File name:	TLauncher-Installer-1.5.3.exe
Full analysis:	https://app.any.run/tasks/9e3ba94b-62b0-4e89-bc0c-7f8c712f7c58
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 16, 2024, 04:21:57
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx lua stealer loader arch-scr
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	002ED4FC4D853D378C2DAF7483CA878A
SHA1:	EF4A63E8635237AEC19C95680F72E57780E1510D
SHA256:	046AD8BFC9B4D80C36D13AEBC335CCE7C9B8FAC5886DE3E9A7E476B1B9D64BF9
SSDEEP:	196608:DFmOskAh+4OaNvJN8cOuOl0e+d3bRnTEWkRo/F7z+OilEoZiGsk4pPl:DFLFAhSabiZjmnlRAoN+xlEoZ2k4

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:28 18:19:38+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	23552
InitializedDataSize:	142336
UninitializedDataSize:	-
EntryPoint:	0x2ce1
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.5.3.0
ProductVersionNumber:	2.9297.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
Comments:	TLauncher Setup
CompanyName:	TLauncher Inc.
FileDescription:	TLauncher Setup
FileVersion:	1.5.3.0
InternalName:	TLauncher
LegalCopyright:	TLauncher Copyright © 2024
LegalTrademarks:	TLauncher
OriginalFileName:	suf_launch.exe
ProductName:	TLauncher
ProductVersion:	2.9297.0.0


(PID) Process:	(5984) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5984) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5984) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5984) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(5984) irsetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:
(PID) Process:	(6336) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\360Safe\Liveup
Operation:	write	Name:	mid
Value: 80342cb959da2233832ae840f019ccba8b56b331eb673be97c52113eab1cd1bc
(PID) Process:	(6336) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360
Operation:	write	Name:	proxytype
Value: 1
(PID) Process:	(6336) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6336) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(6336) 360-installer-bro.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\360-installer-bro_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat		—
		MD5:—	SHA256:—
6344	TLauncher-Installer-1.5.3.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe		executable
		MD5:9560159D5D7BA708370FB746D1A27763	SHA256:C492565DFF407D41F4621DF3D0D5395F7438CEE6F44E70344B8E8C5FCBBCA428
6344	TLauncher-Installer-1.5.3.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll		executable
		MD5:C333AF59FA9F0B12D1CD9F6BBA111E3A	SHA256:FAD540071986C59EC40102C9CA9518A0DDCE80CF39EB2FD476BB1A7A03D6EB34
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG		image
		MD5:AABD4C083C195527E4DFBB9652EAC9BF	SHA256:A0C30C35957C6888ED69B80ED8993E0D094F180488811C83B53677B5CDE5ACA3
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG		image
		MD5:72FF9CD0DC523E907793C35C5586A4F5	SHA256:DADC512F40E10038EEC765F87E9F7914FBCDC9093CD411B3A608D8BAFEAA77ED
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP		image
		MD5:3ADF5E8387C828F62F12D2DD59349D63	SHA256:1D7A67B1C0D620506AC76DA1984449DFB9C35FFA080DC51E439ED45EECAA7EE0
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP		image
		MD5:F35117734829B05CFCEAA7E39B2B61FB	SHA256:9C893FE1AB940EE4C2424AA9DD9972E7AD3198DA670006263ECBBB5106D881E3
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG		image
		MD5:A8DF408CECD74582525FD2961F1A3401	SHA256:CA2C7D8D2CAF8793EE292F1F2116ED173A3D0677ECAFC86AC2AED6A0EC55D19E
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP		image
		MD5:F5D6A81635291E408332CC01C565068F	SHA256:4C85CDDDD497AD81FEDB090BC0F8D69B54106C226063FDC1795ADA7D8DC74E26
5984	irsetup.exe	C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG		image
		MD5:FC3F90BBE22A9C1E929E84F2DA008985	SHA256:D7006C0DE3DAFD5956E302208677AC9263E909C75692A19E76F5C8358E25B3B5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6944	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
6944	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	1.01 Kb	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	973 b	whitelisted
—	—	GET	200	104.20.36.13:443	https://dl2.tlauncher.org/check_latest_tl.php	US	text	50 b	malicious
6336	360-installer-bro.exe	GET	200	54.254.196.234:80	http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1060&pid=WW.TLauncher.CPI202307&os=10.0&mid=80342cb959da2233832ae840f019ccba&state=153	SG	—	—	whitelisted
—	—	GET	200	151.236.71.147:443	https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.TLauncher.CPI202307_6.6.0.1054.exe	RU	executable	1.42 Mb	whitelisted
6336	360-installer-bro.exe	GET	200	18.66.102.36:80	http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab	US	compressed	656 b	whitelisted
6336	360-installer-bro.exe	GET	200	54.254.196.234:80	http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEI8xL8NgABAADMOGmtgsoMZz999UsqGrj5MWvxrVJsPuVqa%2BuTEOoW7Ah3PXrFOnhF%2B%2BK0VNzH%2BS01atAKxbWI8Q7cMihbDg4TdtpHlUFmut4PuEWmb34dHqZiv63GZzJskNw68zQrpRuhsnZCLnGrnCXi3HpTPjpbKif9eqCzSB6ZR8DORso22kS%2F%2FhLAXXiKSIyLl4a%2FN0ncefWLUu8zFpyuW8sx049oEp8%2FQl56mQFKMbkctWmeCE0O8x0Q%2FfF%2BqSOAJ2aPoX3HSZsISMoeyla1UqoQvOjbEOiTyWpWJwFNQ9xdJ2s3SpL0EZAIhJ452iQhACkqolv3h50RHeGkKlZy2UvOnAYgZkLPAvkT3gsQqwMkaMKkLezp2w2gNQj4QBzQYkHPiEa4eRE9TxLZNr8utFVVeWiJedAdo7eto3HVkkv1aOlDhUW8s%2BgWSrd51YurMUw0AUw%3D	SG	—	—	whitelisted
6336	360-installer-bro.exe	GET	200	54.254.196.234:80	http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=80342cb959da2233832ae840f019ccba&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=646&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|6,HttpNum\|1,DnFailCount\|6,FStatus\|1,P2SS\|656,P2PS\|0,PDMode\|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1015&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS	SG	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6944	svchost.exe	2.16.164.49:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6944	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5984	irsetup.exe	104.20.37.13:443	dl2.tlauncher.org	CLOUDFLARENET	—	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	216.58.212.174	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.120	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
dl2.tlauncher.org	104.20.37.13 104.20.36.13	malicious
free.360totalsecurity.com	104.192.108.17 104.192.108.20 104.192.108.21	malicious
st.p.360safe.com	54.77.42.29	whitelisted
s.360safe.com	54.254.196.234 54.255.136.181	whitelisted
iup.360safe.com	18.66.102.115 18.66.102.108 18.66.102.36 18.66.102.80	whitelisted
tr.p.360safe.com	54.76.174.118	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
6336	360-installer-bro.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

TLauncher-Installer-1.5.3.exe

002ED4FC4D853D378C2DAF7483CA878A

EF4A63E8635237AEC19C95680F72E57780E1510D

046AD8BFC9B4D80C36D13AEBC335CCE7C9B8FAC5886DE3E9A7E476B1B9D64BF9

196608:DFmOskAh+4OaNvJN8cOuOl0e+d3bRnTEWkRo/F7z+OilEoZiGsk4pPl:DFLFAhSabiZjmnlRAoN+xlEoZ2k4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks for Java to be installed

Checks Windows Trust Settings

Reads Microsoft Outlook installation path

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Reads Internet Explorer settings

Creates a software uninstall entry

Starts itself from another location

Creates file in the systems drive root

The process verifies whether the antivirus software is installed

Drops 7-zip archiver for unpacking

INFO

Reads the computer name

Checks supported languages

The process uses the downloaded file

Create files in a temporary directory

Process checks computer location settings

The process uses Lua

UPX packer has been detected

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Disables trace logs

Creates files or folders in the user directory

Creates files in the program directory

Manual execution by a user

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections