Malware analysis TLauncher.exe Malicious activity | ANY.RUN

Add for printing

File name:	TLauncher.exe
Full analysis:	https://app.any.run/tasks/78631495-07a0-4cf3-b0d7-6f6b96038c82
Verdict:	Malicious activity
Analysis date:	June 26, 2025, 23:14:09
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	java arch-doc antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 9 sections
MD5:	24FF8F0A6D7252FD7C181731E7E74216
SHA1:	E93E67BE1310598D444A475F89CD8BF10B484676
SHA256:	D3E6E960183D69E98551789D5E95B9477173B1D0CCCF75A2C7057C40ECEEEE41
SSDEEP:	98304:NmvrK66+5uwL5tpvviSUTgbIveWkTd2phL9jywONzv+j+TULHnkQdrAWqC91+jPb:NorIvb8udvvRdLlYOL62trYd17R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Checks for Java to be installed
  - TLauncher.exe (PID: 5808)
- Reads security settings of Internet Explorer
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Executable content was dropped or overwritten
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Process drops legitimate windows executable
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- The process drops C-runtime libraries
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- There is functionality for taking screenshot (YARA)
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Starts CMD.EXE for commands execution
  - java.exe (PID: 5952)
- Starts application with an unusual extension
  - cmd.exe (PID: 4948)
  - cmd.exe (PID: 6896)
  - cmd.exe (PID: 3876)
  - cmd.exe (PID: 1044)
- Uses WMIC.EXE to obtain CPU information
  - cmd.exe (PID: 4948)
- There is functionality for VM detection VirtualBox (YARA)
  - java.exe (PID: 5952)
- There is functionality for VM detection VMWare (YARA)
  - java.exe (PID: 5952)
- Uses WMIC.EXE to obtain quick Fix Engineering (patches) data
  - cmd.exe (PID: 1044)
- There is functionality for VM detection antiVM strings (YARA)
  - java.exe (PID: 5952)
- The process creates files with name similar to system file names
  - java.exe (PID: 5952)
INFO
- Checks supported languages
  - TLauncher.exe (PID: 5808)
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
  - chcp.com (PID: 6892)
  - chcp.com (PID: 316)
  - chcp.com (PID: 1056)
  - chcp.com (PID: 3888)
- The sample compiled with english language support
  - TLauncher.exe (PID: 5808)
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Application based on Java
  - javaw.exe (PID: 5768)
- Creates files in the program directory
  - javaw.exe (PID: 5768)
- Create files in a temporary directory
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Creates files or folders in the user directory
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
  - dxdiag.exe (PID: 728)
- Reads the computer name
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Reads the machine GUID from the registry
  - javaw.exe (PID: 5768)
  - java.exe (PID: 5952)
- Reads CPU info
  - java.exe (PID: 5952)
- Process checks computer location settings
  - java.exe (PID: 5952)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 4816)
  - dxdiag.exe (PID: 728)
  - WMIC.exe (PID: 2220)
- Changes the display of characters in the console
  - cmd.exe (PID: 4948)
  - cmd.exe (PID: 3876)
  - cmd.exe (PID: 6896)
  - cmd.exe (PID: 1044)
- Reads the software policy settings
  - dxdiag.exe (PID: 728)
  - slui.exe (PID: 4816)
- Checks proxy server information
  - slui.exe (PID: 4816)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:18 07:44:34+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.22
CodeSize:	44032
InitializedDataSize:	29184
UninitializedDataSize:	38912
EntryPoint:	0x1590
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.252.0.0
ProductVersionNumber:	1.252.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Windows NT
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	TLauncher Inc.
FileDescription:	TLauncher
FileVersion:	1.252
InternalName:	TLauncher
LegalCopyright:	TLauncher Inc.
LegalTrademarks:	Default organization
OriginalFileName:	TLauncher.exe
ProductName:	TLauncher
ProductVersion:	1.252.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

316

chcp 437

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

728

dxdiag /whql:off /t C:\Users\admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt

C:\Windows\System32\dxdiag.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft DirectX Diagnostic Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1044

cmd.exe /C chcp 437 & wmic qfe get HotFixID

C:\Windows\System32\cmd.exe

—

java.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1056

chcp 437

C:\Windows\System32\chcp.com

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Change CodePage Utility

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

1800

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2128

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

java.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2200

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2220

wmic qfe get HotFixID

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll

3520

C:\WINDOWS\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\System32\icacls.exe

—

javaw.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3876

cmd.exe /C chcp 437 & dxdiag /whql:off /t C:\Users\admin\AppData\Roaming\.minecraft\logs\tlauncher\dxdiag.txt

C:\Windows\System32\cmd.exe

—

java.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

19 360

Read events

19 245

Write events

Delete events

Modification events


(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In SystemInfo
Value: 1
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In SystemInfo
Value:
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In DirectDraw
Value:
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In DirectSound
Value: 1
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In DirectSound
Value:
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In VideoCapture
Value: 1
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In Diagnostics
Value: 1
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	write	Name:	DxDiag In DirectDraw
Value: 1
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In VideoCapture
Value:
(PID) Process:	(728) dxdiag.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX Diagnostic Tool
Operation:	delete value	Name:	DxDiag In Media Foundation
Value:

Add for printing

Executable files

416

Suspicious files

2 232

Text files

839

Unknown types

Dropped files

PID	Process	Filename		Type
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9331\dependencies.json.metadata		binary
		MD5:10BA80F2FCE9F16EE41D0F0594D262E1	SHA256:2C686595C88C50BCB588049BE6E69FFD1168CA8BEECD425FC45DC1A822F56C6C
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json.metadata		binary
		MD5:D1C15E54F7D9BCC1A22849B4AF5BC264	SHA256:22EFFB56C46910C5732329972DFBFDAE1F373FD6527C982EFB00B56F0F8DB9DC
5768	javaw.exe	C:\Users\admin\AppData\Local\Temp\imageio6930434179676808511.tmp		image
		MD5:794EB92E3B9D16B375D8E07B08BA29A6	SHA256:3AA536E4A0EAF52249C31AD4C033CF59AF476D71682D0A14656059220F6FD217
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\appConfig.json		binary
		MD5:F207B79BF8BC25CDF5FB8CD03A4B3474	SHA256:982029808AB61B04455AF3F464FD6605765707F197C64F732AD33A05FCDE17A4
5768	javaw.exe	C:\Users\admin\AppData\Local\Temp\imageio2941955692448178601.tmp		image
		MD5:A439014382612E34B571515B64A71058	SHA256:AB54464948DEC30D9D13E624BD5E5D0D59EF641B9EFDAB4EB869FB255A54E357
5768	javaw.exe	C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\83aa4cc77f591dfc2374580bbd95f6ba_bb926e54-e3ca-40fd-ae90-2764341e7792		binary
		MD5:C8366AE350E7019AEFC9D1E6E6A498C6	SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\logs\starter\log.2025-06-26_23.log		text
		MD5:774891F4C3FC115D4FCF8DE5DF241164	SHA256:BC074FE9852F2AA783B6D6000C42A72CEEEA16CD3A6BE6FD4229448A30790566
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\javaConfig21.json		binary
		MD5:2CD65344565414BD87799D7022652780	SHA256:4380E5CB04F27B184DBEA1FB0CC92FBA1A467BF401D21CECE987581CA3270D75
5768	javaw.exe	C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp		text
		MD5:8E9F5B0DB0115C28034BEA4984F073D9	SHA256:2BC6B663A93173E0550DA81C979BEBA1D877B049617BB4725A24CAB7D4B0FA83
5768	javaw.exe	C:\Users\admin\AppData\Roaming\.tlauncher\starter\cache\https_repo.tlauncher.org\tlauncher-sources\prod\release\tlauncher\2.9331\dependencies.json.temp		binary
		MD5:89C57C68EC9969DBFACBB9828AA74B39	SHA256:667BFA079F072722C4D69E7D62C2973E2E30F51350E3E4DE4B4AF2591A406FDB

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5768	javaw.exe	GET	200	178.63.69.206:80	http://advancedrepository.net/check.bin	DE	binary	48.8 Kb	unknown
5952	java.exe	GET	200	104.26.10.134:80	http://img.fastrepo.org/update/downloads/configs/client/images/img-up-for-server.png	US	image	3.03 Kb	unknown
5104	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	420 b	whitelisted
5952	java.exe	HEAD	200	104.20.7.182:80	http://page.tlauncher.org/	unknown	—	—	malicious
5104	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	408 b	whitelisted
2940	svchost.exe	GET	200	69.192.161.44:80	http://x1.c.lencr.org/	DE	binary	734 b	whitelisted
1268	svchost.exe	GET	200	2.16.168.119:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	RU	binary	825 b	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
2212	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
5952	java.exe	GET	200	104.26.10.134:80	http://img.fastrepo.org/update/downloads/configs/client/video/tl-discord-en.png	US	image	49.2 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4100	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5768	javaw.exe	178.63.69.206:80	advancedrepository.net	Hetzner Online GmbH	DE	unknown
5768	javaw.exe	178.63.69.207:443	repo.fastrepo.org	Hetzner Online GmbH	DE	unknown
5768	javaw.exe	185.175.46.50:443	stat.tlauncher.ru	OOO Network of data-centers Selectel	RU	suspicious
5768	javaw.exe	104.20.7.182:443	page.tlauncher.org	CLOUDFLARENET	—	whitelisted
5768	javaw.exe	104.26.10.134:443	resource.fastrepo.org	CLOUDFLARENET	US	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
repo.fastrepo.org	178.63.69.207	unknown
page.tlauncher.org	104.20.7.182 172.66.129.18	unknown
advancedrepository.net	178.63.69.206	unknown
stat.tlauncher.ru	185.175.46.50	unknown
resource.tlauncher.org	104.20.7.182 172.66.129.18	unknown
resource.fastrepo.org	104.26.10.134 172.67.70.32 104.26.11.134	unknown
repo.tlauncher.org	104.20.7.182 172.66.129.18	whitelisted
repo.tlauncher.ru	5.188.131.5	unknown

Threats

PID	Process	Class	Message
5768	javaw.exe	Potentially Bad Traffic	ET INFO Vulnerable Java Version 1.8.x Detected
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2200	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile

Add for printing

No debug info

General Info

TLauncher.exe

24FF8F0A6D7252FD7C181731E7E74216

E93E67BE1310598D444A475F89CD8BF10B484676

D3E6E960183D69E98551789D5E95B9477173B1D0CCCF75A2C7057C40ECEEEE41

98304:NmvrK66+5uwL5tpvviSUTgbIveWkTd2phL9jywONzv+j+TULHnkQdrAWqC91+jPb:NorIvb8udvvRdLlYOL62trYd17R

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Checks for Java to be installed

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

There is functionality for taking screenshot (YARA)

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Uses WMIC.EXE to obtain CPU information

There is functionality for VM detection VirtualBox (YARA)

There is functionality for VM detection VMWare (YARA)

Uses WMIC.EXE to obtain quick Fix Engineering (patches) data

There is functionality for VM detection antiVM strings (YARA)

The process creates files with name similar to system file names

INFO

Checks supported languages

The sample compiled with english language support

Application based on Java

Creates files in the program directory

Create files in a temporary directory

Creates files or folders in the user directory

Reads the computer name

Reads the machine GUID from the registry

Reads CPU info

Process checks computer location settings

Reads security settings of Internet Explorer

Changes the display of characters in the console

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests