b4bc1908f636e8bcbe6dddcd6dea9a4b29d96691595fc10205ddb270b84e41cf

Analysis

max time kernel
147s
max time network
115s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2023, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfsvc.exe
Size

100KB
MD5

149b5294672f6d611945b901832f455a
SHA1

7607cece2f794d57a719340b63fd0408fb5fc6eb
SHA256

b4bc1908f636e8bcbe6dddcd6dea9a4b29d96691595fc10205ddb270b84e41cf
SHA512

92b6e4f02fae1594ed65a0ff2c8770fee68c599384a1b49e880cf9612605b57eafdd0d3c9907074db21bfa03a840d9bd6534d6ed5f82d72763c255e1c9690b91
SSDEEP

1536:f/0hcbnpWUj8tlf0nJ+ddqXxNft9QK8d5sctYeu0BKREg:hpWntl+IdqXxNft9mAcqeu0oRl

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3468	TLauncher-2.885-Installer-1.1.3.exe
4540	irsetup.exe

Loads dropped DLL 3 IoCs

pid	Process
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001b04a-388.dat	upx
behavioral1/memory/4540-391-0x0000000001140000-0x0000000001528000-memory.dmp	upx
behavioral1/files/0x000800000001b04a-387.dat	upx
behavioral1/memory/4540-804-0x0000000001140000-0x0000000001528000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-307324125-4249701739-3835089310-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3824	vlc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3824	vlc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	firefox.exe
Token: SeDebugPrivilege	4568	firefox.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
3824	vlc.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
4876	AcroRd32.exe
3824	vlc.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
4568	firefox.exe
3468	TLauncher-2.885-Installer-1.1.3.exe
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe
4540	irsetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 216	4876	AcroRd32.exe	73
PID 4876 wrote to memory of 216	4876	AcroRd32.exe	73
PID 4876 wrote to memory of 216	4876	AcroRd32.exe	73
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 4056	216	RdrCEF.exe	74
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75
PID 216 wrote to memory of 316	216	RdrCEF.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
"C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"
1⤵
PID:4820

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=07DDB245177722734D242AE5CF19081D --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4056
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AE15AFCDD78E909AFA5DCC24149EF822 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AE15AFCDD78E909AFA5DCC24149EF822 --renderer-client-id=2 --mojo-platform-channel-handle=1640 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:316

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RepairReset.WTV"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3576
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.0.1380094197\1673446899" -parentBuildID 20221007134813 -prefsHandle 1744 -prefMapHandle 1724 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {82a877cc-aff7-4f35-bbf8-f9f507fefd7f} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 1828 250aedd8e58 gpu
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.1.1241778500\1119216841" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {177e2a19-c918-4680-88d8-0277e789d1ac} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 2184 250aed04a58 socket
    3⤵
    - Checks processor information in registry
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.2.801893734\1153828423" -childID 1 -isForBrowser -prefsHandle 2748 -prefMapHandle 2932 -prefsLen 21120 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9456b3d1-1487-4e92-aba0-a2aaa7a634d5} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 3036 250b2fa7958 tab
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.3.1240382435\124927019" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f315e7-87f4-4546-95e8-f2377211f1a5} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 3524 250a3d62558 tab
    3⤵
    PID:4072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.4.1447941941\1516511020" -childID 3 -isForBrowser -prefsHandle 3580 -prefMapHandle 3560 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d15a064-3542-4ac6-ab78-cf274b0fa08b} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 4292 250b425b958 tab
    3⤵
    PID:4140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.6.939651988\974132492" -childID 5 -isForBrowser -prefsHandle 4848 -prefMapHandle 4852 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b887610-716b-4f89-ba5d-ad7d4d4457bb} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 4840 250b54dee58 tab
    3⤵
    PID:4028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.7.483397565\1415240855" -childID 6 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4a32643-972c-4f6c-835c-d87514a1abdd} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 5032 250b54df158 tab
    3⤵
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.5.187472593\1015938494" -childID 4 -isForBrowser -prefsHandle 4684 -prefMapHandle 4720 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {feca96b8-2dec-4108-ad58-5420e36132b3} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 4692 250b54de558 tab
    3⤵
    PID:208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.8.1808705631\238762846" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 4700 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1260 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fc71664-3cd7-4ec8-8a5d-9b41fb512de4} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 5684 250b6c84758 tab
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4568.9.1986684371\1741069481" -parentBuildID 20221007134813 -prefsHandle 5860 -prefMapHandle 5840 -prefsLen 26620 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da2e54ee-9b10-4156-bcc3-bd15c55b0707} 4568 "\\.\pipe\gecko-crash-server-pipe.4568" 5944 250b2f45858 rdd
    3⤵
    PID:2376
- - C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe
    "C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1910546 "__IRAFN:C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe" "__IRCT:3" "__IRTSS:23661420" "__IRSID:S-1-5-21-307324125-4249701739-3835089310-1000"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
eaa0c69f4aaffe13407f8d936df9f6e4

SHA1
e10dd1eb3468b3cb4f33c8e23aeae1aad3124cff

SHA256
f863b4751687eb177c9d2505587b0d24233c92be3676857be63d1aa62796e970

SHA512
edff2687dcb4c212825d03b08d7a625eef131cedddfb518a7c6e1fd76c1a8728a70b9975904f307067f4f1c794e0080fa36157414beafa334beae602a6024b57

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\0023CCD27A4401E92F32259AA01669BD277B955F

Filesize
97KB

MD5
2d727a51cff969a545eb69b9aaeba5c3

SHA1
3b3b8d8a90168c1cf7c96fad0509668771d7f1f9

SHA256
62b5290b9c1584e68e95d4311c8abf15fc9f04a967be10dc065a9acfeb129459

SHA512
3eedb8cf1bd27202ceb17ae459ce1ecf4b8c58d6fb6b97bfab3572c9f1dabd37520a2915907cd2ddcb36f33a6276076088020b1b28b79734b1409bee23be02f1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\1CF6D2D2772DCC0228C36F2F7A4F85445E7D41F2

Filesize
100KB

MD5
5c43b8ee7743df85fb04940fd57a9d5e

SHA1
17ff0d0183737e2001437cef65514731e307e1f9

SHA256
108b561b26dfb307f8ea48da7d4028501d108c200d2038cc72e808adc6c979c0

SHA512
1304d5863cfc25f1dea4d01f2662816ea4a5f245dece26dec86f21cd38c72c4b03800c379a93f4892fb6895a64601d1401fd61265d6988aa98b4e82c7592f8fa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\1E2837FDB4C2FC65E6EAB5051F758940F72C710B

Filesize
101KB

MD5
8065629dbf1b4672eef5a102d84543be

SHA1
b0fda07bcefcfed307f23ca359feeec977490c2d

SHA256
895fcd7a89ae407614874a262aa993467d86997a8003f55bde081cd72bfaef32

SHA512
18ecac4a251217327190f9e3b9d8e29ef9d526306da9ab9505dc43b29b8d1ed8a41f41f5bcca80b775840abb761c056f60b09a07fabe5869d5827f3409367d52

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\689A54C433D668CF1C908E0E85AB6CD088E81D9F

Filesize
147KB

MD5
d722806db693441172d69b7c6206e86c

SHA1
b87dd771bb75bc9a51901b885baad38e5e6fc1cf

SHA256
e12f03c35e12141fb8689ec612b49938cad964efc7275a4ebed89e758e4199bf

SHA512
c1e951e79ea52dc43f902f5bcff17cdc952e8bbfa34e80d77837fc9ce7c5d184438656711b57419b34082683aa7d10efdea837d45b7784cd79c5340d4c9f2753

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\A6B899A083E3028F76EC91C412E6C3342FAAF1B3

Filesize
334KB

MD5
a3b40fe78bfb082d73ecf22f3c9bd80a

SHA1
61def2baa56d756a3179bb3b18a4b3dddfd7657e

SHA256
947d3312c4273d99f217303dfa788eff78967285580923e27324a6cf138412c5

SHA512
fd9c520fdb284843e60cf86b4b5f399bc986d2841b4367b8c7b952b8b348b43b570b6e4d154e2c2693d4e11bbd3fb88fbc033f64d860588c5420f48ff738fbca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\C81DDBFCC00DD73C2638811E1AF17016922748E2

Filesize
291KB

MD5
4a603bec205759155ed28d295578676d

SHA1
c1f5a1ca0321ba19499037310980fb36844db3af

SHA256
29be48f7247289d9b7bfc06a842a26fd2d1a47d947ce0250454f740df0a6c35d

SHA512
45fc49b80bba886bb9153f832f55a8e86a2b0d13d98346d27b6bf28caa7bbdcdb3cefbdbc60d79193624f714b6019aa21ce38bd3ee76846279990a702c216f06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\cache2\entries\DD91F5C51DC8743666B995BB4C8835F15C86D1C3

Filesize
433KB

MD5
94435f20aeecd4ea603c40cdf2cb376d

SHA1
9cd206501b35e51924191d73ece7937fadc414be

SHA256
3bec79f47443e65b08a3705b04b65d9faee2f3b15d38bdb2cac5bbd04d1a384e

SHA512
c5832b3203a949242bef400847ab948172f562a08cc64ce1568be1f6452d0277aff76a659b9abe0bfaa0149cf20d3e61a56f91aff6ac97aaafda0dfe8b1c11bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.8MB

MD5
cb50d496ae05fa1c8bfbcb3b7f910bfe

SHA1
3ec4d77b73c4d7e9858b11224314e99d082497a8

SHA256
7616c72f6659a3a2439d0452190459cd4ceb83fab2307e3e47c9604fa29d9f34

SHA512
22051de06c7e52a37ad36250aa095a8ccc0b0e1cdbfa2e9073c146e77e278cbdbe89bdb078dcfd8babf48baec1902b303ac39cc9db4114ce1516b06552dc924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.PNG

Filesize
280B

MD5
5803b5d5f862418b64caa83396e69c7f

SHA1
97b6c8209b8ad65f4f9f3b953fe966bb09ee4e13

SHA256
ee340f8560ba2e71d7e6d305b959ff8fa77869dac916287da2bff7ce5aa2e159

SHA512
e9bf37f0c89299bfa369a8677ac56b12177dd3153246e5e6a9390577658111b731b0ab987044d30f43e05cb41d79ed31dae3b6f4521f225925920617d0414edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG3.PNG

Filesize
281B

MD5
60a19921c7ff3c75e28c302f95460994

SHA1
07ac64ffbb153c8675e2ce0651afeaa5e8c6652d

SHA256
33341d30463fbc7cf3fba5070925569c822b6835aabdb8ef2c3cf09547912d46

SHA512
b30b960152dc13b1a9d384c4972169392cd405bdf4d3ecf73f85cf8a9a68a075131b2495c0348f54d43d0e7a279907bc7b76ac103f4a624738cbfc73bbeeba02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
a70accbc1f1001cbf1c4a139e4e5d7af

SHA1
138de36067af0c8f98e1f7bc4c6bea1d73bc53ab

SHA256
b000fef41ce0267255701aacc76c02159d207212c4595437077e7904b7968ca6

SHA512
46fde27847dfab38d2f6fefca31677a0d5a5ac775951fc19f1fc0b4ec56969622f0c4f036ecacc05b33854871f03232a4944f3e93a747280cac622503f5c4f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\prefs-1.js

Filesize
6KB

MD5
91a97867cfbfe4614546eb6dec81d661

SHA1
e2698036f37d5c237f7e2311b6d9a6ca266a3a2b

SHA256
b02e313a0c98ecc7ed9c9299b0a009cca360d868bd118df083ae173bd59f65a5

SHA512
719bcbd4418f379eb2a5cd42e3190363da72ed51471f76ab54fb75dc606c6f275cdfb60f60e514efcd529af216cf55386964dd35a3f085ab4f611c5ece5555c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\prefs-1.js

Filesize
7KB

MD5
d4f662973d382703362f505a47745016

SHA1
3a2f38e7aafa25b3d886d87577f1db4861af0032

SHA256
c2278533ddd9f2b1cc414f4be948ee7288f9064aee5ec3c12d03ac47c1727b7d

SHA512
b73ee3c0f6517476f4b754ca55d7f5cc248132f2bfecf192a581b793c7285ca3f9f38e3e1880df14bfbc2fc534e4be7dc9e7c4dbbcbe90ab6798aaf6e3603684

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\prefs-1.js

Filesize
7KB

MD5
ad88c0336f8196385d544cc61fd97b27

SHA1
5a39a4e40ab7243542b72796eac18693491bd7d0

SHA256
41e0e810d8fd11369c55320b445ac92ccccab15cf2a4344913cd1b7fe6dd66f0

SHA512
40d6e518943ff3ca4beb348149a46bf122900383d8d4d74318f62515a401a6799d9347a40eedaeab31a81714a299f4fde643b4863375feb5ac642cb3b354687a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\prefs.js

Filesize
6KB

MD5
d81a0d9336f92d988bb31c76f2a41826

SHA1
c7a2acaa33302ad8499150e3a8eae3c3a314866f

SHA256
7390c056b75a0d161bc6ab5ac33b52c40178a8a821935c045cfaf9c955c96c4b

SHA512
e424409604f95d7cddd679788c5386103d847c2ec0482351c7785577a153bb6d12fa8bcc4717a73349bc8003a2b777d4c988c109d907e02e37d4351c651a51ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7e1f44b2beaa12050d1e9753949f4630

SHA1
fdee2493c531d635fe9ba080cff15c076db5aecd

SHA256
989d808915a1cb90bdd7b183cba85423f56c1a4fa81bdaa35774f58f7bd8c6e1

SHA512
0144e43f2212de2225d3a8e5328e7c62a2d4152dabb07c47c36fa7e5aadc507699f5a0613e45289c62e1716adbb31d802d5037358fa1bf71da66f227ae3744ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
6b1a6910044fa6a3d77f4be541854bc8

SHA1
41fa9df78cd975cbaac06ce94588cbce48dbe131

SHA256
d8b3d1afe4324763f1ac089290d4d4c5a87011026d31574495ab63eeaa99bec4

SHA512
948819bf9dca942d71712c91673fad5ad4133a3ed99d78647ff31cf14b79bf523449c643323986423b87303127347a4db68b9052cda7fe334333651190bfb285

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
2b6785ee2390e0f538c1d3134edf7d01

SHA1
fa2308d461a9931fa00adb3d818e5c35bb31ed7f

SHA256
661c095f1e9fb68ff56cfb0c6e4412c30a52f970ba0284bf964ccdae9086afc3

SHA512
a6c531122a120c5a1426ab8708338697c8ba91185baee76eca49c576e47a4ffe34aef795386425754d49d737e90c3fd49152784466e2e58b8b59697f57c21feb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0c8fsnx6.default-release\sessionstore.jsonlz4

Filesize
9KB

MD5
6b1234e5af0169d8bcbdfb81b0d45660

SHA1
8f9d2b5468796a04e834285e1753e08098119a7c

SHA256
0eff2679e0aa6e470fc78324afe5ae5dc756a3dd59cdd9b1a30eb5ec51dac5e7

SHA512
9dc912349516e9b669a43c5e4a86a8b29b3a9649a39e20ad9f1a4225ee88796cce15f1e5ea1704cf215138b022344fd3ed28cb3de3b0abe990804bcdd43a602d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
C:\Users\Admin\Downloads\TLauncher-2.885-Installer-1.1.3.exe

Filesize
22.6MB

MD5
bd3eefe3f5a4bb0c948251a5d05727e7

SHA1
b18722304d297aa384a024444aadd4e5f54a115e

SHA256
f1b132f7ecf06d2aa1dd007fc7736166af3ee7c177c91587ae43930c65e531e0

SHA512
d7df966eeda90bf074249ba983aac4ba32a7f09fe4bb6d95811951df08f24e55e01c790ffebc3bc50ce7b1c501ff562f0de5e01ca340c8596881f69f8fed932d

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
1bbf5dd0b6ca80e4c7c77495c3f33083

SHA1
e0520037e60eb641ec04d1e814394c9da0a6a862

SHA256
bc6bd19ab0977ac794e18e2c82ace3116bf0537711a352638efd2d8d847c140b

SHA512
97bc810871868217f944bc5e60ab642f161c1f082bc9e4122094f10b4e309a6d96e3dd695553a20907cb8fea5aef4802f5a2f0a852328c1a1cd85944022abaab

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/3824-48-0x00007FF72F2B0000-0x00007FF72F3A8000-memory.dmp

Filesize
992KB

Download
memory/3824-52-0x00007FFC47470000-0x00007FFC47582000-memory.dmp

Filesize
1.1MB

Download
memory/3824-51-0x00007FFC47870000-0x00007FFC4891B000-memory.dmp

Filesize
16.7MB

Download
memory/3824-50-0x00007FFC57AC0000-0x00007FFC57D74000-memory.dmp

Filesize
2.7MB

Download
memory/3824-49-0x00007FFC5B3A0000-0x00007FFC5B3D4000-memory.dmp

Filesize
208KB

Download
memory/4540-391-0x0000000001140000-0x0000000001528000-memory.dmp

Filesize
3.9MB

Download
memory/4540-682-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/4540-684-0x0000000007090000-0x0000000007093000-memory.dmp

Filesize
12KB

Download
memory/4540-804-0x0000000001140000-0x0000000001528000-memory.dmp

Filesize
3.9MB

Download
memory/4540-806-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download