File name: TLauncher-Installer-1.9.5.5.exe

Full analysis: https://app.any.run/tasks/69c3c394-f38c-4b9c-bdc0-61b40997d5e1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: February 21, 2026, 09:34:42
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: stealer, upx, lua, java, cve-2025-35250, antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: B8BFD677E1F883D7426EB926412A237E
SHA1: A481924B16C095878878D60B921FD54A588D2A6B
SHA256: 04627ACFABAE38EE0F33647D0383A1BB689215440219CF9488DB17404730F8AF
SSDEEP: 196608:R576klCN1dFZjHOaNvJN8cOuOl0e+d3bRnTEWkRo/F7z6CZhcIQ8HxL70bWXl8Ae:DYNPjuabiZjmnlRAoN7vcIV3yAii

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • irsetup.exe (PID: 2988)
    • CVE-2025-35250 has been detected

      • dxdiag.exe (PID: 5516)
  • SUSPICIOUS

    • Reads the Internet Settings

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • irsetup.exe (PID: 2988)
      • irsetup.exe (PID: 4284)
      • BrowserInstaller.exe (PID: 3376)
      • WMIC.exe (PID: 4944)
      • WMIC.exe (PID: 7016)
    • Checks for Java to be installed

      • irsetup.exe (PID: 2988)
      • TLauncher.exe (PID: 3388)
    • Reads settings of System Certificates

      • irsetup.exe (PID: 2988)
      • irsetup.exe (PID: 4284)
      • dxdiag.exe (PID: 5516)
    • Reads Internet Explorer settings

      • irsetup.exe (PID: 2988)
    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 2988)
    • Starts CMD.EXE for commands execution

      • java.exe (PID: 2068)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 5528)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5272)
    • Uses WMIC.EXE to obtain quick Fix Engineering (patches) data

      • cmd.exe (PID: 5272)
    • There is functionality for VM detection VMWare (YARA)

      • java.exe (PID: 2068)
    • The process creates files with name similar to system file names

      • java.exe (PID: 2068)
    • There is functionality for VM detection VirtualBox (YARA)

      • java.exe (PID: 2068)
    • There is functionality for VM detection antiVM strings (YARA)

      • java.exe (PID: 2068)
    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 5516)
  • INFO

    • The sample compiled with english language support

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
    • Create files in a temporary directory

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • irsetup.exe (PID: 2988)
      • BrowserInstaller.exe (PID: 3376)
      • irsetup.exe (PID: 4284)
      • javaw.exe (PID: 2476)
      • java.exe (PID: 2068)
    • Checks supported languages

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • irsetup.exe (PID: 2988)
      • irsetup.exe (PID: 4284)
      • BrowserInstaller.exe (PID: 3376)
      • javaw.exe (PID: 2476)
      • TLauncher.exe (PID: 3388)
      • chcp.com (PID: 6784)
      • chcp.com (PID: 4332)
      • java.exe (PID: 2068)
      • chcp.com (PID: 2896)
      • chcp.com (PID: 3984)
    • Reads the computer name

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • irsetup.exe (PID: 2988)
      • BrowserInstaller.exe (PID: 3376)
      • irsetup.exe (PID: 4284)
      • javaw.exe (PID: 2476)
      • java.exe (PID: 2068)
    • Reads security settings of Internet Explorer

      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • irsetup.exe (PID: 2988)
      • BrowserInstaller.exe (PID: 3376)
      • irsetup.exe (PID: 4284)
      • WMIC.exe (PID: 4944)
      • dxdiag.exe (PID: 5516)
      • WMIC.exe (PID: 7016)
    • Checks proxy server information

      • irsetup.exe (PID: 2988)
      • irsetup.exe (PID: 4284)
    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 2988)
      • irsetup.exe (PID: 4284)
      • javaw.exe (PID: 2476)
      • java.exe (PID: 2068)
    • There is functionality for taking screenshot (YARA)

      • irsetup.exe (PID: 2988)
      • TLauncher-Installer-1.9.5.5.exe (PID: 2408)
      • javaw.exe (PID: 2476)
      • java.exe (PID: 2068)
    • The process uses Lua

      • irsetup.exe (PID: 2988)
    • UPX packer has been detected

      • irsetup.exe (PID: 2988)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 2988)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 4284)
      • irsetup.exe (PID: 2988)
      • javaw.exe (PID: 2476)
      • java.exe (PID: 2068)
      • dxdiag.exe (PID: 5516)
    • Creates files in the program directory

      • irsetup.exe (PID: 2988)
      • javaw.exe (PID: 2476)
    • Application based on Java

      • javaw.exe (PID: 2476)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 6756)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 5272)
    • Reads CPU info

      • java.exe (PID: 2068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:01:05 16:18:52+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 1125376
InitializedDataSize: 576000
UninitializedDataSize: -
EntryPoint: 0xf157b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.9.5.5
ProductVersionNumber: 2.9.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: TL Setup
CompanyName: TL Inc.
FileDescription: TL Setup
FileVersion: 1.9.5.5
InternalName: TL
LegalCopyright: TL Copyright © 2026
LegalTrademarks: TL
OriginalFileName: suf_launch.exe
ProductName: TL
ProductVersion: 2.9.0.0
No data.
All screenshots are available in the full report
Total processes: 153
Monitored processes: 28
Malicious processes: 3
Suspicious processes: 4

Behavior graph

start tlauncher-installer-1.9.5.5.exe irsetup.exe browserinstaller.exe no specs irsetup.exe tlauncher.exe no specs javaw.exe icacls.exe no specs conhost.exe no specs java.exe conhost.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs chcp.com no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs chcp.com no specs #CVE-2025-35250 dxdiag.exe cmd.exe no specs conhost.exe no specs chcp.com no specs wmic.exe no specs tiworker.exe tlauncher-installer-1.9.5.5.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1636
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1736
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2064
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2068
CMD: C:\Users\admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-21.0.91-windows-x64\bin\java.exe -Dsun.java2d.uiScale.enabled=false -Xmx1536m -Dfile.encoding=UTF8 -Djava.net.preferIPv4Stack=true --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/sun.awt.image=ALL-UNNAMED --add-opens=java.desktop/sun.java2d=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.image=ALL-UNNAMED --add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.desktop/java.beans=ALL-UNNAMED --add-opens=javafx.web/com.sun.webkit.network=ALL-UNNAMED --add-opens=javafx.web/javafx.scene.web=ALL-UNNAMED --add-opens=javafx.web/com.sun.webkit=ALL-UNNAMED --add-opens=javafx.web/com.sun.webkit.event=ALL-UNNAMED -cp C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\annotations-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\aopalliance-1.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\arns-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\auth-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\aws-core-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\aws-query-protocol-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\aws-xml-protocol-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\checker-qual-3.12.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\checksums-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\checksums-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-codec-1.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-compress-1.23.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-io-2.11.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-lang3-3.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-1.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-logging-api-1.1.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\commons-vfs2-2.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\crt-core-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\desktop-common-util-1.267.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\DiscordIPC-0.5.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\dnsjava-2.1.8.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\endpoints-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\error_prone_annotations-2.18.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\eventstream-1.0.1.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\failureaccess-1.0.1.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\filters-2.0.235.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\fluent-hc-4.5.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\gson-2.13.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\guava-31.0.1-jre.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-7.0.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\guice-assistedinject-7.0.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-auth-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-auth-aws-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-auth-aws-eventstream-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-auth-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-client-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\http-download-1.267.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\httpclient-4.5.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\httpcore-4.4.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\identity-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\j2objc-annotations-1.3.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jackson-annotations-2.13.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jakarta.inject-api-2.0.1.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\java-image-scaling-0.8.6.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-base-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-controls-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-graphics-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-media-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-swing-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-21.0.9-win.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javafx-web-21.0.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\javax.annotation-api-1.3.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-api-2.3.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-core-2.3.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jaxb-impl-2.3.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jcl-over-slf4j-1.7.25.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jopt-simple-5.0.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\json-20230227.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\json-utils-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\jsr305-3.0.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-common-2.6.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\junixsocket-native-common-2.6.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\junrar-0.7.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\log4j-1.2.17.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-classic-1.2.10.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\logback-core-1.2.10.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\lombok-1.18.30.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-api-1.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svn-commons-1.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\maven-scm-provider-svnexe-1.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\metrics-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\MinecraftServerPing-1.0.2.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\mockserver-netty-no-dependencies-5.14.0.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\modpack-dto-2.282.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\picture-bundle-3.72.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\plexus-utils-1.5.6.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\profiles-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\protocol-core-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\reactive-streams-1.0.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\regexp-1.3.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\regions-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\retries-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\retries-spi-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\s3-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\sdk-core-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\skin-api-1.7.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\slf4j-api-1.7.25.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\statistics-dto-1.73.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\third-party-jackson-core-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\tlauncher-resource-1.6.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\utils-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\utils-lite-2.40.4.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\dependencies\xz-1.9.jar;C:\Users\admin\AppData\Roaming\.tlauncher\starter\original-TLauncher-2.9359.jar; org.tlauncher.tlauncher.rmo.TLauncher -starterConfig=C:\Users\admin\AppData\Roaming\.tlauncher\starter\starter.json -requireUpdate=false -currentAppVersion=2.9359 -starterDomainAvailabilityV1=C:\Users\admin\AppData\Roaming\.tlauncher\starter\domainAvailability.json -country=${country} "-starterJVM=C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -starterWorkingDirectory=C:\Users\admin\Desktop -starterJarFile=C:\Users\admin\AppData\Roaming\.minecraft\TLauncher.exe -starterFileEncoding=windows-1252
Path: C:\Users\admin\AppData\Roaming\.tlauncher\starter\jre_default\jre-21.0.91-windows-x64\bin\java.exe
Parent process: javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Version:
21.0.9.0
Modules
Images
c:\users\admin\appdata\roaming\.tlauncher\starter\jre_default\jre-21.0.91-windows-x64\bin\java.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\.tlauncher\starter\jre_default\jre-21.0.91-windows-x64\bin\jli.dll
c:\windows\system32\advapi32.dll
c:\users\admin\appdata\roaming\.tlauncher\starter\jre_default\jre-21.0.91-windows-x64\bin\vcruntime140.dll
c:\windows\system32\msvcrt.dll
PID: 2160
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2408
CMD: "C:\Users\admin\Desktop\TLauncher-Installer-1.9.5.5.exe"
Path: C:\Users\admin\Desktop\TLauncher-Installer-1.9.5.5.exe
Parent process: explorer.exe
User:
admin
Company:
TL Inc.
Integrity Level:
HIGH
Description:
TL Setup
Exit code:
0
Version:
1.9.5.5
Modules
Images
c:\users\admin\desktop\tlauncher-installer-1.9.5.5.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 2476
CMD: "C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\.minecraft\TLauncher.exe"
Path: C:\Program Files\Java\jre1.8.0_351\bin\javaw.exe
Parent process: TLauncher.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
HIGH
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.3510.10
Modules
Images
c:\program files\java\jre1.8.0_351\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 2896
CMD: chcp 437
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 2988
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:3970330 "__IRAFN:C:\Users\admin\Desktop\TLauncher-Installer-1.9.5.5.exe" "__IRCT:3" "__IRTSS:26677398" "__IRSID:S-1-5-21-166304369-59083888-3082702900-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: TLauncher-Installer-1.9.5.5.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
0
Version:
10.2.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 3376
CMD: "C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\admin\AppData\Local\Temp\setuparguments.ini
Path: C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe
Parent process: irsetup.exe
User:
admin
Company:
TLauncher Inc.
Integrity Level:
HIGH
Description:
Installer of Browser Offers in TLauncher
Exit code:
0
Version:
7.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\browserinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 30 740
Read events: 30 534
Write events: 175
Delete events: 31

Modification events

(PID) Process: (2408) TLauncher-Installer-1.9.5.5.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2408) TLauncher-Installer-1.9.5.5.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2408) TLauncher-Installer-1.9.5.5.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2408) TLauncher-Installer-1.9.5.5.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2988) irsetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 6 587

Dropped files

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
Type:
MD5:
SHA256:

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG
Type: binary
MD5: 8E7047AF311DCB9DE4A479282A055297
SHA256: 5E9D83669B32F30E992254883A54574A6ECE80C25B7B6E82924C918F1B81655E

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG7.PNG
Type: binary
MD5: 9276C6564B13C58E0566114770D9DA30
SHA256: 3F434C438794D740019F3D959FE5B9F7A996851CB271E4CDD1245E4BD1B439EE

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG
Type: binary
MD5: ADB98FA64ECE4A3E088ADDC0254CBD85
SHA256: DFCE0B1B77373B8D6607D8AC6810A37B44AE88B637EA5852FD80B8C7ADA89F11

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Type: binary
MD5: 3ADF5E8387C828F62F12D2DD59349D63
SHA256: 1D7A67B1C0D620506AC76DA1984449DFB9C35FFA080DC51E439ED45EECAA7EE0

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG5.PNG
Type: binary
MD5: D198B7C7D35AF5B0F229BB41A65A8F7B
SHA256: 7B58CEA18A836E8D607B6666355CFDE042D08350159BB851DEBF45341C36BE5C

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG6.PNG
Type: binary
MD5: 2B0B30583288CD587F1F03F3280C5621
SHA256: DF4BEBFB898469CD99C0027389780D10A6B160D3581ED99EFAA3E71A89C6D03D

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG10.PNG
Type: binary
MD5: 30B5E9744DCE4F26F61FD54F62917259
SHA256: A9287A38644850E535FD988AE8F4F0BD2CA6D0AA6D9391E7FF2D1D5253ABA097

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG11.PNG
Type: binary
MD5: A8D7EDCBEE993C7E7FF3BE0474DA7FE9
SHA256: 6972C80892A40B4A00B7EF3B8134367FA52BD224BA181C8FD6D97705FCA20F4B

PID: 2988
Process: irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG8.PNG
Type: binary
MD5: DC1CDED627678F25364FE51BFFD23DD2
SHA256: A0FD551E32BA4A818B7AF4E5BBD07412E9F848B91EE33C752D7BB18BBC6C801E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 103
DNS requests: 50
Threats: 4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4284
irsetup.exe
GET
200
104.20.7.182:443
https://tlauncher.org/installerstat.php?vinstaller=1%2e9%2e5%2e4&vclient=2%2e9&diskfree=216631%2e3&os=Windows%2011&memory=6138%2e0&installerlang=English&complang=English&key=cfHGbf4fghng4T&os64bit=1&operastatus=0&usersid=S%2d1%2d5%2d21%2d166304369%2d59083888%2d3082702900%2d1001
unknown
unknown
4080
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d09582ee1e97bc07
unknown
unknown
GET
200
184.25.50.104:80
http://www.msftconnecttest.com/connecttest.txt
unknown
unknown
3292
OfficeClickToRun.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f96c87c460a48b0c
unknown
unknown
4080
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3292
OfficeClickToRun.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
2988
irsetup.exe
GET
200
104.20.7.182:80
http://dl2.tlauncher.org/
unknown
unknown
2988
irsetup.exe
GET
200
104.20.7.182:80
http://dl2.tlauncher.org/
unknown
unknown
2988
irsetup.exe
GET
200
104.20.7.182:443
https://dl2.tlauncher.org/check_latest_tl.php?optime=0
unknown
binary
55 b
unknown
4284
irsetup.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
52.110.17.44:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.25.50.104:80
AKAMAI-ASN1
NL
whitelisted
5276
svchost.exe
95.100.70.200:443
fs.microsoft.com
AKAMAI-AS
US
whitelisted
3876
svchost.exe
239.255.255.250:1900
whitelisted
4080
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4080
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
4080
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
3292
OfficeClickToRun.exe
104.208.16.91:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3292
OfficeClickToRun.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.110.17.44
  • 52.110.17.61
  • 52.110.17.75
  • 52.110.17.54
  • 52.110.17.73
  • 52.110.17.53
  • 52.110.17.67
  • 52.110.17.74
  • 52.110.17.21
  • 52.110.17.51
  • 52.110.17.70
  • 52.110.17.60
  • 52.110.17.26
  • 52.110.17.17
  • 52.110.17.64
  • 52.110.17.59
whitelisted
google.com
  • 192.178.203.113
  • 192.178.203.101
  • 192.178.203.138
  • 192.178.203.139
  • 192.178.203.100
  • 192.178.203.102
whitelisted
fs.microsoft.com
  • 95.100.70.200
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.128
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.128
  • 20.190.159.129
  • 20.190.159.2
  • 20.190.160.22
  • 20.190.160.66
  • 20.190.160.132
  • 40.126.32.72
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.160.128
  • 40.126.32.140
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted
dl2.tlauncher.org
  • 104.20.7.182
  • 172.66.129.18
whitelisted
tlauncher.org
  • 104.20.7.182
  • 172.66.129.18
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
2476
javaw.exe
Potentially Bad Traffic
ET INFO Vulnerable Java Version 1.8.x Detected
1736
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
1184
MoUsoCoreWorker.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Process
Message
TiWorker.exe
Populating UpdatePolicy AllowList
TiWorker.exe
All policies are allowed
TiWorker.exe
SKU MDM licensing allow list string from SLAPI:
TiWorker.exe
TiWorker.exe
AboveLock|Accounts|ActiveXControls|ADMXIngest|AllowMessageSync|AppHVSI|ApplicationDefaults|AllowAllTrustedApps|AllowAppStoreAutoUpdate|AllowAutomaticAppArchiving|AllowDeveloperUnlock|AllowGameDVR|AllowSharedUserAppData|ApplicationRestrictions|Audit|ConfigureChatIcon|LaunchAppAfterLogOn|MSIAllowUserControlOverInstall|MSIAlwaysInstallWithElevatedPrivileges|RestrictAppDataToSystemVolume|RestrictAppToSystemVolume|AppRuntime|AttachmentManager|Authentication|Autoplay|BitLocker|BITS|Bluetooth|Browser|Camera|Cellular|Connectivity|ControlPolicyConflict|CredentialProviders|CredentialsDelegation|CredentialsUI|Cryptography|DataProtection|DataUsage|Defender|DeliveryOptimization|Desktop|ConfigureSystemGuardLaunch|EnableVirtualizationBasedSecurity|DeviceHealthMonitoring|DeviceInstallation|DeviceLock|Display|DmaGuard|ErrorReporting|Eap|Education|EnterpriseCloudPrint|EventLogService|AllowClipboardHistory|AllowCopyPaste|AllowCortana|AllowDeviceDiscovery|AllowManualMDMUnenrollment|AllowSaveAsOfOfficeFiles|AllowScreenCapture|AllowSharingOfOfficeFiles|AllowSIMErrorDialogPromptWhenNoSIM|AllowSyncMySettings|AllowTailoredExperiencesWithDiagnosticData|AllowTaskSwitcher|AllowThirdPartySuggestionsInWindowsSpotlight|AllowVoiceRecording|DoNotShowFeedbackNotifications|DoNotSyncBrowserSettings|AllowFindMyDevice|ExploitGuard|Feeds|FileExplorer|Games|Handwriting|HumanPresence|InternetExplorer|Kerberos|KioskBrowser|Knobs|LanmanWorkstation|Licensing|LocalPoliciesSecurityOptions|LocalUsersAndGroups|Lockdown|Maps|MemoryDump|MSSecurityGuide|MSSLegacy|Multitasking|NetworkIsolation|NetworkListManager|NewsAndInterests|Notifications|OneDrive|Power|Printers|Privacy|RemoteAssistance|RemoteDesktopServices|RemoteDesktop|RemoteManagement|RemoteProcedureCall|RemoteShell|RestrictedGroups|Search|Security|Settings|SmartScreen|Speech|Start|Storage|System|SystemServices|TaskManager|TaskScheduler|TenantRestrictions|TextInput|TimeLanguageSettings|Troubleshooting|Update|UserRights|VirtualizationBasedTechnology|WiFi|WindowsLogon|WirelessDisplay|Location|WindowsAutopilot|WindowsConnectionManager|WindowsDefenderSecurityCenter|WindowsInkWorkspace|WindowsPowerShell|WindowsSandbox|WiredNetwork|ADMX_