URL:

https://tlauncher.org/installer

Full analysis: https://app.any.run/tasks/5fbc255c-f2e1-4ca6-91a7-f71b4bdf3455
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 21, 2024, 21:57:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
java
arch-doc
arch-html
arch-scr
loader
upx
lua
Indicators:
MD5:

F5818708A23ED11C618056110D380758

SHA1:

54790604A2BD759EBCCAF7CCE7EFB49CE24FCEAA

SHA256:

B4C6549734FB3075A2AE0A3ED4106A25D1A79981A00321E959B20FDE6B4644BD

SSDEEP:

3:N8BEeLu5MiqOXn:2K5kOXn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)
      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • Reads security settings of Internet Explorer

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)
      • javaw.exe (PID: 6924)
      • GameBar.exe (PID: 2736)
      • java.exe (PID: 4428)

    • Checks for Java to be installed

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • TLauncher.exe (PID: 6908)

    • Checks Windows Trust Settings

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)

    • Reads Microsoft Outlook installation path

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)

    • Reads Internet Explorer settings

      • irsetup.exe (PID: 7140)
      • irsetup.exe (PID: 2612)

    • Creates a software uninstall entry

      • irsetup.exe (PID: 7140)

    • Process drops legitimate windows executable

      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • The process drops C-runtime libraries

      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 1416)
      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 6812)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 2904)

    • Process requests binary or script from the Internet

      • java.exe (PID: 4428)

    • Starts CMD.EXE for commands execution

      • java.exe (PID: 4428)

    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 3828)

    • Uses WMIC.EXE to obtain quick Fix Engineering (patches) data

      • cmd.exe (PID: 6812)

    • The process creates files with name similar to system file names

      • java.exe (PID: 4428)

  • INFO

    • The sample compiled with english language support

      • chrome.exe (PID: 3608)
      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)
      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3608)

    • Application launched itself

      • chrome.exe (PID: 3608)

    • Checks supported languages

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • BrowserInstaller.exe (PID: 6872)
      • irsetup.exe (PID: 6784)
      • TLauncher.exe (PID: 6908)
      • GameBar.exe (PID: 2736)
      • java.exe (PID: 4428)
      • javaw.exe (PID: 6924)
      • chcp.com (PID: 6608)
      • chcp.com (PID: 5856)
      • chcp.com (PID: 3208)
      • chcp.com (PID: 6464)

    • The process uses the downloaded file

      • chrome.exe (PID: 2796)
      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • chrome.exe (PID: 3608)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)

    • Create files in a temporary directory

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 7140)
      • irsetup.exe (PID: 2612)
      • BrowserInstaller.exe (PID: 6872)
      • irsetup.exe (PID: 6784)
      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • Reads the computer name

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • irsetup.exe (PID: 2612)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)
      • irsetup.exe (PID: 6784)
      • javaw.exe (PID: 6924)
      • GameBar.exe (PID: 2736)
      • java.exe (PID: 4428)

    • Process checks computer location settings

      • TLauncher-Installer-1.5.8.exe (PID: 7084)
      • TLauncher-Installer-1.5.8.exe (PID: 5872)
      • irsetup.exe (PID: 7140)
      • BrowserInstaller.exe (PID: 6872)
      • java.exe (PID: 4428)

    • Checks proxy server information

      • irsetup.exe (PID: 7140)
      • irsetup.exe (PID: 2612)

    • Reads the software policy settings

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • dxdiag.exe (PID: 3828)

    • Reads the machine GUID from the registry

      • irsetup.exe (PID: 2612)
      • irsetup.exe (PID: 7140)
      • javaw.exe (PID: 6924)
      • java.exe (PID: 4428)

    • Creates files in the program directory

      • irsetup.exe (PID: 7140)
      • javaw.exe (PID: 6924)

    • Creates files or folders in the user directory

      • irsetup.exe (PID: 7140)
      • java.exe (PID: 4428)
      • javaw.exe (PID: 6924)
      • dxdiag.exe (PID: 3828)

    • The process uses Lua

      • irsetup.exe (PID: 2612)

    • UPX packer has been detected

      • irsetup.exe (PID: 2612)

    • Application based on Java

      • javaw.exe (PID: 6924)

    • Reads CPU info

      • java.exe (PID: 4428)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2904)
      • cmd.exe (PID: 1416)
      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 6812)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3540)
      • dxdiag.exe (PID: 3828)
      • WMIC.exe (PID: 4164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
177
Monitored processes
43
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs tlauncher-installer-1.5.8.exe no specs tlauncher-installer-1.5.8.exe irsetup.exe tlauncher-installer-1.5.8.exe no specs tlauncher-installer-1.5.8.exe irsetup.exe browserinstaller.exe irsetup.exe no specs tlauncher.exe no specs javaw.exe icacls.exe no specs conhost.exe no specs gamebarpresencewriter.exe no specs gamebar.exe no specs java.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs chcp.com no specs dxdiag.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs wmic.exe no specs tiworker.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
420\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1292\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1416cmd.exe /C chcp 437 & set processorC:\Windows\System32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1804"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4804 --field-trial-handle=1860,i,11339847900177568429,14936913481872190832,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2088C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
2612"C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1776394 "__IRAFN:C:\Users\admin\Downloads\TLauncher-Installer-1.5.8.exe" "__IRCT:3" "__IRTSS:25358014" "__IRSID:S-1-5-21-1693682860-607145093-2874071422-1001"C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
TLauncher-Installer-1.5.8.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
Setup Application
Exit code:
5
Version:
9.7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\_ir_sf_temp_0\irsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
2736"C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe" -ServerName:App.AppXbdkk0yrkwpcgeaem8zk81k8py1eaahny.mcaC:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files\windowsapps\microsoft.xboxgamingoverlay_2.34.28001.0_x64__8wekyb3d8bbwe\gamebar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vccorlib140_app.dll
c:\windows\system32\oleaut32.dll
c:\program files\windowsapps\microsoft.vclibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vcruntime140_app.dll
2796"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5816 --field-trial-handle=1860,i,11339847900177568429,14936913481872190832,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2904cmd.exe /C chcp 437 & wmic CPU get NAMEC:\Windows\System32\cmd.exejava.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
3208chcp 437 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Total events
29 368
Read events
29 180
Write events
160
Delete events
28

Modification events

(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(3608) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(2796) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000DBE10F59F353DB01
(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
1
(PID) Process:(3608) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:GoogleChromeAutoLaunch_A822CA3D40D4B8944864CFEA751D8D57
Value:
(PID) Process:(7140) irsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7140) irsetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
452
Suspicious files
5 320
Text files
2 408
Unknown types
108

Dropped files

PID
Process
Filename
Type
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1360e0.TMP
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1360e0.TMP
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1360f0.TMP
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1360f0.TMP
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF13611e.TMP
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3608chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
133
DNS requests
56
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5572
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5572
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2612
irsetup.exe
GET
200
104.20.37.13:80
http://dl2.tlauncher.org/
unknown
malicious
7140
irsetup.exe
GET
200
104.20.37.13:80
http://dl2.tlauncher.org/
unknown
malicious
6276
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7140
irsetup.exe
GET
200
104.20.37.13:80
http://dl2.tlauncher.org/
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2548
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.130:443
www.bing.com
Akamai International B.V.
GB
whitelisted
3608
chrome.exe
239.255.255.250:1900
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted
6532
chrome.exe
104.20.36.13:443
tlauncher.org
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
google.com
  • 172.217.23.110
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.179
  • 2.23.209.189
  • 2.23.209.177
  • 2.23.209.176
  • 2.23.209.187
  • 2.23.209.140
  • 2.23.209.185
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
tlauncher.org
  • 104.20.36.13
  • 104.20.37.13
unknown
accounts.google.com
  • 142.251.173.84
whitelisted
dl2.tlauncher.org
  • 104.20.36.13
  • 104.20.37.13
malicious
login.live.com
  • 40.126.32.74
  • 40.126.32.133
  • 40.126.32.72
  • 40.126.32.140
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.138
  • 20.190.160.17
whitelisted

Threats

PID
Process
Class
Message
6924
javaw.exe
Potentially Bad Traffic
ET POLICY Vulnerable Java Version 1.8.x Detected
4428
java.exe
Potentially Bad Traffic
ET POLICY Vulnerable Java Version 17.0.x Detected
4428
java.exe
Potentially Bad Traffic
ET POLICY Vulnerable Java Version 17.0.x Detected
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://tlauncher.org/installer