poullight | hxxps://fumacrom[.]com/1UFQf

General

Target

https://fumacrom.com/1UFQf
Sample

210728-z83qnm42as

Score

10^/10

poullight spyware stealer suricata trojan

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 5040 created 4124	5040	WerFault.exe	build_protected.exe
PID 1200 created 780	1200	WerFault.exe	build_protected.exe
PID 4596 created 4764	4596	WerFault.exe	build_protected.exe
PID 4416 created 1848	4416	WerFault.exe	build_protected.exe
PID 4764 created 900	4764	WerFault.exe	build_protected.exe

suricata: ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Executes dropped EXE 11 IoCs

Processes:

CODWCheats.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exebuild_protected.sfx.exebuild_protected.exe

pid	process
4416	CODWCheats.exe
4544	build_protected.sfx.exe
4124	build_protected.exe
5084	build_protected.sfx.exe
780	build_protected.exe
1676	build_protected.sfx.exe
4764	build_protected.exe
5028	build_protected.sfx.exe
1848	build_protected.exe
1676	build_protected.sfx.exe
900	build_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

build_protected.exebuild_protected.exebuild_protected.exebuild_protected.exebuild_protected.exe

pid	process
4124	build_protected.exe
4124	build_protected.exe
4124	build_protected.exe
780	build_protected.exe
780	build_protected.exe
780	build_protected.exe
4764	build_protected.exe
4764	build_protected.exe
1848	build_protected.exe
1848	build_protected.exe
900	build_protected.exe
900	build_protected.exe
1848	build_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5040	4124	WerFault.exe	build_protected.exe
1200	780	WerFault.exe	build_protected.exe
4596	4764	WerFault.exe	build_protected.exe
4416	1848	WerFault.exe	build_protected.exe
4764	900	WerFault.exe	build_protected.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

CODWCheats.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	CODWCheats.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	CODWCheats.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exebuild_protected.exebuild_protected.exeWerFault.exeWerFault.exechrome.exebuild_protected.exeWerFault.exe

pid	process
3976	chrome.exe
3976	chrome.exe
656	chrome.exe
656	chrome.exe
4912	chrome.exe
4912	chrome.exe
4776	chrome.exe
4776	chrome.exe
4204	chrome.exe
4204	chrome.exe
972	chrome.exe
972	chrome.exe
4496	chrome.exe
4496	chrome.exe
4124	build_protected.exe
4124	build_protected.exe
780	build_protected.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
5040	WerFault.exe
780	build_protected.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
1200	WerFault.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4672	chrome.exe
4764	build_protected.exe
4764	build_protected.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe
4596	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

2876 7zFM.exe
4152 taskmgr.exe

pid	process
2876	7zFM.exe
4152	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

build_protected.exe7zFM.exebuild_protected.exeWerFault.exeWerFault.exebuild_protected.exeWerFault.exetaskmgr.exebuild_protected.exebuild_protected.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4124	build_protected.exe
Token: SeRestorePrivilege	2876	7zFM.exe
Token: 35	2876	7zFM.exe
Token: SeDebugPrivilege	780	build_protected.exe
Token: SeRestorePrivilege	5040	WerFault.exe
Token: SeBackupPrivilege	5040	WerFault.exe
Token: SeDebugPrivilege	5040	WerFault.exe
Token: SeDebugPrivilege	1200	WerFault.exe
Token: SeDebugPrivilege	4764	build_protected.exe
Token: SeDebugPrivilege	4596	WerFault.exe
Token: SeDebugPrivilege	4152	taskmgr.exe
Token: SeSystemProfilePrivilege	4152	taskmgr.exe
Token: SeCreateGlobalPrivilege	4152	taskmgr.exe
Token: SeDebugPrivilege	1848	build_protected.exe
Token: SeDebugPrivilege	900	build_protected.exe
Token: SeDebugPrivilege	4416	WerFault.exe
Token: SeDebugPrivilege	4764	WerFault.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exetaskmgr.exe

pid	process
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
656	chrome.exe
2876	7zFM.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
656	chrome.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

CODWCheats.exebuild_protected.exebuild_protected.exebuild_protected.exebuild_protected.exebuild_protected.exe

pid	process
4416	CODWCheats.exe
4416	CODWCheats.exe
4124	build_protected.exe
780	build_protected.exe
4764	build_protected.exe
1848	build_protected.exe
900	build_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 656 wrote to memory of 2368	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 2368	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3888	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3976	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 3976	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe
PID 656 wrote to memory of 416	656	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://fumacrom.com/1UFQf
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0x64,0xd4,0x7ffa8d2d4f50,0x7ffa8d2d4f60,0x7ffa8d2d4f70
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
2⤵
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4976 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3468 /prefetch:8
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6668 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff79ad7a890,0x7ff79ad7a8a0,0x7ff79ad7a8b0
3⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
2⤵
PID:428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
2⤵
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6280 /prefetch:8
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:8
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6112 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3228 /prefetch:8
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6864 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6888 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6900 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7252 /prefetch:8
2⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:8
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:8
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7740 /prefetch:8
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7864 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7992 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8004 /prefetch:8
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8388 /prefetch:8
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7852 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
2⤵
PID:4368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5832 /prefetch:8
2⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8612 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7640 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7520 /prefetch:8
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3592 /prefetch:8
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Users\Admin\Downloads\CODWCheats.exe
"C:\Users\Admin\Downloads\CODWCheats.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
3⤵
- Executes dropped EXE
PID:4544

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1244
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7804 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3632 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3632 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,11284642186543095639,7308837217489689731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
2⤵
PID:4580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0
1⤵
PID:4668

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2876

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1136
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1148
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:5028

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 2360
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Users\Admin\Desktop\build_protected.sfx.exe
"C:\Users\Admin\Desktop\build_protected.sfx.exe"
1⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\build_protected.exe
"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1360
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
9947d74fefef8e66c031a7cd02e805a9

SHA1
c979d570c6fc73a05b8c7fcfba939b9fdcff3bd1

SHA256
969ce7badc6462fb7c6a96e4a51703cb43b5fac5899b277fbb3b64c61a26c93c

SHA512
13e2c1a6e2a233d546d91f56e0646963078ceec604904265d7be9c007431241955b1693a2d3e97ab380513ce50d12d89c12fde0d991f2fcb59add4f07f37f490

Download Submit
\??\pipe\crashpad_656_CVMLRNVUUMAJXXJH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/368-262-0x0000000000000000-mapping.dmp

Download
memory/416-130-0x0000000000000000-mapping.dmp

Download
memory/428-256-0x0000000000000000-mapping.dmp

Download
memory/780-525-0x0000000005570000-0x0000000005A6E000-memory.dmp

Filesize
5.0MB

Download
memory/840-318-0x0000000000000000-mapping.dmp

Download
memory/856-159-0x0000000000000000-mapping.dmp

Download
memory/900-586-0x00000000061D0000-0x00000000066CE000-memory.dmp

Filesize
5.0MB

Download
memory/1056-154-0x0000000000000000-mapping.dmp

Download
memory/1168-366-0x0000000000000000-mapping.dmp

Download
memory/1284-223-0x0000000000000000-mapping.dmp

Download
memory/1284-387-0x0000000000000000-mapping.dmp

Download
memory/1848-578-0x0000000005F60000-0x000000000645E000-memory.dmp

Filesize
5.0MB

Download
memory/1868-140-0x0000000000000000-mapping.dmp

Download
memory/2052-283-0x0000000000000000-mapping.dmp

Download
memory/2284-144-0x0000000000000000-mapping.dmp

Download
memory/2300-286-0x0000000000000000-mapping.dmp

Download
memory/2368-116-0x0000000000000000-mapping.dmp

Download
memory/3112-147-0x0000000000000000-mapping.dmp

Download
memory/3156-136-0x0000000000000000-mapping.dmp

Download
memory/3168-377-0x0000000000000000-mapping.dmp

Download
memory/3228-474-0x0000000000000000-mapping.dmp

Download
memory/3344-361-0x0000000000000000-mapping.dmp

Download
memory/3648-454-0x0000000000000000-mapping.dmp

Download
memory/3648-351-0x0000000000000000-mapping.dmp

Download
memory/3728-356-0x0000000000000000-mapping.dmp

Download
memory/3876-238-0x0000000000000000-mapping.dmp

Download
memory/3888-121-0x0000000000000000-mapping.dmp

Download
memory/3888-124-0x00007FFA983C0000-0x00007FFA983C1000-memory.dmp

Filesize
4KB

Download
memory/3976-122-0x0000000000000000-mapping.dmp

Download
memory/4072-291-0x0000000000000000-mapping.dmp

Download
memory/4124-506-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4124-511-0x0000000005450000-0x000000000594E000-memory.dmp

Filesize
5.0MB

Download
memory/4148-372-0x0000000000000000-mapping.dmp

Download
memory/4204-466-0x0000000000000000-mapping.dmp

Download
memory/4204-308-0x0000000000000000-mapping.dmp

Download
memory/4208-303-0x0000000000000000-mapping.dmp

Download
memory/4264-176-0x0000000000000000-mapping.dmp

Download
memory/4268-323-0x0000000000000000-mapping.dmp

Download
memory/4280-313-0x0000000000000000-mapping.dmp

Download
memory/4280-180-0x0000000000000000-mapping.dmp

Download
memory/4284-434-0x0000000000000000-mapping.dmp

Download
memory/4292-426-0x0000000000000000-mapping.dmp

Download
memory/4296-412-0x0000000000000000-mapping.dmp

Download
memory/4328-331-0x0000000000000000-mapping.dmp

Download
memory/4368-419-0x0000000000000000-mapping.dmp

Download
memory/4384-228-0x0000000000000000-mapping.dmp

Download
memory/4420-407-0x0000000000000000-mapping.dmp

Download
memory/4436-233-0x0000000000000000-mapping.dmp

Download
memory/4460-252-0x0000000000000000-mapping.dmp

Download
memory/4472-248-0x0000000000000000-mapping.dmp

Download
memory/4472-341-0x0000000000000000-mapping.dmp

Download
memory/4492-243-0x0000000000000000-mapping.dmp

Download
memory/4544-191-0x0000000000000000-mapping.dmp

Download
memory/4560-328-0x0000000000000000-mapping.dmp

Download
memory/4604-445-0x0000000000000000-mapping.dmp

Download
memory/4608-336-0x0000000000000000-mapping.dmp

Download
memory/4624-382-0x0000000000000000-mapping.dmp

Download
memory/4632-400-0x0000000000000000-mapping.dmp

Download
memory/4736-278-0x0000000000000000-mapping.dmp

Download
memory/4756-395-0x0000000000000000-mapping.dmp

Download
memory/4764-553-0x00000000053C0000-0x00000000058BE000-memory.dmp

Filesize
5.0MB

Download
memory/4776-274-0x0000000000000000-mapping.dmp

Download
memory/4788-198-0x0000000000000000-mapping.dmp

Download
memory/4796-392-0x0000000000000000-mapping.dmp

Download
memory/4804-257-0x0000000000000000-mapping.dmp

Download
memory/4912-204-0x0000000000000000-mapping.dmp

Download
memory/4964-268-0x0000000000000000-mapping.dmp

Download
memory/5000-208-0x0000000000000000-mapping.dmp

Download
memory/5052-213-0x0000000000000000-mapping.dmp

Download
memory/5104-218-0x0000000000000000-mapping.dmp

Download
memory/5112-298-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads