File verdict · Decided by the MT AI Engine
Our call

Suspicious

Signed TLauncher launcher with PUP detections, process injection, LSASS access, and direct-IP contacts.

Family: generik · Verified signer: TLauncher Inc.
Trust score: 45 (Caution)
MT AI confidence: 72%
suf_launch.exe
25.5 MB
0619bd07d3183a8ae05f5d211227
Antivirus engines
4 of 74 flagged
Code signing
Signed by TLauncher Inc.
Age
First seen 8mo ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

Confidence: 72% (High)
Reasoning

Low tier-1 consensus and mostly PUP labels point away from clear malware, yet the combination of revoked certificate, offensive MITRE techniques, direct-IP C2, and community reports of TLauncher distributing unwanted software create mixed signals. The file is prevalent but carries consistent negative indicators across signing, behaviour, and detections. No malicious children or external intel hits reduce severity but do not clear the behavioural red flags.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.topDetections[0]: ESET-NOD32 tier1 'Generik.HANDXBM potentially unwanted application' (adwarePua=true)

  2. behaviour.offensiveTechniques: T1055 and T1548 observed in sandbox

  3. signing.signer: 'TLauncher Inc.' verified but signerStats.found=false and tags=['revoked-cert','invalid-signature']

  4. triggeredHeuristics[1]: MalwareTips.Synth.ProcessInjection high severity with evidence svchost.exe injection

  5. prevalence.classification: common_old (67244 submissions) yet reputation=-1

Points in its favour
  • Only 1 tier-1 malicious detection
  • No malicious dropped children
  • No known-malicious contacted hosts
  • High prevalence (common_old) with thousands of submitters
Points against
  • Revoked/invalid certificate on verified signer
  • T1055 process injection observed
  • Direct-IP C2 with no domains
  • LSASS access (credential-dumper shape)
  • PUP/adware labels from tier-1 and tier-2 engines
  • Community reports linking TLauncher to malware distribution
What to do

Treat as suspicious PUP; do not run and remove if present. Use a different launcher with established clean signing history.

Threat family attribution

generik corroborated by 2 sources

  • VT (74 engines)
    generik
  • MT AI Engine
    generik
Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK (15 techniques)

Adversary techniques mapped to the MITRE ATT&CK framework.

T1012, T1027, T1027.002, T1036, T1055, T1070, T1071, T1082, T1083, T1112, T1129, T1497.001, T1539, T1548, T1573
Spawned processes (15)
  • "C:\Users\<USER>\Desktop\file.exe"
  • C:\Windows\system32\services.exe
  • C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
  • "C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:3969818 "__IRAFN:C:\Users\<USER>\Desktop\file.exe" "__IRCT:3" "__IRTSS:26673860" "__IRSID:S-1-5-21-4005801669-2598574594-602355426-1001"
  • C:\Windows\System32\svchost.exe -k NetworkService -p
  • C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  • C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  • C:\Windows\system32\lsass.exe
+7 more processes captured.
Network activity (10)
IP addresses (7)
URLs (3)
  • http://dl2.tlauncher.org/
  • https://dl2.tlauncher.org:443/check_latest_tl.php?optime=0
  • https://dl2.tlauncher.org/check_latest_tl.php?optime=0
Filesystem & mutexes (30)
Files written (15)
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\lua5.3.dll
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.BMP
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.BMP
+10 more
Files deleted (13)
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
  • C:\Users\<USER>\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe
  • C:\Users\<USER>\AppData\Local\Temp\check_latest_tl.txt
+8 more
Mutexes created (2)
  • Global\OneSettingQueryMutex+compat+encapsulation
  • Global\AmiProviderMutex_InventoryApplicationFile
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen: none of the dropped children has been scanned or seen before.
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

3 synthesis rules
MITRE ATT&CK profile
Defense evasion × 1 · Credential access × 1 · C2 × 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjection (high)

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p
  • CredentialDumper (medium)

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2 (medium)

    Sample contacted 7 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    104.20.7.182 · 8.8.8.8 · 172.66.129.18
Antivirus engine breakdown

4 detections across 74 engines

4 malicious · 0 suspicious · 70 clean
Tier-1: 17 engines, 1 flag (top commercial AVs, low FP rate)
Tier-2: 38 engines, 1 flag (mainstream engines with mixed FP rates)
Low-trust: 19 engines, 2 flags (heuristic / generic-AI engines, high FP rate)
  • ESET-NOD32: malicious · Generik.HANDXBM potentially unwanted application
  • Malwarebytes: malicious · PUP.Optional.TLauncher
  • McAfeeD: malicious · ti!0619BD07D318
  • Rising: malicious · Adware.SoftBundler/SFACTORY!1.13C85 (CLOUD)
Hash 0619bd07d318… cross-referenced against 74 AV engines via our AV network.
PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Overall entropy: 7.99 (Unpacked)
Section entropy (5 sections)
  • .text: 6.52
  • .rdata: 4.99
  • .data: 4.70
  • .rsrc: 5.52
  • .reloc: 4.90
Scale 0.0 to 8.0; packed threshold 7.2
Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Classification: Common & old
Unique uploaders: 3,669 (hundreds of people have uploaded this; common)
Total submissions: 67,244 (includes repeat uploads by the same source)
First seen by VT: 8mo ago (Nov 16, 2025)
Prevalence quadrant (this file: Common · Old)
  • Rare · New: targeted malware lives here
  • Common · New: just-released software
  • Rare · Old: niche or internal tooling
  • Common · Old: trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
11/16/2025, 8:03:52 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/5/2026, 2:38:40 AM
Scanned here
7/5/2026, 3:53:43 AM
File name
suf_launch.exe
Size
25.46 MB
MIME type
(unknown)
Detected type
Win32 EXE
SHA-256
0619bd07d3183a8ae0cb1be408c6ad32295d47ddd666b2d51edd4d5f5d211227
MD5
de90bdf89be7e8f55b9ea1e9f0a88613
SHA-1
ea25984a475c95ad41abae25885db7b24514a7af
PE imphash
edb0a89022b9c14b574f0c2cef13dfa2
First scan (MalwareTips)
7/5/2026, 3:53:43 AM
Last scan (MalwareTips)
7/5/2026, 3:53:43 AM
Code signer
TLauncher Inc. (verified)
Community reputation
-1 (flagged)
Behavior tags
revoked-cert, signed, peexe, invalid-signature, overlay, checks-disk-space
Community classification

Reviews & malware reports (0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.