lumma | hxxps://www[.]mediafire[.]com/folder/rcnaasyz32rtt/Kapu_Launch%D0%B5r

Analysis

max time kernel
108s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
08-01-2025 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/rcnaasyz32rtt/Kapu_Launch%D0%B5r

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://letterdrive.shop/api

Extracted

Family

lumma

https://soundtappysk.shop/api

https://femalsabler.shop/api

https://handscreamny.shop/api

https://versersleep.shop/api

https://chipdonkeruz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 7 IoCs

pid	Process
2676	Loader.exe
3076	Loader.exe
3036	Loader.exe
2024	Loader.exe
4424	Loader.exe
4432	Loader.exe
1860	Loader.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 3076	2676	Loader.exe	109
PID 3036 set thread context of 2024	3036	Loader.exe	116
PID 4424 set thread context of 1860	4424	Loader.exe	125

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3852	2676	WerFault.exe	106
4484	3036	WerFault.exe	114
1116	4424	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808326672281585"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeRestorePrivilege	1588	7zG.exe
Token: 35	1588	7zG.exe
Token: SeSecurityPrivilege	1588	7zG.exe
Token: SeSecurityPrivilege	1588	7zG.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe
Token: SeShutdownPrivilege	1512	chrome.exe
Token: SeCreatePagefilePrivilege	1512	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1588	7zG.exe
3552	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe
2356	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2620	1512	chrome.exe	82
PID 1512 wrote to memory of 2620	1512	chrome.exe	82
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3496	1512	chrome.exe	83
PID 1512 wrote to memory of 3628	1512	chrome.exe	84
PID 1512 wrote to memory of 3628	1512	chrome.exe	84
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85
PID 1512 wrote to memory of 3176	1512	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/folder/rcnaasyz32rtt/Kapu_Launch%D0%B5r
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd5c83cc40,0x7ffd5c83cc4c,0x7ffd5c83cc58
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1644,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1524 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:3628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4124 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4920,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5328,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,15560675522063995358,11908837445458001362,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4272

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap5204:70:7zEvent1656
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1588

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2676
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 156
  2⤵
  - Program crash
  PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2676 -ip 2676
1⤵
PID:4796

C:\Users\Admin\Downloads\Loader.exe
"C:\Users\Admin\Downloads\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3036
- C:\Users\Admin\Downloads\Loader.exe
  "C:\Users\Admin\Downloads\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 776
  2⤵
  - Program crash
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3036 -ip 3036
1⤵
PID:2500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kapu\" -spe -an -ai#7zMap15766:70:7zEvent1224
1⤵
- Suspicious use of FindShellTrayWindow
PID:3552

C:\Users\Admin\Downloads\Kapu\Loader.exe
"C:\Users\Admin\Downloads\Kapu\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4424
- C:\Users\Admin\Downloads\Kapu\Loader.exe
  "C:\Users\Admin\Downloads\Kapu\Loader.exe"
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Users\Admin\Downloads\Kapu\Loader.exe
  "C:\Users\Admin\Downloads\Kapu\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 732
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4424 -ip 4424
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
980ebd34ef8cdfa9900dba4fe367d2f7

SHA1
35955645e6324fce99a971a5a80ecae0fc21d971

SHA256
d5384308d29f2f9478f0d1354e9f94053300496f3b7cd2f88f5f8d00dbe1482e

SHA512
470cce060f4dcca34b26c8c3b2d3d4024c12fb4631ed8251e942e7e992149a422f30526b27f9f55c13d5d9581f022d3b18439893c6b0455180ae70c0fb24430a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
270b286000097d89a8b2e3278a2da9f3

SHA1
660198ab9f6c0865e478d29401409543a931171b

SHA256
7c7421a1a05008562aa2eb2031cca95b7978927c1de3b5dcc163d8701d644f48

SHA512
b255b33502632d275835fa77e5f7f92a94e609293c0be660a11081bc7ff766be0c73ba5361bff05e4997616e32b1c8ce79bae623293e25d1893696515fdd12fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1b910153bc546e92c628d795091608e1

SHA1
528b40f9c3998a226883091766d80e924c4cae03

SHA256
725d2bea6a0f22ed75036243bb8d60cc04683c8f68ab1f0b7dbb471dab9bd93a

SHA512
1f824ecd9756dcc4fc3572a82de91b93dc7a5c00839417ee994bb1a9afccefaba1f87f0b69304a8d1680c2acfbb5de52008add811dd11dacbea5a707532b1b0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2279c0091c633f9c0377d453ad9797c9

SHA1
2214a9cc630ac22b738920140f284bd0c7c2568d

SHA256
2c356007856110b0b8798c600096509d613b6135228a6c31b5d010dda42df87b

SHA512
34dfd54f71affb6285a7f950f11d19949d8c39034aa8f123c94b8f04f05c8460de6a210ea2da590f55ecea987f22e43a2ba6f93d692aa222bb6e10ab105417e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
edaada3ac77b61eef09cac0015e79d4e

SHA1
9860711cd3572071518aee7d91b50e60bf2d696f

SHA256
1c81fa264fbe955f1ccb294136148b8d24943a7255c8f31383d4e332b318826b

SHA512
735fd5a9fb04ca8732fa2611a4e25720c33895d4605c624ef40bf52ed0272e6ea472d16314f7a19cb1d917c6daf8b079233b6fb6b4494d5b535431030e668305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
c54ec25e83d00fdbcfb445e565772515

SHA1
ac995d18cf8add3cc80d192f98c96295c022c507

SHA256
93c3c9469bea416bc15ae69a36867fc992b772b72ec4113bbe587aa58eb6dce4

SHA512
f0e626214e994bdbbc7e6b646b1e02155090e040d4d88cc92e1d486082c225716d55410bf28bf3c92e2464bc9ddc9deaab0d419c0a82cba2a937432f4deb7ce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ffeaa5f09d1e24e180bd63e0665223f9

SHA1
3950a885094ec7baa030669a864fc16ffa904720

SHA256
a1282493c44df1c713d1922d0631ad943582281cf6d1155c8ee5ee831b74de89

SHA512
83f9e0c386a442d12c46b8192b5ea9d85be1c31bcaa9038af9713a136738f1146f87864e3ed5cbb98321f88cfb9c703525ce6c0d3501a7538de6b3a9b74c5997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
780722d085bb23789ac506d367eb7a5c

SHA1
a1562021b5118f7e295877b346fd2159e0eb6e23

SHA256
1e41b26e302a13245a466004ddf73b51980a53df3849be4d6a6b4cfcebc717db

SHA512
45f6013a0c6f160c5b466b72e1f48938751a60ea7ec656e9ed5dadd9db8976629e2205b90a04a00cb033efb0481ba74e2b38c68ecfb0f565fc81969b036598e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4cce7d9f88e1f578e0e2963db5b9ac21

SHA1
77bc00ba34ace20c3d91c0a38a19cba490e9be8b

SHA256
45b727bd6ee9696b37a20c2f842dbf9931dc1a545c9315e4ecd73715fc85d535

SHA512
68450839795cd3d27b3d9e53a78ce3651f0915c20503f840c35af3bc8b312e8f33d7df597d9745380f1abc40caaeafc1d0836aaffbad7b7fb14da60350af63f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
57b280f86aeb12166698b1870561a9d6

SHA1
7999ae84791263da1d3e01aba226d0a418d28673

SHA256
ca3fb11d84528db606ce3b5861f59b4cefa96671fa42ee743ccfad5e0ca43b62

SHA512
eda8581cb2cf0173e2a79addcac09e3ce1e06a30bf75041e950c66eea4d87d94156da3bebe0bdad9572e475068a12716c910ab26e875173f56fb9da4bc18acee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76cf54951e9d9f9431cd2e45c2be6a46

SHA1
e66bdc937f899385eb8f9384f61d43d9c8095007

SHA256
c5d40542a48bc4c1ae14a808fa31365a1122393a6368ab188fb10767d0b312d2

SHA512
31ce17f9e65e334f2a78ff95f4c9af42d067addf6895bf67a0b17355b85977408862d6e59447adaaa53da3ac69e58ef58e28785e08d71c91f44795b7ae1ccac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7050b34f5adf7b3550a55c5da115146b

SHA1
6acfc865528f6d476e06e36bc72851ec98fc4225

SHA256
9aa19782bd335d1f01b32dd0b3c1a4b9ac9e80b760444848530f49504ae47807

SHA512
5aa6efd0706ae7d19f6e1f250a5639cdd6ce1b7c0ba33e1b05a7f7d45e46a59be6c4f83fbb58a08832839a57ce63f7ed2d0f783d0cbd26dc5a01dac47b431f4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f445114e0c30f7ac1a4be6eff1897750

SHA1
dca7e31ab658ea4e23e691f2cca10d4405efc52e

SHA256
f7c09570ca94971869fe9aaa4dfc585b94b96b777971ea71d39e550e6983147d

SHA512
dee55d533ec58f32049c2a414697f82b68ba01f5066f5666c94457505c91f26b6ead884ea4fc53bce47c7c4ac26d0cea5b7746f486e43caf0db2252c23cc1b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd1d4864f1b59953271fb0fcf68f95b7

SHA1
58b277955818f2ede4f9c33822b7af2d19ab56a8

SHA256
9096fe1ebd06e70dc94d12520b71cb1e376209f27a5a73600d37b4dd02bae606

SHA512
fb872640ab80db7c264fd76fe757029dfaa6e3d700c9a32a1ab9ce26f65cee071ea7577896ad0893cedfd755b20c4988a8c28b0a32e118bd33198046e89a240b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
90511b35ae7128a58ec748109ddf53a4

SHA1
d4654826c102bcc4195921b1843cf5e6e8f5acef

SHA256
91bac641810bf88748863ac6f286b9a12c3e5704fb0b4731195754ce428323de

SHA512
480da1ca7b210603c9cd766a17656a5721970ab46e52db19d5db9de3d511f5ade77d1cff1680c0ea27b7448f6c1b144937e7912c23b32532150674c5c399df9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
469fc5c79fc000917a3915baaba1fc81

SHA1
51252b4ae1e5d963f3006b481da394e19e94cc13

SHA256
5bafaf577e2db335a9f38f2093b3d8a4fad70281383d82af0d0f5c5306c0425e

SHA512
551a66a1d9e4ae8ee1568f2693a64db86ce4e372312145ed76275dcb14ff7a23e569bc941e3dc3e50ad2be4e37ca26732b5145cc1b01aa8decf1430b826433d0

Download Submit
C:\Users\Admin\Downloads\Kapu.rar

Filesize
1.8MB

MD5
497559c7da42d291b179936f1d608fb5

SHA1
f5b616773d984e2489bc270aa8ecf38d64fef748

SHA256
4ed2225098284e9ddb3a637faf40e8a68de6df9c82befdd2f24884e5f6b2e94f

SHA512
91cf75439990bdf2241bbd2ca6ecc53d6b061c78172967596d442d2655b8a5ff40c1f4f2474123006168a7507321ba4a56b95cc223eb9ca41adcde41b996c07b

Download Submit
C:\Users\Admin\Downloads\Kapu\Sentlog.dll

Filesize
125KB

MD5
181f3e3d0c509566283156816eb317ca

SHA1
400debdd4fb9ae24719157132a87c4bfeff7fa6c

SHA256
db0a4c4a21a1ba0937d1c22095c2b0702422efd4c7a41aaa577608288a2e69fc

SHA512
039d5a0013d6f0e916a86baa95452d79d4524f5c83b913170daa73e1333b2d424c0d9a74193e71ede3a0866b778781c57993806baa08833d11df825626e6d667

Download Submit
C:\Users\Admin\Downloads\Loader.exe

Filesize
338KB

MD5
ba45e7f0646e42d0497e6a0fdb83f051

SHA1
cb2201b4e6e3c1b1fbeb328f46b55ff215a136ff

SHA256
30e30197a1e107aa4428da00151575e3774c46372a5d39bcf3103b983818a42d

SHA512
04b1f027c5f11444e271635d57abbb6a14ce86b2122335d94afad2f958fbacbd01bc1714dab770e177b74cba616e4abd1fb849882816467293cd70d9f5c39505

Download Submit
memory/2676-253-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/2676-252-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/3076-255-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3076-257-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download