blackguard | hxxps://github[.]com/not-seil/fudzi[.]app/raw/main/donotwatch[.]exe

Resubmissions

03-07-2024 06:45

240703-hjh8jswaml 10

02-07-2024 14:50

240702-r71beaxdre 8

02-07-2024 14:46

240702-r5jwms1gjl 10

Analysis

max time kernel
42s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe

Score

10^/10

blackguard persistence spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

donotwatch.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	donotwatch.exe

Executes dropped EXE 2 IoCs

Processes:

donotwatch.exeSkyperr_protected.exe

pid process

2912 donotwatch.exe
4928 Skyperr_protected.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2912	donotwatch.exe
4928	Skyperr_protected.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Skyperr_protected.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\%Program Files%\\Skyperr_protected.exe\""	Skyperr_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 raw.githubusercontent.com
14 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

67 api.ipify.org
69 freegeoip.app
70 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Skyperr_protected.exe

pid process

4928 Skyperr_protected.exe

flow	ioc
15	raw.githubusercontent.com
14	raw.githubusercontent.com

flow	ioc
67	api.ipify.org
69	freegeoip.app
70	freegeoip.app

pid	process
4928	Skyperr_protected.exe

Drops file in Program Files directory 4 IoCs

Processes:

donotwatch.exe

description	ioc	process
File opened for modification	C:\Program Files\%Program Files%	donotwatch.exe
File created	C:\Program Files\%Program Files%\__tmp_rar_sfx_access_check_240629390	donotwatch.exe
File created	C:\Program Files\%Program Files%\Skyperr_protected.exe	donotwatch.exe
File opened for modification	C:\Program Files\%Program Files%\Skyperr_protected.exe	donotwatch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3580 4928 WerFault.exe Skyperr_protected.exe

pid	pid_target	process	target process
3580	4928	WerFault.exe	Skyperr_protected.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644052083170927"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exeSkyperr_protected.exetaskmgr.exe

pid	process
4780	chrome.exe
4780	chrome.exe
4928	Skyperr_protected.exe
4928	Skyperr_protected.exe
4928	Skyperr_protected.exe
4928	Skyperr_protected.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4780 chrome.exe
4780 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeSkyperr_protected.exe

description	pid	process
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeDebugPrivilege	4928	Skyperr_protected.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe
Token: SeCreatePagefilePrivilege	4780	chrome.exe
Token: SeShutdownPrivilege	4780	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4780	chrome.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe
4380	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Skyperr_protected.exe

pid process

4928 Skyperr_protected.exe

pid	process
4928	Skyperr_protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4780 wrote to memory of 2968	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 2968	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4988	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 2656	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 2656	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe
PID 4780 wrote to memory of 4752	4780	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2847ab58,0x7ffc2847ab68,0x7ffc2847ab78
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:2
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:1
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:1
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4708 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:1364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8
2⤵
PID:2936

C:\Users\Admin\Downloads\donotwatch.exe
"C:\Users\Admin\Downloads\donotwatch.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:2912

C:\Program Files\%Program Files%\Skyperr_protected.exe
"C:\Program Files\%Program Files%\Skyperr_protected.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1820
4⤵
- Program crash
PID:3580

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
1⤵
PID:1064

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\%Program Files%\Skyperr_protected.exe

Filesize
1.2MB

MD5
3b6fc56278c4cc78d120ae23a0dd88c4

SHA1
7c0e2373f5aa592235439067ed2c43599537a524

SHA256
477ef21d4f261a396bce4a66422ae1f36fefca9eb45b142e526eb0f95b6ecf99

SHA512
8c5f0ebcf093f65474cb6bc37a9a8157bb80790b7974d793a10c5f3f83f69db47e5f733566dce06bb96493b9a9a9407e4f4fd12f9516e0a32657638fc7d4ca51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4fcfa67f-bbea-49de-9121-f9d2f5852bdd.tmp

Filesize
7KB

MD5
850a027a23b45ba4f879dcaff05abbc7

SHA1
2bbfe6087ba59c44032adcf976247f3b3809d58d

SHA256
304ab347eff83dd0835ca490282b83f6a3abb3eef8716868c741f62b233536f6

SHA512
ab911663ce841aafdcbe1405992691230a20d08780f8229241bcbc60b58087e19e6872cccee68153d0c07457cddf7c19600be992e8e6ea912c345ef0cad51cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4bf8bebf6c50603841cb1148966909dd

SHA1
cad6682dcf3206e2130e69ffc248785fb2e7f955

SHA256
c1305edf9406898c8276fea5dfcc1d4da17bf9dfdaf243c3731e7d47c7480bbb

SHA512
92a4fbaa64837be42974a7f446270dae4a72934b64520d32d37c6e9b331984406bb77a43374ad3f231a146ee346f36c14e2781be144e8c8789d6476669c5d4ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
637c16b230c78d0b4726ec97182d3b80

SHA1
2ecdea7225f22ab194952174c3a25148fe738a85

SHA256
93a6479af50850a994323aaeabd50aa7b0f4c21477073d252b2edfe68c03aadd

SHA512
cdec398986a30560beddc23dd7e4533c8605706afac8e80e7e4410ae877787cf11de6fdb45b4b43a0b5bdc97777d8ce8156c42f0a47b440bdf46958b01794912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6065e54c73171154c89d0ccdb6a6ea3c

SHA1
57c202c0229edf5b01460eb9691d47250183726f

SHA256
b15e1f4ec215636f81b241793f164badc9670c08e077fee2b910b1cf92181f65

SHA512
781a75a6fcd07b577ea8c5f7f5d5ec14d6735202636e5fd7e6d4b0ca5e78323394124e00639938e5a01ace0fb85660a96ede98dd63346dcf730f073322954145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a76a3334adf76bc39fa8c0ac217c3907

SHA1
3eb9cf57d4abda461da19429dc6a8c5a88a9d7e6

SHA256
4735f62169e3c6dc8822abef0404e1692cf25e47a5a9853e3fa8051314512a68

SHA512
470fb9dfa7ace34f1c0634e5eff54ab00f5f2749652b92c18a2de1562b3f7d1091a6ef5b3b790e9a9f029505ffeca40e365432382bfd46690044b3c43337e8bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
d4fa592707b2b1b684359526ff197f90

SHA1
b68143a2410bdde3a64933cb6b98395db6f72da0

SHA256
ef70fffedaf686fde4a4be7ecb019a117a18c3d24ea657ea40b4e0a27d526a00

SHA512
33748a53777d945418dfb334d30a689fdb4b9f2a74cbe3d7a72b0907c9ce3c4910514f0b38cd0af50eb4f8e766924450f5b9df02c551a88d7b975d2c67a390a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
b621f30e941a8ccb7ba9e7611ea91b56

SHA1
9b5a760e1bb85a1fa2f3f7cfc1f390056765991d

SHA256
e2fae375357bc738a40408126cea4257283fdb317c7c5dd109bd9fc3fa63d078

SHA512
d551d97d43fe3b5bce0c991c6794ca50b13d080976c48cd71a29a5e04a66663b86d6ab8bba80fecdd3bad84e2140dcaa06d1dbb1edfec6751d90da72faf47747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57dc46.TMP

Filesize
94KB

MD5
603e9f21e7d00f87bf3dd15409c51fea

SHA1
aaf94852c8f0190784349d80ee1898a6eb3a8249

SHA256
e289aa004fcc8af6f4c1cc57e967608f45623c2b867e52aba3f2bdbf1190d266

SHA512
13c2674ffa294ffb2b00d1b10d19aef764ff6e3d8f6db83cd33ba60a33ea955f24d4052c7b8d458fbf6a426918c0df8f0e65eebd252235c1f5654f92ea10047e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 51368.crdownload

Filesize
1.6MB

MD5
b3d51f7547f5ca01471dafccce25a7b4

SHA1
f51775c48540a6805ffd0e9a87bab045d5c67c07

SHA256
1dfb0c02777894980aab7de14a7c4275292f3203073c7757fe22249820f7337e

SHA512
8d146f34c9f0f6dd5aa6f828dcc7cb4204b38127751be7391ab966a9884eecc5c3700d1e81bb5fb2f9ef01ed8244a00fbaa4128647e7550bcddf05d927b12dcb

Download Submit
\??\pipe\crashpad_4780_QSZWFQXGGDGEQAMA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4380-311-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-305-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-306-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-307-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-317-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-316-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-315-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-314-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-313-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4380-312-0x0000024EE5A20000-0x0000024EE5A21000-memory.dmp

Filesize
4KB

Download
memory/4928-244-0x0000000000A50000-0x0000000000E08000-memory.dmp

Filesize
3.7MB

Download
memory/4928-279-0x0000000000A50000-0x0000000000E08000-memory.dmp

Filesize
3.7MB

Download
memory/4928-243-0x0000000000A50000-0x0000000000E08000-memory.dmp

Filesize
3.7MB

Download