File name: TLauncher-Installer-1.4.9.exe

Full analysis: https://app.any.run/tasks/a0cb66f3-2f8b-417d-8fee-81d466b0789e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 07, 2024, 22:10:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealer, upx, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 79673D0CD668AC6E4ECFC7DCC4DB5B23
SHA1: 0A576F857765E759F582126F099B0C04C6C6349E
SHA256: 8535BF7F8914C54823A1B57E5977C84ADD0CAEBFC967567DCF13F8FD843B8B1D
SSDEEP: 196608:AFKpioh+4OaNvJN8cOuOl0e+d3bRnTEWkRo/F7zNvbuvFeFZh9ZNl2RSLxll5:AF9ohSabiZjmnlRAoNlbuUjZn2R8n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Actions look like stealing of personal data

      • irsetup.exe (PID: 6804)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6288)
    • Reads the date of Windows installation

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6288)
    • Executable content was dropped or overwritten

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Reads the Windows owner or organization settings

      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 6804)
    • Checks whether Java is installed

      • irsetup.exe (PID: 6804)
    • Checks Windows Trust Settings

      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Reads Internet Explorer settings

      • irsetup.exe (PID: 6804)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 6804)
  • INFO

    • Checks supported languages

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6288)
      • avast-installer-bro.exe (PID: 4664)
    • Reads the computer name

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
      • BrowserInstaller.exe (PID: 6312)
      • avast-installer-bro.exe (PID: 4664)
    • Process checks computer location settings

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6288)
    • Creates files in a temporary directory

      • TLauncher-Installer-1.4.9.exe (PID: 6568)
      • irsetup.exe (PID: 6804)
      • BrowserInstaller.exe (PID: 6312)
      • irsetup.exe (PID: 6288)
    • Process checks Internet Explorer phishing filters

      • irsetup.exe (PID: 6804)
    • UPX packer has been detected

      • irsetup.exe (PID: 6804)
    • Checks proxy server information

      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
      • avast-installer-bro.exe (PID: 4664)
    • Reads the software policy settings

      • irsetup.exe (PID: 6804)
      • irsetup.exe (PID: 6288)
    • Creates files or folders in the user directory

      • irsetup.exe (PID: 6804)
    • Creates files in the program directory

      • irsetup.exe (PID: 6804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:28 18:19:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 23552
InitializedDataSize: 142336
UninitializedDataSize: -
EntryPoint: 0x2ce1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.9.0
ProductVersionNumber: 2.923.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
Comments: TLauncher Setup
CompanyName: TLauncher Inc.
FileDescription: TLauncher Setup
FileVersion: 1.4.9.0
InternalName: TLauncher
LegalCopyright: TLauncher Copyright © 2024
LegalTrademarks: TLauncher
OriginalFileName: suf_launch.exe
ProductName: TLauncher
ProductVersion: 2.923.0.0
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

[Behavior graph, process nodes as labelled: start; tlauncher-installer-1.4.9.exe; irsetup.exe (THREAT); browserinstaller.exe; irsetup.exe; avast-installer-bro.exe; tlauncher-installer-1.4.9.exe (no specs). The interactive graph is available in the full report.]

Process information

PID: 4664
CMD: "C:\Users\admin\AppData\Local\Temp\avast-installer-bro.exe" /silent
Path: C:\Users\admin\AppData\Local\Temp\avast-installer-bro.exe
Parent process: irsetup.exe
User: admin
Company: Gen Digital Inc.
Integrity Level: HIGH
Description: Avast Installer
Exit code: 2250
Version: 2.1.125.0
Modules (Images):
  c:\users\admin\appdata\local\temp\avast-installer-bro.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6288
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe" /NOINIT /S:C:\Users\admin\AppData\Local\Temp\setuparguments.ini __IRAOFF:1679762 "__IRAFN:C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe" "__IRCT:3" "__IRTSS:1709878" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_1\irsetup.exe
Parent process: BrowserInstaller.exe
User: admin
Company: Indigo Rose Corporation
Integrity Level: HIGH
Description: Setup Application
Exit code: 0
Version: 9.6.0.1
Modules (Images):
  c:\users\admin\appdata\local\temp\_ir_sf_temp_1\irsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6312
CMD: "C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe" /NOINIT /S:C:\Users\admin\AppData\Local\Temp\setuparguments.ini
Path: C:\Users\admin\AppData\Local\Temp\BrowserInstaller.exe
Parent process: irsetup.exe
User: admin
Company: TLauncher Inc.
Integrity Level: HIGH
Description: Installer of Browser Offers in TLauncher
Exit code: 0
Version: 3.0.0.0
Modules (Images):
  c:\users\admin\appdata\local\temp\browserinstaller.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6476
CMD: "C:\Users\admin\Desktop\TLauncher-Installer-1.4.9.exe"
Path: C:\Users\admin\Desktop\TLauncher-Installer-1.4.9.exe
Parent process: explorer.exe
User: admin
Company: TLauncher Inc.
Integrity Level: MEDIUM
Description: TLauncher Setup
Exit code: 3221226540
Version: 1.4.9.0
Modules (Images):
  c:\users\admin\desktop\tlauncher-installer-1.4.9.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 6568
CMD: "C:\Users\admin\Desktop\TLauncher-Installer-1.4.9.exe"
Path: C:\Users\admin\Desktop\TLauncher-Installer-1.4.9.exe
Parent process: explorer.exe
User: admin
Company: TLauncher Inc.
Integrity Level: HIGH
Description: TLauncher Setup
Version: 1.4.9.0
Modules (Images):
  c:\users\admin\desktop\tlauncher-installer-1.4.9.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 6804
CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\admin\Desktop\TLauncher-Installer-1.4.9.exe" "__IRCT:3" "__IRTSS:25232289" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Parent process: TLauncher-Installer-1.4.9.exe
User: admin
Company: Indigo Rose Corporation
Integrity Level: HIGH
Description: Setup Application
Version: 9.6.0.1
Modules (Images):
  c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll
Total events: 24 678
Read events: 24 610
Write events: 56
Delete events: 12

Modification events

(PID) Process | Key | Operation | Name | Value
(6568) TLauncher-Installer-1.4.9.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(6568) TLauncher-Installer-1.4.9.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(6568) TLauncher-Installer-1.4.9.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(6568) TLauncher-Installer-1.4.9.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty)
(6804) irsetup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
Executable files: 15
Suspicious files: 5
Text files: 820
Unknown types: 0

Dropped files

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
Type: (not listed in the report)
MD5:
SHA256:

PID 6568, TLauncher-Installer-1.4.9.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Type: executable
MD5: F3B300079862AFF353B412D490BF5ABC
SHA256: C052CB74D9B0CE37EFBA9C018B5BCF74C51CFBDCAF990AE53CB9772EA318945A

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG5.BMP
Type: image
MD5: E3E2115B669FF7BF83E2335AD9DC20C7
SHA256: BEC04616F5E6F2313FF008BA90FDF61D1903350CED09747AABE708B89B1D2076

PID 6568, TLauncher-Installer-1.4.9.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Type: executable
MD5: C333AF59FA9F0B12D1CD9F6BBA111E3A
SHA256: FAD540071986C59EC40102C9CA9518A0DDCE80CF39EB2FD476BB1A7A03D6EB34

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
Type: image
MD5: F35117734829B05CFCEAA7E39B2B61FB
SHA256: 9C893FE1AB940EE4C2424AA9DD9972E7AD3198DA670006263ECBBB5106D881E3

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
Type: image
MD5: 3ADF5E8387C828F62F12D2DD59349D63
SHA256: 1D7A67B1C0D620506AC76DA1984449DFB9C35FFA080DC51E439ED45EECAA7EE0

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.PNG
Type: image
MD5: 66F6065F9F54487AA740E0DCAA2951B4
SHA256: 2264BCDF6498620779F0C4B8FE23DA78C7F7773D9649E0D8EFD38E6DF0CCA232

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.BMP
Type: image
MD5: F5D6A81635291E408332CC01C565068F
SHA256: 4C85CDDDD497AD81FEDB090BC0F8D69B54106C226063FDC1795ADA7D8DC74E26

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG4.PNG
Type: image
MD5: BEFEA87E5BB3FBB2E93FD23F812A7E8E
SHA256: 7E4CF8DC3FE613B14F317EA00A365841BF8A2178A691726E557F314072AE603D

PID 6804, irsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG5.PNG
Type: image
MD5: EAB779CD0FFDCCFF52A53FC83E980136
SHA256: 8F5AAEA0F6FC9980F420527C2CF120424BBD02EC1728F929572DC3B1C61FE82B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size / Reputation (remaining fields in the order the report lists them; "-" marks a field the report leaves blank)
- | - | GET | 200 | null:443 | https://tlauncher.org/installerstat.php?key=cfHGbf4fghng4T&os64bit=1&installerlang=English&vclient=2%2e923&avaststatus=666&vinstaller=1%2e4%2e9&memory=4090&os=Windows%2010&usersid=0&complang=English&diskfree=218467%2e1&error=0&errorstep=avast%2dStep%2d4%2e2250 | unknown
4664 | avast-installer-bro.exe | POST | 204 | 34.117.223.223:80 | http://v7event.stats.avast.com/cgi-bin/iavsevents.cgi | unknown | unknown
4664 | avast-installer-bro.exe | POST | 200 | 172.217.23.110:80 | http://www.google-analytics.com/collect | unknown | unknown
- | - | GET | 200 | 104.20.36.13:443 | https://dl2.tlauncher.org/check_latest_tl.php | unknown | text | 50 b
- | - | GET | 200 | 184.30.215.79:443 | https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_FREE/platform_WIN/installertype_ONLINE/build_RELEASE/cookie_mmm_msd_ppi_008_070_m | unknown | executable | 241 Kb
- | - | POST | 204 | 104.126.37.144:443 | https://www.bing.com/threshold/xls.aspx | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4936 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4060 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6804 | irsetup.exe | 104.20.36.13:443 | dl2.tlauncher.org | CLOUDFLARENET | - | unknown
6288 | irsetup.exe | 23.51.100.213:443 | bits.avcdn.net | Akamai International B.V. | US | unknown
4664 | avast-installer-bro.exe | 172.217.23.110:80 | www.google-analytics.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
dl2.tlauncher.org | 104.20.36.13, 104.20.37.13 | unknown
bits.avcdn.net | 23.51.100.213 | whitelisted
www.google-analytics.com | 172.217.23.110 | whitelisted
v7event.stats.avast.com | 34.117.223.223 | whitelisted
tlauncher.org | 104.20.37.13, 104.20.36.13 | unknown
www.bing.com | 104.126.37.163, 104.126.37.130, 104.126.37.162, 104.126.37.128, 104.126.37.153, 104.126.37.146, 104.126.37.186, 104.126.37.144 | whitelisted

Threats

No threats detected
No debug info