File name:	TLauncher-Installer-1.5.3.exe
Full analysis:	https://app.any.run/tasks/7d2e3517-dd30-4e70-a6d1-5297965ffa1f
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	October 20, 2024, 11:26:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	lua upx loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	002ED4FC4D853D378C2DAF7483CA878A
SHA1:	EF4A63E8635237AEC19C95680F72E57780E1510D
SHA256:	046AD8BFC9B4D80C36D13AEBC335CCE7C9B8FAC5886DE3E9A7E476B1B9D64BF9
SSDEEP:	196608:DFmOskAh+4OaNvJN8cOuOl0e+d3bRnTEWkRo/F7z+OilEoZiGsk4pPl:DFLFAhSabiZjmnlRAoN+xlEoZ2k4

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:28 18:19:38+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	23552
InitializedDataSize:	142336
UninitializedDataSize:	-
EntryPoint:	0x2ce1
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.5.3.0
ProductVersionNumber:	2.9297.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
Comments:	TLauncher Setup
CompanyName:	TLauncher Inc.
FileDescription:	TLauncher Setup
FileVersion:	1.5.3.0
InternalName:	TLauncher
LegalCopyright:	TLauncher Copyright © 2024
LegalTrademarks:	TLauncher
OriginalFileName:	suf_launch.exe
ProductName:	TLauncher
ProductVersion:	2.9297.0.0


(PID) Process:	(6604) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6604) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6604) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6604) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(6604) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:
(PID) Process:	(6348) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\Liveup
Operation:	write	Name:	mid
Value: 80342cb959da2233832ae840f019ccba8b56b331eb673be97c52113eab1cd1bc
(PID) Process:	(6348) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360
Operation:	write	Name:	proxytype
Value: 1
(PID) Process:	(6348) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6348) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6348) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat		—
		MD5:—	SHA256:—
300	TLauncher-Installer-1.5.3.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll		executable
		MD5:C333AF59FA9F0B12D1CD9F6BBA111E3A	SHA256:FAD540071986C59EC40102C9CA9518A0DDCE80CF39EB2FD476BB1A7A03D6EB34
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG7.PNG		image
		MD5:9E0C17B574876552AED2DB4A0CCE5E72	SHA256:7DC428825AD9ABDB0B2350E7D56228CF74631804C98DD5F69922364F43245625
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP		image
		MD5:F5D6A81635291E408332CC01C565068F	SHA256:4C85CDDDD497AD81FEDB090BC0F8D69B54106C226063FDC1795ADA7D8DC74E26
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG6.PNG		image
		MD5:2854D53C7A87DBB3B377A663EEACF0E3	SHA256:31CA2F6760A44FA5F22E6D7D61DE6CFBB0FA763AB2503AB12F44D8E7697CF509
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP		image
		MD5:F35117734829B05CFCEAA7E39B2B61FB	SHA256:9C893FE1AB940EE4C2424AA9DD9972E7AD3198DA670006263ECBBB5106D881E3
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG		image
		MD5:FC3F90BBE22A9C1E929E84F2DA008985	SHA256:D7006C0DE3DAFD5956E302208677AC9263E909C75692A19E76F5C8358E25B3B5
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG5.PNG		image
		MD5:73A1616BA13ABFF63D30467E04E83F13	SHA256:1175C8E665514D2B0CF2734A4264A3CC9112D4545EC3AA0D946CFAEBFD378592
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG4.PNG		image
		MD5:2C51595D82E5577CD86A22939AEE04B8	SHA256:268AFE86E40FA9FAE9B10010E132E2A6D524CF7D786D6F0A32E925B152B929A0
6604	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG8.PNG		image
		MD5:15F9D2BFFEF76A348C1A00F966788A29	SHA256:6060DACABE85C78EB1C928B7D020B87C98CB0CFC5AE724A833BA8BB9217D6E28

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2444	RUXIMICS.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2444	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6348	360-installer-bro.exe	GET	200	52.29.179.141:80	http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.TLauncher.CPI202307&os=10.0&mid=80342cb959da2233832ae840f019ccba&state=153	unknown	—	—	whitelisted
6348	360-installer-bro.exe	GET	200	52.29.179.141:80	http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIY58z9AABAABJDP4ioJXW%2BsSCsEOTIJB6zZhEmgfzaqBH4cFwFuOQLE03E%2F0oxnWvRLjuFP8I6%2FwcSmAX4D64%2FKZcYnhpE1x9x29FtHd9nqnd38PVI%2Bwgxt6I8uFyePIz4BWMaGXFs8Yy1XLAjPyoipOVSa3vWhelTLZrRIA2eDObn%2FqOiGH8Zjrbz7hqRZ%2BXMnwpNdtPC%2BcLn38rG9av9cjF9i%2BmpkCj3r9LWECS7Xgpb820b9pFWg7%2FmHf%2FmJTCzHZEfl9SOGave8GA0QPPELuMviVFBkwTeMp3GYNLEmAZ8AhufN86wgWwu4ZPM%2FvdNW5KccR5vYckuQ2%2Fo6rbMxc7vr5vmUmDJkacvagaiy9%2Fr8hCyhyh6bnVASBbmSYla8sDjP1oZNywAmo5746yLnKt9nw52dhW94cZ%2FcgZvpEYuEiysnGQtVNqJvUQFdbSePLn8cQjX5Y%3D	unknown	—	—	whitelisted
6348	360-installer-bro.exe	GET	200	52.29.179.141:80	http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=80342cb959da2233832ae840f019ccba&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=645&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|6,HttpNum\|1,DnFailCount\|1,FStatus\|1,P2SS\|656,P2PS\|0,PDMode\|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1016&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS	unknown	—	—	whitelisted
6348	360-installer-bro.exe	GET	—	104.192.108.21:80	http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1138.exe	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2444	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
2444	RUXIMICS.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
dl2.tlauncher.org	104.20.37.13 104.20.36.13	malicious
free.360totalsecurity.com	151.236.90.111	whitelisted
st.p.360safe.com	54.77.42.29	whitelisted
s.360safe.com	52.29.179.141 18.184.178.29	whitelisted
iup.360safe.com	91.231.239.87	whitelisted
tr.p.360safe.com	54.76.174.118	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

TLauncher-Installer-1.5.3.exe

002ED4FC4D853D378C2DAF7483CA878A

EF4A63E8635237AEC19C95680F72E57780E1510D

046AD8BFC9B4D80C36D13AEBC335CCE7C9B8FAC5886DE3E9A7E476B1B9D64BF9

196608:DFmOskAh+4OaNvJN8cOuOl0e+d3bRnTEWkRo/F7z+OilEoZiGsk4pPl:DFLFAhSabiZjmnlRAoN+xlEoZ2k4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Executable content was dropped or overwritten

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Creates a software uninstall entry

The process executes via Task Scheduler

Checks for Java to be installed

INFO

The process uses the downloaded file

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Reads the machine GUID from the registry

Process checks computer location settings

Checks supported languages

Checks proxy server information

Disables trace logs

Creates files or folders in the user directory

Creates files in the program directory

The process uses Lua

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings