File name: suf_launch.exe

Full analysis: https://app.any.run/tasks/df9f24ba-5a5c-4d52-8cb3-4a0fd20429b1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 27, 2025, 16:17:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, upx, lua, loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 32DD596FAF1A51668AC1CA7ED3D1ACC4
SHA1: EA86CB6CB2C90281792A1924A18BAAFF5AF28D8B
SHA256: 5CBAE5501E6CC897884DC74BC7F563DE5E9D61F15AC6A3F082301344EE007FE7
SSDEEP: 196608:uIMjFltgd2BL/YuN1dFZPZVOaNvJN8cOuOl0e+d3bRnTEWkRo/F7z6EQ2hgFfhT/:StHMuNPRgabiZjmnlRAoN5LhiJTwRXU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • irsetup.exe (PID: 4864)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
      • opera-installer-bro.exe (PID: 1976)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 5884)
      • setup.exe (PID: 6292)
      • setup.exe (PID: 2980)
      • setup.exe (PID: 3932)
    • Reads security settings of Internet Explorer

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
    • Checks for Java to be installed

      • irsetup.exe (PID: 4864)
    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 4864)
    • There is functionality for taking screenshot (YARA)

      • suf_launch.exe (PID: 6808)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 4864)
      • setup.exe (PID: 5884)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 3932)
      • setup.exe (PID: 2980)
    • Reads Internet Explorer settings

      • irsetup.exe (PID: 4864)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 4864)
    • Application launched itself

      • setup.exe (PID: 6408)
      • setup.exe (PID: 2980)
    • Starts itself from another location

      • setup.exe (PID: 6408)
  • INFO

    • The sample compiled with English language support

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • opera-installer-bro.exe (PID: 1976)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 5884)
      • setup.exe (PID: 6292)
      • setup.exe (PID: 2980)
      • setup.exe (PID: 3932)
    • Reads the computer name

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 2980)
    • Process checks computer location settings

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
    • Create files in a temporary directory

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
      • opera-installer-bro.exe (PID: 1976)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 5884)
      • setup.exe (PID: 6292)
      • setup.exe (PID: 2980)
      • setup.exe (PID: 3932)
    • Checks supported languages

      • suf_launch.exe (PID: 6808)
      • irsetup.exe (PID: 4864)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
      • opera-installer-bro.exe (PID: 1976)
      • setup.exe (PID: 5884)
      • setup.exe (PID: 6292)
      • setup.exe (PID: 2980)
      • setup.exe (PID: 3932)
    • The sample compiled with Portuguese language support

      • suf_launch.exe (PID: 6808)
      • BrowserInstaller.exe (PID: 4124)
      • irsetup.exe (PID: 4864)
    • Checks proxy server information

      • irsetup.exe (PID: 4864)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
      • slui.exe (PID: 4552)
    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 4864)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
    • Reads the software policy settings

      • irsetup.exe (PID: 4864)
      • irsetup.exe (PID: 5188)
      • setup.exe (PID: 6408)
      • slui.exe (PID: 4552)
    • UPX packer has been detected

      • irsetup.exe (PID: 4864)
      • irsetup.exe (PID: 5188)
    • The process uses Lua

      • irsetup.exe (PID: 4864)
      • irsetup.exe (PID: 5188)
    • Creates files in the program directory

      • irsetup.exe (PID: 4864)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 4864)
      • setup.exe (PID: 6408)
      • setup.exe (PID: 5884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:25 15:19:56+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 1125376
InitializedDataSize: 576000
UninitializedDataSize: -
EntryPoint: 0xf165b
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.8.8.0
ProductVersionNumber: 2.9334.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: TLauncher Setup
CompanyName: TLauncher Inc.
FileDescription: TLauncher Setup
FileVersion: 1.8.8.0
InternalName: TLauncher
LegalCopyright: TLauncher Copyright © 2025
LegalTrademarks: TLauncher
OriginalFileName: suf_launch.exe
ProductName: TLauncher
ProductVersion: 2.9334.0.0
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 13
Malicious processes: 2
Suspicious processes: 5

Behavior graph

Processes in the graph: suf_launch.exe, irsetup.exe, browserinstaller.exe, irsetup.exe, slui.exe, opera-installer-bro.exe, setup.exe, setup.exe, setup.exe, setup.exe, setup.exe, svchost.exe, suf_launch.exe

Process information

Each process is listed with its PID, command line, image path and parent process, followed by user, company, integrity level, description, exit code (where the process terminated), version and the first loaded modules.
PID: 1976
CMD: "C:\Users\admin\AppData\Local\Temp\opera-installer-bro.exe" --silent --allusers=0
Path: C:\Users\admin\AppData\Local\Temp\opera-installer-bro.exe
Parent process: irsetup.exe
User:
admin
Integrity Level:
HIGH
Description:
Opera installer SFX
Version:
120.0.5543.106
Modules
Images
c:\users\admin\appdata\local\temp\opera-installer-bro.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2980
CMD: "C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe" --backend --install --import-browser-data=0 --enable-crash-reporting=1 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --showunbox=0 --installfolder="C:\Users\admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=6408 --package-dir-prefix="C:\Users\admin\AppData\Local\Temp\.opera\0661519f-a5dd-40d0-9044-67fe3e7fd258 Opera GX Installer Temp\opera_package_20250727161850" --session-guid=fc7b609f-8f09-48a3-ac0c-e562ce3fdd8f --server-tracking-blob=... --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=1C09000000000000
Path: C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Version:
120.0.5543.106
Modules
Images
c:\users\admin\appdata\local\temp\7zs8b7ea489\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 3148
CMD: "C:\Users\admin\Desktop\suf_launch.exe"
Path: C:\Users\admin\Desktop\suf_launch.exe
Parent process: explorer.exe
User:
admin
Company:
TLauncher Inc.
Integrity Level:
MEDIUM
Description:
TLauncher Setup
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version:
1.8.8.0
Modules
Images
c:\users\admin\desktop\suf_launch.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 3932
CMD: C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=120.0.5543.106 --initial-client-data=0x2a0,0x2a4,0x2a8,0x274,0x2ac,0x7ffc42f9be08,0x7ffc42f9be14,0x7ffc42f9be20
Path: C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Version:
120.0.5543.106
Modules
Images
c:\users\admin\appdata\local\temp\7zs8b7ea489\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4124
CMD: "C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\admin\AppData\Local\Temp\setuparguments.ini
Path: C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe
Parent process: irsetup.exe
User:
admin
Company:
TLauncher Inc.
Integrity Level:
HIGH
Description:
Installer of Browser Offers in TLauncher
Version:
7.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\browserinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4552
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4864
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:3933458 "__IRAFN:C:\Users\admin\Desktop\suf_launch.exe" "__IRCT:3" "__IRTSS:26631380" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: suf_launch.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Version:
10.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5188
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:3839250 "__IRAFN:C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:3869932" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Parent process: BrowserInstaller.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Version:
10.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_1\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5884
CMD: C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=120.0.5543.106 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ffc4515be08,0x7ffc4515be14,0x7ffc4515be20
Path: C:\Users\admin\AppData\Local\Temp\7zS8B7EA489\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Version:
120.0.5543.106
Modules
Images
c:\users\admin\appdata\local\temp\7zs8b7ea489\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 17 751
Read events: 17 711
Write events: 28
Delete events: 12

Modification events

(PID) Process: (4864) irsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4864) irsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4864) irsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4864) irsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection
Value: (empty)

(PID) Process: (4864) irsetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Value: (empty)

(PID) Process: (4864) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TLauncher
Operation: write
Name: URLInfoAbout
Value: https://tlauncher.org/

(PID) Process: (4864) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TLauncher
Operation: write
Name: HelpLink
Value: https://tlauncher.org/

(PID) Process: (4864) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TLauncher
Operation: write
Name: Contact
Value: TLauncher Inc.

(PID) Process: (4864) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TLauncher
Operation: write
Name: DisplayVersion
Value: 2.9334

(PID) Process: (4864) irsetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\TLauncher
Operation: write
Name: RegOwner
Value: TLauncher Inc.
Executable files: 22
Suspicious files: 7
Text files: 652
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | -
MD5: (not available)
SHA256: (not available)

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG | image
MD5: 3BEECC6C3706DC3C982E1766AD6D2DC1
SHA256: 11AF515015BFB2DF00BE8275EACED0B08F0F48BEA6A9B12ED0480942E53E3211

6808 | suf_launch.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.3.dll | executable
MD5: 4EED99FD77F4FF9C252F56E153F9C9AB
SHA256: B78F7178B201D3CF4ECFD83226F2B8CC774891442882695751A218B597658E30

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP | image
MD5: F35117734829B05CFCEAA7E39B2B61FB
SHA256: 9C893FE1AB940EE4C2424AA9DD9972E7AD3198DA670006263ECBBB5106D881E3

6808 | suf_launch.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | executable
MD5: 84A686F92CE76C7BDA36D07AD932A70C
SHA256: B115AEFB1FFD7CBA7E15E69E0F3FF4BFF977D851164F505A8A2BB6D4CCABE358

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP | image
MD5: 3ADF5E8387C828F62F12D2DD59349D63
SHA256: 1D7A67B1C0D620506AC76DA1984449DFB9C35FFA080DC51E439ED45EECAA7EE0

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG8.PNG | image
MD5: CB043D68F9732E9DF25BC1391170701E
SHA256: CB367FDB5C690994BF797DE5B8A3BBF058FFB747B16431940CA86C06136646AD

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG4.BMP | image
MD5: C87F44BE2C13B601E3C6C2D2FE07A60A
SHA256: 64DA5BD044908B2C3A725C5A55EDEC1644BE498F41EA05D42A6AE8CD797F1D80

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG9.PNG | image
MD5: B4856BB45B58AB3DECE790C6D428CEF1
SHA256: D8DA172E560CDF67C2834B1D52E0FCB0E6C672FF36F7F76D2F568E871B2CA528

4864 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG6.BMP | image
MD5: E3E2115B669FF7BF83E2335AD9DC20C7
SHA256: BEC04616F5E6F2313FF008BA90FDF61D1903350CED09747AABE708B89B1D2076
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 36
DNS requests: 16
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4540 | RUXIMICS.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.110.211:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4540 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4864 | irsetup.exe | GET | 200 | 172.66.129.18:80 | http://dl2.tlauncher.org/ | unknown | - | - | malicious
- | - | GET | 200 | 104.20.7.182:443 | https://dl2.tlauncher.org/check_latest_tl.php?optime=0 | unknown | text | 55 b | unknown
4864 | irsetup.exe | GET | 200 | 172.66.129.18:80 | http://dl2.tlauncher.org/ | unknown | - | - | malicious
- | - | GET | 200 | 18.185.195.146:443 | https://net.geo.opera.com/opera_gx/stable/edition/std-2/?utm_source=MSTL&utm_medium=pb&utm_campaign=OperaGX | unknown | executable | 4.22 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4540 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4540 | RUXIMICS.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.55.110.211:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4540 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.106.86.13 | whitelisted
google.com | 142.250.185.206 | whitelisted
crl.microsoft.com | 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
dl2.tlauncher.org | 172.66.129.18, 104.20.7.182 | unknown
net.geo.opera.com | 185.26.182.112, 185.26.182.111 | whitelisted
self.events.data.microsoft.com | 51.104.15.252 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
desktop-netinstaller-sub.osp.opera.software | 82.145.217.121 | whitelisted
autoupdate.opera.com | 185.26.182.123, 185.26.182.124 | whitelisted

Threats

PID and process were not attributed for these alerts.

Class | Message
Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Misc activity | ET INFO EXE - Served Attached HTTP
Potential Corporate Privacy Violation | ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
Misc activity | ET INFO EXE - Served Attached HTTP
Potential Corporate Privacy Violation | ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
No debug info