Malware analysis TLauncher.exe Malicious activity | ANY.RUN

Add for printing

File name:	TLauncher.exe
Full analysis:	https://app.any.run/tasks/1b6e6946-acb3-4675-b226-773b258aeeb4
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 09, 2025, 20:01:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader java arch-doc arch-scr arch-html
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 6 sections
MD5:	545C62B3D98EE4CC02AF837A72DD09C4
SHA1:	54446A007FD9B7363D9415673B0AC0232D5D70D5
SHA256:	738029A4F974128180FA2CD239E873B01E456E8BF53BFDBF34B8BA8B57897BE4
SSDEEP:	196608:5f7ffML5vgtXB0IXf2tT2MzlHShlhmN7DGL:ulNIOtT22ShlA2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Checks for Java to be installed
  - TLauncher.exe (PID: 6056)
- Process requests binary or script from the Internet
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 5448)
  - javaw.exe (PID: 6996)
  - javaw.exe (PID: 2200)
- Process drops legitimate windows executable
  - javaw.exe (PID: 3992)
- Executable content was dropped or overwritten
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 5448)
- Reads security settings of Internet Explorer
  - javaw.exe (PID: 5448)
- Application launched itself
  - javaw.exe (PID: 5448)
  - javaw.exe (PID: 6996)
- The process drops C-runtime libraries
  - javaw.exe (PID: 3992)
- Starts CMD.EXE for commands execution
  - javaw.exe (PID: 2200)
- Uses WMIC.EXE to obtain CPU information
  - cmd.exe (PID: 1616)
- Starts application with an unusual extension
  - cmd.exe (PID: 4120)
  - cmd.exe (PID: 1476)
  - cmd.exe (PID: 1616)
INFO
- Checks supported languages
  - TLauncher.exe (PID: 6056)
  - javaw.exe (PID: 3992)
  - GameBar.exe (PID: 6204)
  - javaw.exe (PID: 6996)
  - javaw.exe (PID: 5448)
- The sample compiled with english language support
  - TLauncher.exe (PID: 6056)
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 5448)
- Application based on Java
  - javaw.exe (PID: 3992)
- Creates files or folders in the user directory
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 5448)
- Reads the machine GUID from the registry
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 5448)
- Reads the computer name
  - javaw.exe (PID: 3992)
  - GameBar.exe (PID: 6204)
  - javaw.exe (PID: 2200)
  - javaw.exe (PID: 5448)
- Create files in a temporary directory
  - javaw.exe (PID: 3992)
  - javaw.exe (PID: 2200)
  - javaw.exe (PID: 5448)
  - javaw.exe (PID: 6996)
- Creates files in the program directory
  - javaw.exe (PID: 5448)
- Changes the display of characters in the console
  - cmd.exe (PID: 1616)
  - cmd.exe (PID: 4120)
  - cmd.exe (PID: 1476)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 936)
- Reads the software policy settings
  - dxdiag.exe (PID: 4544)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (41)
.exe	\|	Win64 Executable (generic) (36.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.6)
.exe	\|	Win32 Executable (generic) (5.9)
.exe	\|	Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:03:29 09:33:15+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.22
CodeSize:	25088
InitializedDataSize:	16896
UninitializedDataSize:	36864
EntryPoint:	0x1290
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.879.0.0
ProductVersionNumber:	2.879.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	TLauncher Inc.
FileDescription:	TLauncher
FileVersion:	2.879
InternalName:	TLauncher
LegalCopyright:	TLauncher Inc.
LegalTrademarks:	-
OriginalFileName:	TLauncher.exe
ProductName:	TLauncher
ProductVersion:	2.879.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

936

wmic CPU get NAME

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

1476

cmd.exe /C chcp 437 & dxdiag /whql:off /t C:\Users\admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt

C:\Windows\System32\cmd.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

1616

cmd.exe /C chcp 437 & wmic CPU get NAME

C:\Windows\System32\cmd.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll

1944

chcp 437

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

2144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2200

C:\Users\admin\AppData\Roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe -Xmx1024m -Dfile.encoding=UTF8 -cp C:\Users\admin\AppData\Local\Temp\TLauncher.exe;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\guice\4.1.0\guice-4.1.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\inject\extentions\guice-assistedinject\4.1.0\guice-assistedinject-4.1.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\javax\inject\javax.inject\1\javax.inject-1.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\aopalliance\aopalliance\1.0\aopalliance-1.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\net\sf\jopt-simple\jopt-simple\4.9\jopt-simple-4.9.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tukaani\xz\1.5\xz-1.5.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\picture-bundle\3.72\picture-bundle-3.72.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\skin-server-API\1.0\skin-server-API-1.0.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\tlauncher\tlauncher-resource\1.4\tlauncher-resource-1.4.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\github\junrar\junrar\0.7\junrar-0.7.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\dnsjava\dnsjava\2.1.8\dnsjava-2.1.8.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\httpcomponents\fluent-hc\4.5.13\fluent-hc-4.5.13.jar;C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\logging\log4j\log4j-core\2.14.1\log4j-core-2.14.1.jar; org.tlauncher.tlauncher.rmo.TLauncher

C:\Users\admin\AppData\Roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe

javaw.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

MEDIUM

Description:

Java(TM) Platform SE binary

Version:

8.0.2810.9

Modules

Images
c:\users\admin\appdata\roaming\.tlauncher\jvms\jre1.8.0_281\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3992

"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\TLauncher.exe"

C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe

TLauncher.exe

User:

admin

Company:

Oracle Corporation

Integrity Level:

MEDIUM

Description:

Java(TM) Platform SE binary

Exit code:

Version:

8.0.2710.9

Modules

Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4120

cmd.exe /C chcp 437 & set processor

C:\Windows\System32\cmd.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

4144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

icacls.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4320

C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\icacls.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

12 622

Read events

12 483

Write events

120

Delete events

Modification events


(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionMajor
Value: 0200DD4F775FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionMinor
Value: 22006EB3795FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionBuild
Value: 616D6EB3795FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionRevision
Value: 00006EB3795FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	PreviousAppTerminationFromSuspended
Value: 006EB3795FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	CurrentDisplayMonitor
Value: 670061006D0065000000E97D7E5FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	StartupTipIndex
Value: 0100000000000000E934835FD162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionMajor
Value: 0200C1C51A61D162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionMinor
Value: 2200C1C51A61D162DB01
(PID) Process:	(6204) GameBar.exe	Key:	\REGISTRY\A\{47dd2a4e-2883-5fd3-0e5e-681c5b540e64}\LocalState
Operation:	write	Name:	InstalledVersionBuild
Value: 616DC1C51A61D162DB01

Add for printing

Executable files

175

Suspicious files

Text files

191

Unknown types

Dropped files

PID	Process	Filename		Type
3992	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\jvms\jre-8u281-windows-x64.tar.gz.tlauncherdownload		—
		MD5:—	SHA256:—
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\jvms\jre-8u281-windows-x64.tar.gz		—
		MD5:—	SHA256:—
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar		compressed
		MD5:8667A442EE77E509FBE8176B94726EB2	SHA256:734C8356420CC8E30C795D64FD1FCD5D44EA9D90342A2CC3262C5158FBC6D98B
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\log4j\log4j\1.2.17\log4j-1.2.17.jar.tlauncherdownload		java
		MD5:04A41F0A068986F0F73485CF507C0F40	SHA256:1D31696445697720527091754369082A6651BD49781B6005DEB94E56753406F9
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\org\apache\commons\commons-lang3\3.4\commons-lang3-3.4.jar.tlauncherdownload		compressed
		MD5:8667A442EE77E509FBE8176B94726EB2	SHA256:734C8356420CC8E30C795D64FD1FCD5D44EA9D90342A2CC3262C5158FBC6D98B
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\doubleRunningProtection.txt		text
		MD5:F1A961FB9F86B7A9C814BFF76CBEE31D	SHA256:152174B9B2907E2747291384EE6E62DC18C0D0E1C8EEB9ABA06C37933841A0FC
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.minecraft\tlauncher_libraries\com\google\guava\guava\19.0\guava-19.0.jar.tlauncherdownload		java
		MD5:43BFC49BDC7324F6DAAA60C1EE9F3972	SHA256:58D4CC2E05EBB012BBAC568B032F75623BE1CB6FB096F3C60C72A86F7F057DE4
3992	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\tlauncher-2.0.properties		text
		MD5:CCD12D28C23CC6E06F63A48B5764C445	SHA256:5151D6FCB0A4129007E528A190D627309A47980D45B08F72AE62976A3FCEFBC0
3992	javaw.exe	C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp		text
		MD5:B6EEE5D9BA83C600242ABFAF6FC43049	SHA256:1A46C5C1018BCFE073DF142FCDC709252BA78B5827A8C21875CE9C52F32826B9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/client/jre/windows/jre-8u281-windows-x64.tar.gz	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/com/google/guava/guava/19.0/guava-19.0.jar	unknown	—	—	whitelisted
68	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/org/apache/commons/commons-lang3/3.4/commons-lang3-3.4.jar	unknown	—	—	whitelisted
68	svchost.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/log4j/log4j/1.2.17/log4j-1.2.17.jar	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/net/sf/jopt-simple/jopt-simple/4.9/jopt-simple-4.9.jar	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/org/tlauncher/tlauncher-resource/1.4/tlauncher-resource-1.4.jar	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/com/github/junrar/junrar/0.7/junrar-0.7.jar	unknown	—	—	whitelisted
3992	javaw.exe	GET	302	104.20.37.13:80	http://res.tlauncher.org/b/libraries/org/apache/httpcomponents/fluent-hc/4.5.13/fluent-hc-4.5.13.jar	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5460	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
68	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.227.215:443	—	Ooredoo Q.S.C.	QA	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
3992	javaw.exe	104.20.37.13:80	res.tlauncher.org	CLOUDFLARENET	—	whitelisted
3992	javaw.exe	104.20.36.13:443	res.tlauncher.org	CLOUDFLARENET	—	whitelisted
68	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
68	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
68	svchost.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 4.231.128.59 51.124.78.146 20.44.239.154	whitelisted
google.com	142.250.186.110	whitelisted
res.tlauncher.org	104.20.37.13 104.20.36.13	whitelisted
cdn-cl-res.tlauncher.org	104.20.36.13 104.20.37.13	unknown
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	184.30.230.103	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 40.126.31.67 20.190.159.0 20.190.159.71 20.190.159.4 40.126.31.69 40.126.31.73 20.190.159.75	whitelisted
go.microsoft.com	23.56.254.14	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted

Threats

PID	Process	Class	Message
3992	javaw.exe	Potentially Bad Traffic	ET POLICY Vulnerable Java Version 1.8.x Detected
3992	javaw.exe	Potentially Bad Traffic	ET POLICY Vulnerable Java Version 1.8.x Detected
3992	javaw.exe	Misc activity	ET INFO JAVA - Java Archive Download By Vulnerable Client
3992	javaw.exe	Potentially Bad Traffic	ET INFO JAR Size Under 30K Size - Potentially Hostile

Add for printing

No debug info

General Info

TLauncher.exe

545C62B3D98EE4CC02AF837A72DD09C4

54446A007FD9B7363D9415673B0AC0232D5D70D5

738029A4F974128180FA2CD239E873B01E456E8BF53BFDBF34B8BA8B57897BE4

196608:5f7ffML5vgtXB0IXf2tT2MzlHShlhmN7DGL:ulNIOtT22ShlA2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Checks for Java to be installed

Process requests binary or script from the Internet

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Application launched itself

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain CPU information

Starts application with an unusual extension

INFO

Checks supported languages

The sample compiled with english language support

Application based on Java

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Changes the display of characters in the console

Reads security settings of Internet Explorer

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings