poullight | hxxps://mega[.]nz/file/QhZ1QKrB#dmTpOSgCLHs_sP5OnUGWYDwPB-zfB95QKyeonpfbJKE

General

Target

https://mega.nz/file/QhZ1QKrB#dmTpOSgCLHs_sP5OnUGWYDwPB-zfB95QKyeonpfbJKE
Sample

210728-ffpqfgdhxe

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight
suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Executes dropped EXE 7 IoCs

Processes:

CODWCheats.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exe

pid	process
4844	CODWCheats.exe
5060	build_protected.sfx.exe
5064	build_protected.exe
5088	build_protected.sfx.exe
2464	build_protected.exe
4724	build_protected.sfx.exe
4404	build_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

build_protected.exebuild_protected.exebuild_protected.exe

pid	process
5064	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
4404	build_protected.exe
4404	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
4404	build_protected.exe
5064	build_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

CODWCheats.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	CODWCheats.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	CODWCheats.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exebuild_protected.exebuild_protected.exebuild_protected.exe

pid	process
3480	chrome.exe
3480	chrome.exe
632	chrome.exe
632	chrome.exe
4420	chrome.exe
4420	chrome.exe
4736	chrome.exe
4736	chrome.exe
4432	chrome.exe
4432	chrome.exe
5064	build_protected.exe
2464	build_protected.exe
5064	build_protected.exe
2464	build_protected.exe
4404	build_protected.exe
4404	build_protected.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

build_protected.exebuild_protected.exebuild_protected.exe

description	pid	process
Token: SeDebugPrivilege	5064	build_protected.exe
Token: SeDebugPrivilege	2464	build_protected.exe
Token: SeDebugPrivilege	4404	build_protected.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

chrome.exe

pid	process
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe
632	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

CODWCheats.exebuild_protected.exebuild_protected.exebuild_protected.exe

pid process

4844 CODWCheats.exe
4844 CODWCheats.exe
5064 build_protected.exe
2464 build_protected.exe
4404 build_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 632 wrote to memory of 1908	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 1908	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3192	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3480	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 3480	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe
PID 632 wrote to memory of 2788	632	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/QhZ1QKrB#dmTpOSgCLHs_sP5OnUGWYDwPB-zfB95QKyeonpfbJKE
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffafbdb4f50,0x7ffafbdb4f60,0x7ffafbdb4f70
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:2
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 /prefetch:8
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
2⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6368 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6540 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6524 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6628 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6660 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6424 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6652 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6968 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff78199a890,0x7ff78199a8a0,0x7ff78199a8b0
3⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6676 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6668 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7276 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7436 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7532 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7512 /prefetch:8
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7540 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7936 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3408 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4184 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7928 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4076 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8068 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8076 /prefetch:8
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3476 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3500 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7548 /prefetch:8
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3496 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
2⤵
PID:768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,10566525756161095796,5327145254982520921,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
2⤵
PID:5116

C:\Users\Admin\Downloads\CODWCheats.exe
"C:\Users\Admin\Downloads\CODWCheats.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
3⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
PID:4932

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
ecf3cc09e7d2082814a239cd56c5b15d

SHA1
4606a8f3967d475c1efbb06bba5c1cd48bcb7704

SHA256
c860156e85da0b04ea46c12387c9e4d719cd3f8346f3d377a0784d200a6f1e83

SHA512
9c1dace836e43a1d818ba5e47cdd305164a3af90e634beb5bfaec28f77740cc80d91a6206d050e48906b9a07dfa3e7054735452921c91f17c7de266cb3b8bc6d

Download Submit
C:\Users\Admin\Downloads\CODWCheats.exe
MD5
2c7c0b89e187bac9cea3c0c285591852

SHA1
5999c0c5086ecd7f71de61b565068d12f3291ef7

SHA256
33314a958e790feedb53ae8cc727e2b8c737084f5ea5d66138924ae94aa571d4

SHA512
56b03915330e59347a6c2b81dcb99cb988a859787563d8bf2582d7823f642d532e5fa2f93606bf0e25bc47024ff2ee2c4a4248c31e8096d8f32080dd38c4e454

Download Submit
C:\Users\Admin\Downloads\CODWCheats.exe
MD5
2c7c0b89e187bac9cea3c0c285591852

SHA1
5999c0c5086ecd7f71de61b565068d12f3291ef7

SHA256
33314a958e790feedb53ae8cc727e2b8c737084f5ea5d66138924ae94aa571d4

SHA512
56b03915330e59347a6c2b81dcb99cb988a859787563d8bf2582d7823f642d532e5fa2f93606bf0e25bc47024ff2ee2c4a4248c31e8096d8f32080dd38c4e454

Download Submit
\??\pipe\crashpad_632_DAEGYXLUUGZRNZMI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/640-153-0x0000000000000000-mapping.dmp

Download
memory/768-426-0x0000000000000000-mapping.dmp

Download
memory/804-266-0x0000000000000000-mapping.dmp

Download
memory/936-137-0x0000000000000000-mapping.dmp

Download
memory/1020-140-0x0000000000000000-mapping.dmp

Download
memory/1328-144-0x0000000000000000-mapping.dmp

Download
memory/1820-149-0x0000000000000000-mapping.dmp

Download
memory/1908-116-0x0000000000000000-mapping.dmp

Download
memory/1944-396-0x0000000000000000-mapping.dmp

Download
memory/2148-243-0x0000000000000000-mapping.dmp

Download
memory/2148-406-0x0000000000000000-mapping.dmp

Download
memory/2148-329-0x0000000000000000-mapping.dmp

Download
memory/2464-456-0x0000000000000000-mapping.dmp

Download
memory/2464-462-0x00000000053F0000-0x00000000058EE000-memory.dmp

Filesize
5.0MB

Download
memory/2788-128-0x0000000000000000-mapping.dmp

Download
memory/3192-124-0x00007FFB04C60000-0x00007FFB04C61000-memory.dmp

Filesize
4KB

Download
memory/3192-121-0x0000000000000000-mapping.dmp

Download
memory/3480-122-0x0000000000000000-mapping.dmp

Download
memory/3668-160-0x0000000000000000-mapping.dmp

Download
memory/3860-361-0x0000000000000000-mapping.dmp

Download
memory/3864-376-0x0000000000000000-mapping.dmp

Download
memory/3884-416-0x0000000000000000-mapping.dmp

Download
memory/4036-420-0x0000000000000000-mapping.dmp

Download
memory/4100-339-0x0000000000000000-mapping.dmp

Download
memory/4100-403-0x0000000000000000-mapping.dmp

Download
memory/4132-294-0x0000000000000000-mapping.dmp

Download
memory/4164-246-0x0000000000000000-mapping.dmp

Download
memory/4228-334-0x0000000000000000-mapping.dmp

Download
memory/4284-309-0x0000000000000000-mapping.dmp

Download
memory/4332-179-0x0000000000000000-mapping.dmp

Download
memory/4344-250-0x0000000000000000-mapping.dmp

Download
memory/4372-304-0x0000000000000000-mapping.dmp

Download
memory/4404-481-0x0000000002DD0000-0x0000000002E62000-memory.dmp

Filesize
584KB

Download
memory/4404-358-0x0000000000000000-mapping.dmp

Download
memory/4404-475-0x0000000000000000-mapping.dmp

Download
memory/4420-254-0x0000000000000000-mapping.dmp

Download
memory/4432-412-0x0000000000000000-mapping.dmp

Download
memory/4556-188-0x0000000000000000-mapping.dmp

Download
memory/4568-366-0x0000000000000000-mapping.dmp

Download
memory/4580-314-0x0000000000000000-mapping.dmp

Download
memory/4584-193-0x0000000000000000-mapping.dmp

Download
memory/4624-386-0x0000000000000000-mapping.dmp

Download
memory/4660-198-0x0000000000000000-mapping.dmp

Download
memory/4700-319-0x0000000000000000-mapping.dmp

Download
memory/4712-203-0x0000000000000000-mapping.dmp

Download
memory/4720-390-0x0000000000000000-mapping.dmp

Download
memory/4736-270-0x0000000000000000-mapping.dmp

Download
memory/4744-381-0x0000000000000000-mapping.dmp

Download
memory/4744-274-0x0000000000000000-mapping.dmp

Download
memory/4764-208-0x0000000000000000-mapping.dmp

Download
memory/4796-371-0x0000000000000000-mapping.dmp

Download
memory/4824-344-0x0000000000000000-mapping.dmp

Download
memory/4828-215-0x0000000000000000-mapping.dmp

Download
memory/4844-439-0x0000000000000000-mapping.dmp

Download
memory/4844-218-0x0000000000000000-mapping.dmp

Download
memory/4848-284-0x0000000000000000-mapping.dmp

Download
memory/4864-279-0x0000000000000000-mapping.dmp

Download
memory/4872-349-0x0000000000000000-mapping.dmp

Download
memory/4968-225-0x0000000000000000-mapping.dmp

Download
memory/5020-230-0x0000000000000000-mapping.dmp

Download
memory/5020-299-0x0000000000000000-mapping.dmp

Download
memory/5040-289-0x0000000000000000-mapping.dmp

Download
memory/5044-235-0x0000000000000000-mapping.dmp

Download
memory/5060-444-0x0000000000000000-mapping.dmp

Download
memory/5064-447-0x0000000000000000-mapping.dmp

Download
memory/5064-451-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/5064-452-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/5064-453-0x0000000003480000-0x0000000003512000-memory.dmp

Filesize
584KB

Download
memory/5064-450-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/5064-448-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5064-463-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/5064-464-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/5100-324-0x0000000000000000-mapping.dmp

Download
memory/5116-433-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads