Resubmissions
03-07-2024 06:45  240703-hjh8jswaml  10
02-07-2024 14:50  240702-r71beaxdre  8
02-07-2024 14:46  240702-r5jwms1gjl  10

Analysis
max time kernel: 42s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 02-07-2024 14:46

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe
Resource: win10v2004-20240508-en

General
Target: https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe
Malware Config
Signatures
BlackGuard
Infostealer first seen in Late 2021.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: donotwatch.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | donotwatch.exe

Executes dropped EXE (2 IoCs)
Processes: donotwatch.exe, Skyperr_protected.exe
  pid | process
  2912 | donotwatch.exe
  4928 | Skyperr_protected.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Skyperr_protected.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\%Program Files%\\Skyperr_protected.exe\"" | Skyperr_protected.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  67 | api.ipify.org
  69 | freegeoip.app
  70 | freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: Skyperr_protected.exe
  pid | process
  4928 | Skyperr_protected.exe

Drops file in Program Files directory (4 IoCs)
Processes: donotwatch.exe
  description | ioc | process
  File opened for modification | C:\Program Files\%Program Files% | donotwatch.exe
  File created | C:\Program Files\%Program Files%\__tmp_rar_sfx_access_check_240629390 | donotwatch.exe
  File created | C:\Program Files\%Program Files%\Skyperr_protected.exe | donotwatch.exe
  File opened for modification | C:\Program Files\%Program Files%\Skyperr_protected.exe | donotwatch.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes: WerFault.exe
  pid | pid_target | process | target process
  3580 | 4928 | WerFault.exe | Skyperr_protected.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
Processes: chrome.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644052083170927" | chrome.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: chrome.exe, Skyperr_protected.exe, taskmgr.exe
  pid | process
  4780 | chrome.exe (x2)
  4928 | Skyperr_protected.exe (x4)
  4380 | taskmgr.exe (x8)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes: chrome.exe
  pid | process
  4780 | chrome.exe (x2)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: chrome.exe, Skyperr_protected.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4780 | chrome.exe (x32)
  Token: SeCreatePagefilePrivilege | 4780 | chrome.exe (x31)
  Token: SeDebugPrivilege | 4928 | Skyperr_protected.exe (x1)
Suspicious use of FindShellTrayWindow (54 IoCs)
Processes: chrome.exe, taskmgr.exe
  pid | process
  4780 | chrome.exe (x34)
  4380 | taskmgr.exe (x20)

Suspicious use of SendNotifyMessage (44 IoCs)
Processes: chrome.exe, taskmgr.exe
  pid | process
  4780 | chrome.exe (x24)
  4380 | taskmgr.exe (x20)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Skyperr_protected.exe
  pid | process
  4928 | Skyperr_protected.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
  description | pid | process | target process
  PID 4780 wrote to memory of 2968 | 4780 | chrome.exe | chrome.exe (x2)
  PID 4780 wrote to memory of 4988 | 4780 | chrome.exe | chrome.exe (x32)
  PID 4780 wrote to memory of 2656 | 4780 | chrome.exe | chrome.exe (x2)
  PID 4780 wrote to memory of 4752 | 4780 | chrome.exe | chrome.exe (x28)
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/not-seil/fudzi.app/raw/main/donotwatch.exe
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2968)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc2847ab58,0x7ffc2847ab68,0x7ffc2847ab78

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4988)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2656)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4752)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4236)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4548)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3040 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5044)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4708 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3000)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2268)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1932)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 536)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1364)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3096)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5284 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2936)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1920,i,16685057161901716528,8490773817016262131,131072 /prefetch:8

    C:\Users\Admin\Downloads\donotwatch.exe (PID 2912)
      "C:\Users\Admin\Downloads\donotwatch.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory

        C:\Program Files\%Program Files%\Skyperr_protected.exe (PID 4928)
          "C:\Program Files\%Program Files%\Skyperr_protected.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\WerFault.exe (PID 3580)
              C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1820
              - Program crash

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe (PID 4660)
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Windows\System32\rundll32.exe (PID 3104)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\WerFault.exe (PID 1064)
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928

C:\Windows\system32\taskmgr.exe (PID 4380)
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: 3b6fc56278c4cc78d120ae23a0dd88c4
SHA1: 7c0e2373f5aa592235439067ed2c43599537a524
SHA256: 477ef21d4f261a396bce4a66422ae1f36fefca9eb45b142e526eb0f95b6ecf99
SHA512: 8c5f0ebcf093f65474cb6bc37a9a8157bb80790b7974d793a10c5f3f83f69db47e5f733566dce06bb96493b9a9a9407e4f4fd12f9516e0a32657638fc7d4ca51

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4fcfa67f-bbea-49de-9121-f9d2f5852bdd.tmp
Filesize: 7KB
MD5: 850a027a23b45ba4f879dcaff05abbc7
SHA1: 2bbfe6087ba59c44032adcf976247f3b3809d58d
SHA256: 304ab347eff83dd0835ca490282b83f6a3abb3eef8716868c741f62b233536f6
SHA512: ab911663ce841aafdcbe1405992691230a20d08780f8229241bcbc60b58087e19e6872cccee68153d0c07457cddf7c19600be992e8e6ea912c345ef0cad51cae

Filesize: 2KB
MD5: 4bf8bebf6c50603841cb1148966909dd
SHA1: cad6682dcf3206e2130e69ffc248785fb2e7f955
SHA256: c1305edf9406898c8276fea5dfcc1d4da17bf9dfdaf243c3731e7d47c7480bbb
SHA512: 92a4fbaa64837be42974a7f446270dae4a72934b64520d32d37c6e9b331984406bb77a43374ad3f231a146ee346f36c14e2781be144e8c8789d6476669c5d4ed

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5: 637c16b230c78d0b4726ec97182d3b80
SHA1: 2ecdea7225f22ab194952174c3a25148fe738a85
SHA256: 93a6479af50850a994323aaeabd50aa7b0f4c21477073d252b2edfe68c03aadd
SHA512: cdec398986a30560beddc23dd7e4533c8605706afac8e80e7e4410ae877787cf11de6fdb45b4b43a0b5bdc97777d8ce8156c42f0a47b440bdf46958b01794912

Filesize: 1KB
MD5: 6065e54c73171154c89d0ccdb6a6ea3c
SHA1: 57c202c0229edf5b01460eb9691d47250183726f
SHA256: b15e1f4ec215636f81b241793f164badc9670c08e077fee2b910b1cf92181f65
SHA512: 781a75a6fcd07b577ea8c5f7f5d5ec14d6735202636e5fd7e6d4b0ca5e78323394124e00639938e5a01ace0fb85660a96ede98dd63346dcf730f073322954145

Filesize: 7KB
MD5: a76a3334adf76bc39fa8c0ac217c3907
SHA1: 3eb9cf57d4abda461da19429dc6a8c5a88a9d7e6
SHA256: 4735f62169e3c6dc8822abef0404e1692cf25e47a5a9853e3fa8051314512a68
SHA512: 470fb9dfa7ace34f1c0634e5eff54ab00f5f2749652b92c18a2de1562b3f7d1091a6ef5b3b790e9a9f029505ffeca40e365432382bfd46690044b3c43337e8bd

Filesize: 129KB
MD5: d4fa592707b2b1b684359526ff197f90
SHA1: b68143a2410bdde3a64933cb6b98395db6f72da0
SHA256: ef70fffedaf686fde4a4be7ecb019a117a18c3d24ea657ea40b4e0a27d526a00
SHA512: 33748a53777d945418dfb334d30a689fdb4b9f2a74cbe3d7a72b0907c9ce3c4910514f0b38cd0af50eb4f8e766924450f5b9df02c551a88d7b975d2c67a390a7

Filesize: 101KB
MD5: b621f30e941a8ccb7ba9e7611ea91b56
SHA1: 9b5a760e1bb85a1fa2f3f7cfc1f390056765991d
SHA256: e2fae375357bc738a40408126cea4257283fdb317c7c5dd109bd9fc3fa63d078
SHA512: d551d97d43fe3b5bce0c991c6794ca50b13d080976c48cd71a29a5e04a66663b86d6ab8bba80fecdd3bad84e2140dcaa06d1dbb1edfec6751d90da72faf47747

Filesize: 94KB
MD5: 603e9f21e7d00f87bf3dd15409c51fea
SHA1: aaf94852c8f0190784349d80ee1898a6eb3a8249
SHA256: e289aa004fcc8af6f4c1cc57e967608f45623c2b867e52aba3f2bdbf1190d266
SHA512: 13c2674ffa294ffb2b00d1b10d19aef764ff6e3d8f6db83cd33ba60a33ea955f24d4052c7b8d458fbf6a426918c0df8f0e65eebd252235c1f5654f92ea10047e

Filesize: 1.6MB
MD5: b3d51f7547f5ca01471dafccce25a7b4
SHA1: f51775c48540a6805ffd0e9a87bab045d5c67c07
SHA256: 1dfb0c02777894980aab7de14a7c4275292f3203073c7757fe22249820f7337e
SHA512: 8d146f34c9f0f6dd5aa6f828dcc7cb4204b38127751be7391ab966a9884eecc5c3700d1e81bb5fb2f9ef01ed8244a00fbaa4128647e7550bcddf05d927b12dcb

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e