                    SHA256

                                    22c37cf9146be2575881bd5ac37fa10a568ab3ae4e5517d0474f91ce3cc8cbf7

                                    SHA512

                                    5e42737e6a7010ab8f94423a855484b057fe7cc31e5456485f19bcec711dc00d28a13a7c8de64e43454d01bc9afe2dd40d20de57ed1c5d701870bb42e54d4672

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581d57.TMP

                                    Filesize

                                    1KB

                                    MD5

                                    786f992c74338adfaf4df4a9b1e92006

                                    SHA1

                                    70e659b1a2c1b0d4a7e87c1e1340bc10473a8d48

                                    SHA256

                                    89089aabd88072026f31548da7a07c44403ddea6e7bbba585b4fe1c6675d63b9

                                    SHA512

                                    9e738b6e205839b0f18d7ffad8c8ef9f06d1d2cb3f0e99025c19613e22531fcf6ea0383284ea11f3a0374186da1d3e67cbc501da1394980d2631a60272b99512

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    56210cd33b03c94712d5f1a14de3b2b4

                                    SHA1

                                    9ae401fd9f81023bbdefb63b10e9b3d752a05b1c

                                    SHA256

                                    551caf53afe08200536955fbb9b1b7fd66e20616eea78802c20c51cfe1a6ddc7

                                    SHA512

                                    54a82ad3b7398c1f5fa40e566895f0f5578cdf46129013f30224401dd4e8ba9db4f86c63e4a446bdd183fbec4d6b7edc59657c93c78b4923f8237bd986ac9c31

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    5eb395252643919364af23c4bb7fb058

                                    SHA1

                                    cde72981427e2a4581cd169e4df5a52050ade15c

                                    SHA256

                                    e3b991cf0bde6ee13dc9386446e06ab1b94c9fbdd3583315dc8c037d6f2c1786

                                    SHA512

                                    cc8f6b14ea222ef7ae3de7065544cc0e11085c099782c9edaa6369f48b586a48c421356d5924888bfe64cddf041334e9ff7388999ea4b2cfd35dc33ba3ec85f0

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                    Filesize

                                    10KB

                                    MD5

                                    5160b26d4582433ea7119b3f1923197c

                                    SHA1

                                    4f32bc91a9ad409348efa6b8fa278e6e120e799b

                                    SHA256

                                    f438150705bbc1485be89e05a07cf0fb2751631b195fc003a650da4d1de1c5a1

                                    SHA512

                                    a024fffa900df269ac6855107d463c5d1bf985493448dc40d940c38f57995f6b36b21adfa1f549c900bfab7af214369be45f9a75f4b70fbf6304a11a938fc6c2

                                  • C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

                                    Filesize

                                    912KB

                                    MD5

                                    84df90ea9beb0df55aefdd027fe11ddb

                                    SHA1

                                    2806db62a63dae870ad85dae4f19bee69c4fb0f5

                                    SHA256

                                    1ebb1681c6539ed6f0ac7fb19027c6ff06048a505882d5bf2c71dba971ee9abf

                                    SHA512

                                    e1766eae9ca22d96bdc8d8c9d4c43b56f6ec8a60d657fd33981b0534b2d9cfb4487fde57e3538ec5a087ae573d78863573e2f60966477b85f3593bcedd7dcb20

                                  • C:\Users\Admin\AppData\Local\Temp\BrowserInstaller.exe

                                    Filesize

                                    1.6MB

                                    MD5

                                    199e6e6533c509fb9c02a6971bd8abda

                                    SHA1

                                    b95e5ef6c4c5a15781e1046c9a86d7035f1df26d

                                    SHA256

                                    4257d06e14dd5851e8ac75cd4cbafe85db8baec17eaebd8f8a983b576cd889f8

                                    SHA512

                                    34d90fa78bd5c26782d16421e634caec852ca74b85154b2a3499bc85879fc183402a7743dd64f2532b27c791df6e9dd8113cc652dcb0cdf3beae656efe79c579

                                  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

                                    Filesize

                                    116KB

                                    MD5

                                    e043a9cb014d641a56f50f9d9ac9a1b9

                                    SHA1

                                    61dc6aed3d0d1f3b8afe3d161410848c565247ed

                                    SHA256

                                    9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

                                    SHA512

                                    4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

                                  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG49.BMP

                                    Filesize

                                    1.8MB

                                    MD5

                                    5c9fb63e5ba2c15c3755ebbef52cabd2

                                    SHA1

                                    79ce7b10a602140b89eafdec4f944accd92e3660

                                    SHA256

                                    54ee86cd55a42cfe3b00866cd08defee9a288da18baf824e3728f0d4a6f580e7

                                    SHA512

                                    262c50e018fd2053afb101b153511f89a77fbcfd280541d088bbfad19a9f3e54471508da8b56c90fe4c1f489b40f9a8f4de66eac7f6181b954102c6b50bdc584

                                  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

                                    Filesize

                                    1.7MB

                                    MD5

                                    dabd469bae99f6f2ada08cd2dd3139c3

                                    SHA1

                                    6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

                                    SHA256

                                    89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

                                    SHA512

                                    9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

                                  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

                                    Filesize

                                    97KB

                                    MD5

                                    da1d0cd400e0b6ad6415fd4d90f69666

    SHA1: de9083d2902906cacf57259cf581b1466400b799
    SHA256: 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
    SHA512: f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    Filesize: 1.2MB
    MD5: 0b689a412150e3e6b39c6ec69146504e
    SHA1: b690cecdb4217d05947f46eb3720fd3c10f0ebd2
    SHA256: ee52474483d6f29d606aa7061d3c3b958d95c9c940bfab7578c75403be59d656
    SHA512: e978b873cef32a8d6a8e692cf12728bbf8089b7af67ccd972eeeab69f88a3abecc5aa1b51dcae35e28ad01152ab7c978cc4df2e9580db438bc179dc5ea9f115e

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
    Filesize: 325KB
    MD5: c333af59fa9f0b12d1cd9f6bba111e3a
    SHA1: 66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0
    SHA256: fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34
    SHA512: 2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.BMP
    Filesize: 12KB
    MD5: 3adf5e8387c828f62f12d2dd59349d63
    SHA1: bd065d74b7fa534e5bfb0fb8fb2ee1f188db9e3a
    SHA256: 1d7a67b1c0d620506ac76da1984449dfb9c35ffa080dc51e439ed45eecaa7ee0
    SHA512: e4ceb68a0a7d211152d0009cc0ef9b11537cfa8911d6d773c465cea203122f1c83496e655c9654aabe2034161e132de8714f3751d2b448a6a87d5e0dd36625be

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG1.PNG
    Filesize: 45KB
    MD5: 75ad0ac83402e7a8ecf154efa31feba1
    SHA1: db2df40416a26580c651581b4ba1a0b5b26357eb
    SHA256: e290ef30a761839e4f2ee4baab625d3466ef183d0c4e2419c08374624591a545
    SHA512: f8e268138fadc3aa3055ec445e9c4b2122811603b28e0e2b8cd360f696167810556c13c6f78217e638b37d61e7c1bd68016f64b6c0814edc54620a92749d0ec2

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG2.BMP
    Filesize: 12KB
    MD5: f35117734829b05cfceaa7e39b2b61fb
    SHA1: 342ae5f530dce669fedaca053bd15b47e755adc2
    SHA256: 9c893fe1ab940ee4c2424aa9dd9972e7ad3198da670006263ecbbb5106d881e3
    SHA512: 1805b376ab7aae87061e9b3f586e9fdef942bb32488b388856d8a96e15871238882928c75489994f9916a77e2c61c6f6629e37d1d872721d19a5d4de3e77f471

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\IRIMG3.BMP
    Filesize: 12KB
    MD5: f5d6a81635291e408332cc01c565068f
    SHA1: 72fa5c8111e95cc7c5e97a09d1376f0619be111b
    SHA256: 4c85cdddd497ad81fedb090bc0f8d69b54106c226063fdc1795ada7d8dc74e26
    SHA512: 33333761706c069d2c1396e85333f759549b1dfc94674abb612fd4e5336b1c4877844270a8126e833d0617e6780dd8a4fee2d380c16de8cbf475b23f9d512b5a

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.dat
    Filesize: 7.8MB
    MD5: 7d59406199bb0dc15868de4cd763e833
    SHA1: 11358676ae6f2f296a14bb670b5e551274bd3916
    SHA256: 92cb2f5817ff912241c24bf82139e150188c2076d9c8c624701d813e2eb29a7d
    SHA512: 132d5fd76650b0a17495da8cd76cc7382d0d208c05c0c2d9f8e9c573c280374d21c5b78468970aa5766ad944213d9943d784f27bca44bf27705c157be39e6790

  • C:\Users\Admin\AppData\Local\Temp\check_latest_tl.txt
    Filesize: 50B
    MD5: be27a7da181fe2e0f9daaae4c93dc291
    SHA1: 79bbf661f01c7d11916343bd98f0ec594a4c2434
    SHA256: ccdb663ffa26bada8c166707005ebe784ca0beb9297de2f183f662950ac8d31d
    SHA512: caced540aa47296317a88ac0c1a0932bfd3eced56ed653ba74e9c2b5bc0c02b20b3fb79f814a2ecfbc85f65c592ce1c0bec4495b2928b2ddbbd41300b083062e

  • C:\Users\Admin\Downloads\Unconfirmed 946276.crdownload
    Filesize: 24.1MB
    MD5: 18f27581ee61474a5661fb3625022df0
    SHA1: 265d21bff7bb85d42a7eb2779a75c6e1468a9a79
    SHA256: f59628d7b563e099c5769b93df66123bd2274ef43e262337b1dc0e41785faf45
    SHA512: 99dc67916fb4dc1c1ab93a98455f1db3cb3d23fb5b42f7cbf7f8f6c098ace89abd75cffb0059548409068bb7ea738584b817c9c694e724f7d7afabe487f3cc5c

  • memory/5848-1538-0x0000000010000000-0x0000000010051000-memory.dmp
    Filesize: 324KB

  • memory/5848-1599-0x0000000000C20000-0x0000000001009000-memory.dmp
    Filesize: 3.9MB

  • memory/5848-1601-0x0000000010000000-0x0000000010051000-memory.dmp
    Filesize: 324KB

  • memory/5848-189-0x0000000000C20000-0x0000000001009000-memory.dmp
    Filesize: 3.9MB

  • memory/6048-213-0x00000000007D0000-0x0000000000BB9000-memory.dmp
    Filesize: 3.9MB

  • memory/6048-1602-0x00000000007D0000-0x0000000000BB9000-memory.dmp
    Filesize: 3.9MB

  • memory/6048-1604-0x0000000010000000-0x0000000010051000-memory.dmp
    Filesize: 324KB

  • memory/6048-1560-0x0000000010000000-0x0000000010051000-memory.dmp
    Filesize: 324KB
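The dropped-file list above is only useful if it can be turned into a lookup. The script below is an added example, not part of the sandbox report and not TLauncher or IndigoRose tooling. It parses entries in the report's own layout (a file path bullet followed by Filesize / MD5 / SHA1 / SHA256 / SHA512, each on its own line or written as "Key: value"), computes the same four digests for a local file and reports which entry it matches, requiring every recorded digest to agree so that a single colliding or mistyped hash cannot produce a match. It also reads the byte length of a memory/<pid>-<n>-<start>-<end>-memory.dmp region straight from its name: 0x10051000 - 0x10000000 is 0x51000 = 331,776 bytes, exactly the 324KB the report lists for those dumps. The sample listing embedded in the script is constructed from three entries copied from the list above; the file name check_iocs.py is an assumption.

```python
"""Turn a sandbox dropped-file listing into a hash lookup (added example)."""
import hashlib
import re

HASH_FIELDS = ("MD5", "SHA1", "SHA256", "SHA512")
# Accepts both "Key" on one line with the value on the next, and "Key: value".
_FIELD_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(?:\s*:\s*(\S+))?$")
_REGION_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample in the report's layout; hashes copied from the listing above.
SAMPLE_LISTING = """
• C:\\Users\\Admin\\AppData\\Local\\Temp\\_ir_sf_temp_0\\lua5.1.dll

  Filesize

  325KB

  MD5

  c333af59fa9f0b12d1cd9f6bba111e3a

  SHA1

  66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

  SHA256

  fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

• C:\\Users\\Admin\\AppData\\Local\\Temp\\check_latest_tl.txt
  Filesize: 50B
  MD5: be27a7da181fe2e0f9daaae4c93dc291
  SHA256: ccdb663ffa26bada8c166707005ebe784ca0beb9297de2f183f662950ac8d31d

• memory/5848-1538-0x0000000010000000-0x0000000010051000-memory.dmp
  Filesize: 324KB
"""


def parse_listing(text):
    """Return one dict per bullet: {"name": ..., "Filesize": ..., "MD5": ..., ...}."""
    entries = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("•"):
            entries.append({"name": line.lstrip("• ").strip()})
        elif entries:
            m = _FIELD_RE.match(line)
            if m:
                key, value = m.group(1), m.group(2)
                if value is None and i + 1 < len(lines):  # value sits on the next line
                    i += 1
                    value = lines[i]
                entries[-1][key] = value if key == "Filesize" else value.lower()
        i += 1
    return entries


def parse_size(text):
    """'324KB' -> 331776. Report sizes are rounded, so treat the result as approximate."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def region_size(name):
    """Byte length of a memory/<pid>-<n>-<start>-<end>-memory.dmp region, else None."""
    m = _REGION_RE.match(name)
    if not m:
        return None
    return int(m.group(3), 16) - int(m.group(2), 16)


def digests(data):
    """The four digests the report records, keyed by the report's own field names."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def find_matches(data, entries):
    """Names of entries whose recorded digests all agree with `data`.

    Entries without hash fields (memory dumps) never match."""
    mine = digests(data)
    hits = []
    for e in entries:
        recorded = {k: e[k] for k in HASH_FIELDS if k in e}
        if recorded and all(mine[k] == v for k, v in recorded.items()):
            hits.append(e["name"])
    return hits


if __name__ == "__main__":
    import sys
    iocs = parse_listing(SAMPLE_LISTING)
    for e in iocs:
        size = region_size(e["name"])
        if size is not None:
            print(f"{e['name']}: {size} bytes ({size / 1024:.0f}KB)")
    for path in sys.argv[1:]:  # usage: python check_iocs.py <file> [<file> ...]
        with open(path, "rb") as f:
            print(path, "->", find_matches(f.read(), iocs) or "no match")
```

To use it against the full report, paste the whole dropped-file list into SAMPLE_LISTING (or read it from a file) and pass the files to check on the command line; a Downloads artifact that matches the 24.1MB .crdownload entry by all four digests is the same bytes the sandbox saw.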