lumma | hxxps://mediafire[.]com/folder/f0tzfxsevhzq2/Kapu_Launcher

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mediafire.com/folder/f0tzfxsevhzq2/Kapu_Launcher

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

https://fancywaxxers.shop/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 64 IoCs

pid	Process
5820	Loader.exe
5968	Loader.exe
5412	Loader.exe
1540	Loader.exe
4360	Loader.exe
4832	Loader.exe
5780	Loader.exe
5964	Loader.exe
4196	Loader.exe
2464	Loader.exe
4628	Loader.exe
3988	Loader.exe
5436	Loader.exe
3280	Loader.exe
5428	Loader.exe
5556	Loader.exe
5668	Loader.exe
5696	Loader.exe
5160	Loader.exe
5300	Loader.exe
5776	Loader.exe
3428	Loader.exe
6092	Loader.exe
5900	Loader.exe
4252	Loader.exe
3332	Loader.exe
3624	Loader.exe
1248	Loader.exe
4004	Loader.exe
5476	Loader.exe
696	Loader.exe
4988	Loader.exe
4124	Loader.exe
4972	Loader.exe
5232	Loader.exe
5916	Loader.exe
2960	Loader.exe
6076	Loader.exe
5156	Loader.exe
2428	Loader.exe
5524	Loader.exe
5584	Loader.exe
5588	Loader.exe
1396	Loader.exe
4808	Loader.exe
1492	Loader.exe
5016	Loader.exe
4484	Loader.exe
2376	Loader.exe
5256	Loader.exe
1092	Loader.exe
3268	Loader.exe
4464	Loader.exe
6068	Loader.exe
5136	Loader.exe
1316	Loader.exe
1420	Loader.exe
5392	Loader.exe
2032	Loader.exe
3936	Loader.exe
2320	Loader.exe
2924	Loader.exe
5464	Loader.exe
4548	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	mediafire.com
9	mediafire.com

Suspicious use of SetThreadContext 31 IoCs

description	pid	Process	procid_target
PID 5820 set thread context of 5968	5820	Loader.exe	121
PID 5412 set thread context of 1540	5412	Loader.exe	127
PID 4360 set thread context of 4832	4360	Loader.exe	133
PID 5780 set thread context of 5964	5780	Loader.exe	138
PID 4196 set thread context of 2464	4196	Loader.exe	143
PID 4628 set thread context of 3988	4628	Loader.exe	148
PID 5436 set thread context of 5428	5436	Loader.exe	154
PID 5556 set thread context of 5668	5556	Loader.exe	159
PID 5696 set thread context of 5300	5696	Loader.exe	165
PID 5776 set thread context of 3428	5776	Loader.exe	170
PID 6092 set thread context of 5900	6092	Loader.exe	175
PID 4252 set thread context of 4004	4252	Loader.exe	183
PID 5476 set thread context of 696	5476	Loader.exe	188
PID 4988 set thread context of 4124	4988	Loader.exe	193
PID 4972 set thread context of 5232	4972	Loader.exe	198
PID 5916 set thread context of 2960	5916	Loader.exe	203
PID 6076 set thread context of 2428	6076	Loader.exe	209
PID 5524 set thread context of 5588	5524	Loader.exe	215
PID 1396 set thread context of 5016	1396	Loader.exe	222
PID 4484 set thread context of 2376	4484	Loader.exe	227
PID 5256 set thread context of 1092	5256	Loader.exe	232
PID 3268 set thread context of 6068	3268	Loader.exe	238
PID 5136 set thread context of 5392	5136	Loader.exe	245
PID 2032 set thread context of 2320	2032	Loader.exe	251
PID 2924 set thread context of 5464	2924	Loader.exe	256
PID 4548 set thread context of 3628	4548	Loader.exe	262
PID 556 set thread context of 768	556	Loader.exe	287
PID 2152 set thread context of 1440	2152	Loader.exe	293
PID 4320 set thread context of 2320	4320	Loader.exe	300
PID 1792 set thread context of 316	1792	Loader.exe	305
PID 5996 set thread context of 2028	5996	Loader.exe	310

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 31 IoCs

pid	pid_target	Process	procid_target
6076	5820	WerFault.exe	118
5500	5412	WerFault.exe	125
3432	4360	WerFault.exe	131
6100	5780	WerFault.exe	136
6064	4196	WerFault.exe	141
4320	4628	WerFault.exe	146
4616	5436	WerFault.exe	151
4980	5556	WerFault.exe	157
316	5696	WerFault.exe	162
5176	5776	WerFault.exe	168
1056	6092	WerFault.exe	173
3720	4252	WerFault.exe	178
5676	5476	WerFault.exe	186
4704	4988	WerFault.exe	191
5828	4972	WerFault.exe	196
5932	5916	WerFault.exe	201
5400	6076	WerFault.exe	206
2036	5524	WerFault.exe	212
6060	1396	WerFault.exe	218
3456	4484	WerFault.exe	225
6040	5256	WerFault.exe	230
1764	3268	WerFault.exe	235
3624	5136	WerFault.exe	241
2216	2032	WerFault.exe	248
5300	2924	WerFault.exe	254
1472	4548	WerFault.exe	259
3520	556	WerFault.exe	281
5948	2152	WerFault.exe	291
6084	4320	WerFault.exe	296
1760	1792	WerFault.exe	303
2940	5996	WerFault.exe	308

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5708	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
1052	msedge.exe
1052	msedge.exe
544	identity_helper.exe
544	identity_helper.exe
1096	msedge.exe
1096	msedge.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5536	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeRestorePrivilege	5536	7zFM.exe
Token: 35	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe
Token: SeSecurityPrivilege	5536	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe
5536	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe
1052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 3996	1052	msedge.exe	82
PID 1052 wrote to memory of 3996	1052	msedge.exe	82
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 3164	1052	msedge.exe	83
PID 1052 wrote to memory of 4844	1052	msedge.exe	84
PID 1052 wrote to memory of 4844	1052	msedge.exe	84
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85
PID 1052 wrote to memory of 2396	1052	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mediafire.com/folder/f0tzfxsevhzq2/Kapu_Launcher
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcd946f8,0x7ffcfcd94708,0x7ffcfcd94718
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,3390293033473670844,3360262215519919094,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 /prefetch:2
  2⤵
  PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5424

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Kapu.rar"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5536
- C:\Users\Admin\AppData\Local\Temp\7zO0A5ED438\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5ED438\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5ED438\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5ED438\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 152
    3⤵
    - Program crash
    PID:6076
- C:\Users\Admin\AppData\Local\Temp\7zO0A50DEF8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A50DEF8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\7zO0A50DEF8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A50DEF8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1540
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 792
    3⤵
    - Program crash
    PID:5500
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0A548A98\Environment.ini
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5708
- C:\Users\Admin\AppData\Local\Temp\7zO0A597B88\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A597B88\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4360
- - C:\Users\Admin\AppData\Local\Temp\7zO0A597B88\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A597B88\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 808
    3⤵
    - Program crash
    PID:3432
- C:\Users\Admin\AppData\Local\Temp\7zO0A5D01B8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5D01B8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5780
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5D01B8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5D01B8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 840
    3⤵
    - Program crash
    PID:6100
- C:\Users\Admin\AppData\Local\Temp\7zO0A50FFB8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A50FFB8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\7zO0A50FFB8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A50FFB8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 804
    3⤵
    - Program crash
    PID:6064
- C:\Users\Admin\AppData\Local\Temp\7zO0A57BDB8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A57BDB8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\7zO0A57BDB8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A57BDB8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 808
    3⤵
    - Program crash
    PID:4320
- C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3280
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5A9BB8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 812
    3⤵
    - Program crash
    PID:4616
- C:\Users\Admin\AppData\Local\Temp\7zO0A53F8B8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A53F8B8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5556
- - C:\Users\Admin\AppData\Local\Temp\7zO0A53F8B8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A53F8B8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 796
    3⤵
    - Program crash
    PID:4980
- C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5696
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:5160
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5B29B8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 820
    3⤵
    - Program crash
    PID:316
- C:\Users\Admin\AppData\Local\Temp\7zO0A5C47A8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5C47A8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5776
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5C47A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5C47A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 728
    3⤵
    - Program crash
    PID:5176
- C:\Users\Admin\AppData\Local\Temp\7zO0A5045A8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5045A8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6092
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5045A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5045A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 808
    3⤵
    - Program crash
    PID:1056
- C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4252
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3332
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5893A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 808
    3⤵
    - Program crash
    PID:3720
- C:\Users\Admin\AppData\Local\Temp\7zO0A5F70A8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5F70A8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5476
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5F70A8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5F70A8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 796
    3⤵
    - Program crash
    PID:5676
- C:\Users\Admin\AppData\Local\Temp\7zO0A509FA8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A509FA8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\7zO0A509FA8\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A509FA8\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 808
    3⤵
    - Program crash
    PID:4704
- C:\Users\Admin\AppData\Local\Temp\7zO0A59C459\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A59C459\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59C459\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59C459\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 804
    3⤵
    - Program crash
    PID:5828
- C:\Users\Admin\AppData\Local\Temp\7zO0A50E559\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A50E559\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\7zO0A50E559\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A50E559\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 808
    3⤵
    - Program crash
    PID:5932
- C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6076
- - C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:5156
- - C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A583259\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 812
    3⤵
    - Program crash
    PID:5400
- C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5524
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5F1059\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 800
    3⤵
    - Program crash
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A53EE59\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 792
    3⤵
    - Program crash
    PID:6060
- C:\Users\Admin\AppData\Local\Temp\7zO0A5B5F59\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5B5F59\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5B5F59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5B5F59\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 804
    3⤵
    - Program crash
    PID:3456
- C:\Users\Admin\AppData\Local\Temp\7zO0A538D59\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A538D59\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5256
- - C:\Users\Admin\AppData\Local\Temp\7zO0A538D59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A538D59\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 796
    3⤵
    - Program crash
    PID:6040
- C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3268
- - C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A578B59\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 800
    3⤵
    - Program crash
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5CF859\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5136 -s 820
    3⤵
    - Program crash
    PID:3624
- C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe"
    3⤵
    - Executes dropped EXE
    PID:3936
- - C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A50F649\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 812
    3⤵
    - Program crash
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\7zO0A54E449\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A54E449\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\7zO0A54E449\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A54E449\Loader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 804
    3⤵
    - Program crash
    PID:5300
- C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4548
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe"
    3⤵
    PID:5816
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5D8F49\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 848
    3⤵
    - Program crash
    PID:1472
- C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
    3⤵
    PID:5276
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
    3⤵
    PID:5372
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
    3⤵
    PID:3268
- - C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A59D929\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 856
    3⤵
    - Program crash
    PID:3520
- C:\Users\Admin\AppData\Local\Temp\7zO0A5D9FD9\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5D9FD9\Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5D9FD9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5D9FD9\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 152
    3⤵
    - Program crash
    PID:5948
- C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4320
- - C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe"
    3⤵
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe"
    3⤵
    PID:4948
- - C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A54E9D9\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 812
    3⤵
    - Program crash
    PID:6084
- C:\Users\Admin\AppData\Local\Temp\7zO0A52F4C9\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A52F4C9\Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\7zO0A52F4C9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A52F4C9\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 804
    3⤵
    - Program crash
    PID:1760
- C:\Users\Admin\AppData\Local\Temp\7zO0A5402C9\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0A5402C9\Loader.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5996
- - C:\Users\Admin\AppData\Local\Temp\7zO0A5402C9\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0A5402C9\Loader.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 792
    3⤵
    - Program crash
    PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5820 -ip 5820
1⤵
PID:6036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5412 -ip 5412
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4360 -ip 4360
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5780 -ip 5780
1⤵
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4196 -ip 4196
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 4628
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5436 -ip 5436
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5556 -ip 5556
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5696 -ip 5696
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5776 -ip 5776
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6092 -ip 6092
1⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4252 -ip 4252
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5476 -ip 5476
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4988 -ip 4988
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4972 -ip 4972
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5916 -ip 5916
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6076 -ip 6076
1⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5524 -ip 5524
1⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1396 -ip 1396
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4484 -ip 4484
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5256 -ip 5256
1⤵
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3268 -ip 3268
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5136 -ip 5136
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2032 -ip 2032
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2924 -ip 2924
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4548 -ip 4548
1⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7bfb2c41hc7d2h4fb3haa9ahc82c25a735fc
1⤵
PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcfcd946f8,0x7ffcfcd94708,0x7ffcfcd94718
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,18061915105647958332,8297817046929714263,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,18061915105647958332,8297817046929714263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  PID:3432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 556 -ip 556
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2152 -ip 2152
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4320 -ip 4320
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1792 -ip 1792
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5996 -ip 5996
1⤵
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1f722e9f4c2dbf474ae07e72112947c

SHA1
99a1a9eaab3d3bab5a800dc1e5ef141aaa48e847

SHA256
eaf4006a4d21d0787b2c4fc4f41af05e55851ccc91356f19c930a00387a27e0d

SHA512
477e63eaca418b9c67bac0c4c22b8ac321530727b84a7d8488487cfc65e12191d170f4053b51a7d4c7c1341386cec603416747bc0319f5439ad81b1723e0d3ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dc23ac1a62376d2eb9ccfe5905671900

SHA1
6261e1e585d2f30032aec6782121017754d0dea6

SHA256
e69a7d873b4f546d4ea180d0db0011b42d818e0636fbd717ab9f07aa73d15c7b

SHA512
f698a2bd9f84e4751f9930534f87f31dd8f4321160801439dfe4305866ef701d5033f8510026255765e43b6a3f01ce4e07b5cc6088d762557ea33cc0cae27d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
97d492c5c103fba55b00d94eee1764bc

SHA1
84db23ad328d7280f19618cc4b2f294c850dc7c9

SHA256
7d8dc8c539ce7298254818fd792d9543848fc335ada2d6fb5269a470e47697d1

SHA512
33cffe6a823f2f85c20a96ef146da4e80ff75c65a4ddf241c59ecaf588776f62a87e18ad96e55ce0c96bcc5a59cad80814be1e94202d2f751d6fbce8a3f0f47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0d5255f3d592b9db32356ad64bccebb5

SHA1
df5bd13adf7046ed6e8ca7d7790236969eacee1a

SHA256
5273fb429bcefab19cdcb334777b3218c70af81c1fec1feb8e97936fa36a2c52

SHA512
f1ae07f3990845402f4180731614d8425c6154a77632e018135f75ea3499712c1053808b5caf0f1c5bc9deac8e7320bd9d66b9bbcc335892d56b2c0f82f0eafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
66349f2a339e83013b115ed56daded80

SHA1
d6970fc2c87087af99461e69706cb375e98b1023

SHA256
5cdb47d5f2ad0aee3fbedf641997d809ef127df48eb7a781b32117feafc7f190

SHA512
4b773a2546f8df4cbe471c47b2f760000b4bf64ef306b95f4be4dc46a5c3d67b73bdc65b3fbb1a930dc9bf9b4cd5659a9eea0e16bc72889c0b9d23e9bdd5667c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
41bd0af7c575ba299db30888e86bfbd1

SHA1
d38efd1c8a3d6457665cacea0a26b2127e4be5bd

SHA256
4dfedd1f564ca05928cfaf8945d1c5fbac4b9016feb5469918a4475be8ee36fd

SHA512
bc9612979fc772e1220929112c5a7b4b92e36f1710ca12896d64d010db05e5fc884d5b2d6802bad6dac5686ef04a8b4b31e712934d161bf09df57b6688f887ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
667d5dbb01ef2dd1870469a89caba7ed

SHA1
ff7574e333f4841b45eba547f2236b4d1fc0db6b

SHA256
a5742ecf57022e0b434e7fce997245dc2f80375bae4a627b3d888e50686415e9

SHA512
ad08230647ffb2ca26090f50e8b51512facf360851da7023ffda5790e3214200f5100be3f752ce10ba14eb086959a6210544538b62bafe5ad890d6a5d6a573e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8e88dbed23c517818f26e4dc69418b39

SHA1
50c1fd3dc63cabc9d9b10757326f37ace603c71b

SHA256
3dfbde9ed15f31149c104009f9843fe7de3fa964d4e61036ab7a1cbf791850b5

SHA512
06a34080e8b7dae8939934f0ea67f6076adf48c532d3ee3d77d83165de20369f2d6d2c7bfb8cef58b21f3088141224b30efc1b2cacd29bec5944f97faa0dd481

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
99917e383499bc6263ca7c2a68bba3b9

SHA1
ad548f768f2cebb9588d9505eee0a12ba7147c64

SHA256
a93c0cf6c9e70c35af7ac8eeeb2071117ad2f7bdfb65c9569871ea54978018aa

SHA512
abf2f75055e9a25b8309d98105bc1a3e7a120b5c87b66921e4994a6d0b3b465a09538452b8c6294c776b4c9a8a9271a0e3419fcd14d2b1fe2009bfeda140bf57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f5a0f32dc225c2052789368e68adc322

SHA1
e60b1e498d4ba7ceecef728fb763f13e826895e6

SHA256
f9cddaa80e3057b4b05b0fe2ab5ca6e95ec3c3072995edbd07dcd8c4774b41ff

SHA512
9c7697dde57b2a40e5a32e1623167f72b3c5c733c87c27aa718855402a69890cabe4d1e4e6dcabc6e92f62f531c3b406c22fcd19922fc2e9f33de29ac0578e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d22e3f22868a64c86ab7315ab40c42d4

SHA1
773eb1546e4046ea313652a65c3471c9b981e4c3

SHA256
ef22bbee091250f253f3f8434870d183fd12b6b429ad6e0f41f91e773fa669be

SHA512
1144bc9ae2713fbf22569a683dbafc0d3737e7aaf9a333f056ecb7e28958d4958bbb0071907d2d92197c7079699feca377bda8777fbe464d387a271bd0389505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
89fd45432b388c8da256934474634cc5

SHA1
576f8b88b55949446f5ee8a3f8b93f2b25531bf9

SHA256
6446bdef10d115ba321c4ef3def77f5daccec6b00fa4b3e3e6138b2c9820d9d9

SHA512
f780a9cb7d8332cb879488aeaee9ab63adbb0900a9bc4d8894710470799c6ba026fbbb4d141865ed328becd679ab68bb8ed2c7abb03ec00b5a0f89ea659f21f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bee642beff5853f39d0d383468b28f54

SHA1
6943693c829e2abd4cd8cf73d2491ac0d59033f8

SHA256
a908a3d3aab2e400a58ffaf657e997b31a1c4c4e6459be24a7b094c52e533938

SHA512
6560107ab798cd59f8c71fa3c223ae3736a4778c662505beed8cff3f3065e3e4bc489eb8a167257e1ba28e9f9c8a01d189c3cca7304651b2dda46dfa349bff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0A548A98\Environment.ini

Filesize
15KB

MD5
0521921d1b973d325896a215f059e864

SHA1
17ee5cf0adc237048520e3fb3b47da19e40bc9df

SHA256
e41fdf321ec9b1287521481e8a277eb6768c639c6c142880970b5ecca2a1ff00

SHA512
4476039ed6e2f430c4b3c827d2d735a1e5b4f2623cbf07f3d00462bb6f4c549b1695018fcdfb26a5002a0379c104a2e269ee11d4ae7bb40d104bdee5998303f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0A5ED438\Loader.exe

Filesize
381KB

MD5
c82607e20a40c8fd71c7416d50a7657a

SHA1
ceade457a71505263b2217f0a86fc301e41d1e4c

SHA256
db53323f9a637ad6db1d7bc3050fe55712eaf06e527d431bf111aeef09b3a5f4

SHA512
cda2821ba15c83cd115fca56d0f667d2cee314ccedbe53c4717bcdad228f9a3e1011b5eb9813de9e35c51d406329ef4bd8afc50104fd1a2d3a629afeca623d4e

Download Submit
C:\Users\Admin\Downloads\Kapu.rar

Filesize
1.9MB

MD5
d874acac0680d1bc8a50561dccf58eaf

SHA1
dd404730ce45f88da3e17deb7770e64efe1ce3fc

SHA256
41cc70965382179a820ed6b269c43109a4cae2867b1078206dceb6770f651d4e

SHA512
ab4f3fa0d42df26547d7b058bc2013181270b85f7bec51095336700adabf79e21008a37ba3a219a487f12c3d66d83ee7109dfe5f04798c8e49d3931345a356d7

Download Submit
memory/5820-256-0x0000000005BE0000-0x0000000006184000-memory.dmp

Filesize
5.6MB

Download
memory/5820-255-0x0000000000CB0000-0x0000000000D14000-memory.dmp

Filesize
400KB

Download
memory/5968-260-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5968-258-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download