hxxps://www[.]mediafire[.]com/file/66h8wv318t5k35w/KFlauncher[.]rar/file

Analysis

max time kernel
201s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/66h8wv318t5k35w/KFlauncher.rar/file

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1156	KFlauncher.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 5008	1156	KFlauncher.exe	124

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFlauncher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\KFlauncher.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
2124	msedge.exe
2124	msedge.exe
4748	msedge.exe
4748	msedge.exe
4252	identity_helper.exe
4252	identity_helper.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
2344	msedge.exe
2344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3128	7zG.exe
Token: 35	3128	7zG.exe
Token: SeSecurityPrivilege	3128	7zG.exe
Token: SeSecurityPrivilege	3128	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe
2124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1216	2124	msedge.exe	81
PID 2124 wrote to memory of 1216	2124	msedge.exe	81
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4416	2124	msedge.exe	82
PID 2124 wrote to memory of 4664	2124	msedge.exe	83
PID 2124 wrote to memory of 4664	2124	msedge.exe	83
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84
PID 2124 wrote to memory of 4124	2124	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/66h8wv318t5k35w/KFlauncher.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd7cf43cb8,0x7ffd7cf43cc8,0x7ffd7cf43cd8
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,17126823807047401859,5647732676115623390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1668

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KFlauncher\" -an -ai#7zMap256:104:7zEvent10976
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Users\Admin\Downloads\KFlauncher\KFlauncher.exe
"C:\Users\Admin\Downloads\KFlauncher\KFlauncher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
20KB

MD5
8c34c7b82f4668c975defa63ea3c9911

SHA1
01aee6e4857efb1898934c58dfbaab60a9bafb75

SHA256
6fddf44c880fa4ab45d21e764fb4371c8820b7b1c49502ece0fb5e1eab95ab3e

SHA512
7b8db2103dedf6b36759771c5b0451d6e2feb8ba889a07f1dbb869c229739e4343636ab5fe0bae8ff7ae5798d533caf3e408e34b71be72d0bfdd076da5a6104f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
20KB

MD5
631c4ff7d6e4024e5bdf8eb9fc2a2bcb

SHA1
c59d67b2bb027b438d05bd7c3ad9214393ef51c6

SHA256
27ccc7fad443790d6f9dc6fbb217fc2bc6e12f6a88e010e76d58cc33e1e99c82

SHA512
12517b3522fcc96cfafc031903de605609f91232a965d92473be5c1e7fc9ad4b1a46fa38c554e0613f0b1cfb02fd0a14122eaf77a0bbf3a06bd5868d31d0160e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
f79882e12fe87d482fe216d30ef3c93a

SHA1
e3031f2d694529705d8634b397815cd907fec24d

SHA256
c95d79ddd197080d143fdbaf458ce6d653621088f2d16827b3037f4417a32f61

SHA512
075f20268aa1b46fd322da5220b1705e42076d6ee681417bc95d5e900c6ed9929eca102796757e5db387db56ed2e97937e074b5af75840e55b018623c0a845c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
63KB

MD5
67e59a06ec50dcd4aebe11bb4a7e99a5

SHA1
5d073dbe75e1a8b4ff9c3120df0084f373768dae

SHA256
14be8f816315d26d4bc7f78088d502eff79dee045f9e6b239493a707758107fe

SHA512
6364515e92ed455f837dcc021cc5d7bbab8eac2a61140de17ff6a67dfdbbd8fbdded5ce739d001a0ba555b6693dafdb6af83424d6643ff6efddc46d391b21d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ace8891be2fb1b7_0

Filesize
268B

MD5
54f8066ef4bb927eb488d3a62b006df9

SHA1
ca2753b9e921b63c50b56525ef7ab5300831889d

SHA256
aa942c0a67bb031b93c123c0f60763d80c6c0b4b4a5c1391ea5989d96e68ac78

SHA512
0302dcb6c4ffb0b2660c4df8898dd06c3d1951ee43ec9b5936ac73d0f6986fc0597eb22be52c20da430c2e36e8e2913bca9acbb8e763c0ec65999512714b9e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9501205598d9a506_0

Filesize
55KB

MD5
84a6ab7f186a0bf7d84bbd2edf9a04c0

SHA1
db95b9ae883eaab6be9f897a06d64ed932aae1ff

SHA256
92ac6f66edb7de32975b97bc7d1d17403ee0e292910ac3555a222f14383f68ab

SHA512
e04f854ecb7fdedee308e46521b9aefc9fa40c05f1297031ef60ee664623752a2f7cf19e5eacaa33739d36f9c66628710e1f88763f348ad3559cf4b54a732e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ec4f3ca411d4eb4a_0

Filesize
331KB

MD5
05c293edec1b94959b94723a0585b04f

SHA1
ce3fea9e58236eafeebd135e486325644131b74e

SHA256
85bfb29600e08492ed98ee71e947d2ad09625d879cc2bc954653533fb2f66df1

SHA512
c21203272d253ce9afe18dccda6595d36b0c6dde76136ee9e5332aff55a520d3a7c94107ee6ac68dfedce16d3b3a9547528bb80dfdb739d61d3ff4a486d5458f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e217e2dcc4b6ca42d04e006869f371fe

SHA1
15022a85e17fc60c898c8f027f7135c4141f354a

SHA256
4408082fcef127764a742ebcbffbb61c0a3afc67eb34b17ee33e292643a379a5

SHA512
b47c588f777b49ec9f4fef1be2a07e1d925afb382a8adf257fddf085215dbee1253604e5f186b36ea86eec479355454bed70d6d43c478e8783f4e75e2ad84955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a61ec2ab0e9f9d9637fd839481bccb4

SHA1
0d143856f46e3c51b1b2102ea18c5d4ceab94f9b

SHA256
c128051c9721394f9563616d8e3ddf3dcfa10f5e14b79bea52bf7c2eba77f8be

SHA512
6127b21508f2db8a9bd9e5bcbf9478ca2bc2b85084d8160bca4d736680cf5dab671dcb03d8db706423a6de100e17a0a0227afdbafb65f271344308cdd10227ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
85b484bb604ade1a86d41324155b69eb

SHA1
c9f4eb89f8e81a584fea3ae3e6004e3614b52448

SHA256
23854ea677671e52de6bc848da6d87f9d66bb8c85c6111d6cf85f77926f3f8ac

SHA512
cb1f3e85cd1c015c2da1485e274014a10c9fbbdf8c5991f658d012e5489b3e7133c09f6691018c08b853ac1581aab77b10571cf2e1d0b78a3a8af2910d78efaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cc25c4694e9ce722b124bbe09a70b10c

SHA1
98daa16fec5f10e3477aef51a4ddf0d3806e3733

SHA256
1b2c169dd83ce8384b9a54f9f5fc4d13f9822c3295fe9e7347cb52fff420d71f

SHA512
ecc5a88dc8abc73e42cd4880295cfd2a07c0b5a037e745b08202d2a2863c67de5f47fd5bf6f90ee5b65fbb6dab46bf7a0679716bf061d4348089444e34f927a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
876f536c97a29de003878777c615dc3d

SHA1
9a47e72d0a8b15b299f4ea9675caf20fc6993a21

SHA256
fc4dbd84022f38b4988b22f66027491b03c07def7de6a0df9df5b61874e597d1

SHA512
641b86cf5a5e300eee0a821dcbaef9e8e04729abd03310bf645284149424364c17f7e395a8b070c507d2873c004686cef43f9d8cf3ce6306fba67f448d60e8f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
67b5607b0204169c8f0035c6a948f9df

SHA1
aa7931ccbe448d9f8698fd6149693e2a21aba6cc

SHA256
d0dbab3fa337fe6adbcadbff2b49f5e62d785fa3fdd7a336940393e3355b72f7

SHA512
ba1ec211431c3c3a2b35868d0fe089463111b7bc9948999cce47523ece172d9e565d2fbd64c5799643158c91cfbbb36783980d66669db2c5ef3c6ffcf5199460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
f2efd217dc526213a363cf91aeef2f0e

SHA1
4280275d9abfc9d1a185cb5ed507ad7387c3c5d1

SHA256
bc8ec06aa0d28496833c94ecc9e659c940b88e4287493ce8a2b72cfeb484e8a8

SHA512
5590635f4a8985b9e2e8f9c808393fffd90d225d956d1cb2746fe4548b9c94971402e3d0829c052401b6f2d343718adfc1ea957766b8d3827ac5c7fa30a843fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
db5ef357357a82195a22393b0f20dafc

SHA1
028f6b6769dd32ae645cd91b94e713bf003a1bc4

SHA256
0ed2e0848ffac5ae4fdf25a5a6f6d692f401c1083ead420674d7b97fb92992b8

SHA512
6350bd5b7022e0ce5bdc4244e9d2f490995827c869ee57e8ed93dc260a69b01f3b8079548d9bdb8201d22935b00abf0e5f7c0e5a7815e225a3c24b14293c22de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ba19a9647000cbc079bedccdc642e4a

SHA1
50e9fa02b5690b321d58d3cb8fa903765cfb8c9d

SHA256
8a08674f9d32a73712f77cb8f10940a516b8e1ef1b7912b361b79926040b2280

SHA512
b7d9c9698ea76e37fc25d1a7cf7d1d4849c6dcac7014f1eb356c381e95a436017262c2a850f967c18cc7bfedea7f063111158863ffd15e45fdb6c9b12e19a6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
4ac5477fddad7c96421f1f2eb0a1ed0a

SHA1
68d310c0221d0cfae5e67e59f0af202cc6e61eb6

SHA256
2134e1fbff8e9f6a9e723eb9221c6acac49a11e2172164455f01734f0e02827a

SHA512
7a3d0afb4804abf853e762354d1534fb0ce678720a776a1dbb18ce1c10be97124f0de46048f21c271489f66063852dc0a13140002c3faad8b3c5818ae5bba7da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
bd1c43081f62b00cfbaf0926012ea8e6

SHA1
6f1daeee2175565c6f22d1ecd0d24594799a71ad

SHA256
f380787fb4b00a008b9a73529d2ce4dade382b54558ccc9448819b6e8b7c1e80

SHA512
2ec2525b6aa521117141fbce3460ebfb8a93aadfc26d69e7c7fa6b7e5f5f7d72bd393f1d3cdc97e13fcfae8d38d8eeeec0c4adc3e29ef7381738fba22e51b1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f71f81d20a482e6c2c89fc1acaef1f71

SHA1
3459ab768d4cec4242b4855d2a14a7b2b7744453

SHA256
4a9bdbe075777a9ffde94d822e93f64e79b0a1be4b7ed566e4d7932567401450

SHA512
a05da380d1e672cc6f31d3e96f359cc8afbe5d4bfec891eeda32f32e73fd265c55190b2fea15414dd475592d99d3eae33dea4f1ee5d74e0ce2a1f0f5690b2aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
95528e44e70a78cf359407f26194ff51

SHA1
95c56a2006b04a52b00d2b9101154be18ca8dc2f

SHA256
e14ee2a88baa097d32624ea4dde241b59a8cb8dfb3fc0f2885e4ded9054f45b9

SHA512
0ed1be35e9fe3782ed9d6160b86c7f9da88f748193a36a94912f790a53028f0abf30938522cb17432cc15d79140fe4c561e91f8efee14485784cd86d4e9e490c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fbd71421250ca5bffb037c02a6752bf9

SHA1
ed1f8e78109d5b376ad57ca1f00eabbc36f16b95

SHA256
c1287023af33b459cb145b71d03e4b508b4fac81c8967bd2282b3f6dc5d1c2a1

SHA512
100eea43dd9e1b22223ffceecf30f476c507c31a92286547031752cd648df43d5e54aeb21764fec49b653bdd545bf6f05ec1ff3dd982436cde14bf29462ddff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58faa7.TMP

Filesize
2KB

MD5
ce2af8c1a51f2ad6651f202b6c6f9f1e

SHA1
dd551e8bc6dcb21a7e0eb8d67da95e3ea798ec91

SHA256
4bbab0ecd2984fb6ebc3f4aeedfa1dc8982cafe2a313481ca13bc60d69b7027f

SHA512
5621bd4903284427930d8442d0ec19267b236f78b69004a2973bd594a1e3d05b94a2db4cb1e85a7f5543e26b1a712e6220422f7ce43fff770e7a6cafc7e94bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8922fc5703cb9761f167b25a63bbe59c

SHA1
a9eaf001b956c6509a48cd4750b797785a7f28c9

SHA256
36b26cd4db2479aaf692f91a098195b1ad318529891f697652a6f63b965e038e

SHA512
e353f4cbfb807972eb8cace784886d9926010940c9dc0daa3e39fdad81419d7871cb9ab5630fa91e2abb2d87fe57c1f14196145dde18686bce2b0720af856d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
008da624c9a0a272d23906eed4abcba4

SHA1
9dfab8c76535b9d8d5d1867050022feb2b0f8afb

SHA256
9666147a606eeacfef90ed3e7cac5951cc1bbdcb7d3b4b726705fb72a87524e3

SHA512
2c6ab40898396d3cfa0dd01a87f4436b0a1d05692025113f46b46216dd41ff095ac02e0addd16f5747a285c036e0d05588d77b524810916ef3b7197c8003cf29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63972f0f75a820f2617ce5cf432a1600

SHA1
82e601c8946c19748a0d198d4224689432f8cd8b

SHA256
0b21e0db0dd5045666022db1e6aad00e9ac588ee2e331c6bd2b9e0f9f5d1d071

SHA512
2aae61681d3526c475bc7335041a9ef2b242b2f9d40293bb3b8a77ea1137f728553e3de22c3cda13e45104cd132d2340f1bc4e6e9d474084119e912229221f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2bd0f32fc840fbb8d2dd31df0350616e

SHA1
e3cdad140e9442071b553690118834f61e45c3cb

SHA256
458e8a2a4b5dbbfbe6a20f00fd2e4a2d7f258a1797daeeca5ba209e903501dfc

SHA512
8445d801d506adaf0592a5c42cdc9b51b7bab30a4a22b1f3a9b2869ddcbedaaab9d67c0c9a45b7c70ab817bf8d337aabe094cba4fa5f0cd32718ae73b561c61d

Download Submit
C:\Users\Admin\Downloads\KFlauncher.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\KFlauncher\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
memory/1156-1200-0x0000000000820000-0x0000000000886000-memory.dmp

Filesize
408KB

Download
memory/5008-1203-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5008-1206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download