hxxps://anonfiles[.]com/xdodBbYau1/FDO_zip

Analysis

max time kernel
159s
max time network
159s
platform
windows7_x64
resource
win7-en-20211104
submitted
02-12-2021 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/xdodBbYau1/FDO_zip

Score

10^/10

coreentity

Malware Config

Signatures

CoreEntity .NET Packer 12 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
C:\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity
C:\Users\Admin\Downloads\FDO\FinderOuter.exe	coreentity

Executes dropped EXE 1 IoCs

Processes:

FinderOuter.exe

pid process

2124 FinderOuter.exe
Loads dropped DLL 15 IoCs

Processes:

FinderOuter.exe

pid process

1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
2124 FinderOuter.exe
2124 FinderOuter.exe
2124 FinderOuter.exe
2124 FinderOuter.exe
2124 FinderOuter.exe

pid	process
2124	FinderOuter.exe

pid	process
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
2124	FinderOuter.exe
2124	FinderOuter.exe
2124	FinderOuter.exe
2124	FinderOuter.exe
2124	FinderOuter.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exe

pid process

2024 chrome.exe
1512 chrome.exe
1512 chrome.exe
2404 chrome.exe
2736 chrome.exe
3060 chrome.exe

pid	process
2024	chrome.exe
1512	chrome.exe
1512	chrome.exe
2404	chrome.exe
2736	chrome.exe
3060	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7zG.exeAUDIODG.EXE

description	pid	process
Token: SeRestorePrivilege	2208	7zG.exe
Token: 35	2208	7zG.exe
Token: SeSecurityPrivilege	2208	7zG.exe
Token: SeSecurityPrivilege	2208	7zG.exe
Token: 33	2456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2456	AUDIODG.EXE
Token: 33	2456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2456	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of SendNotifyMessage 56 IoCs

Processes:

chrome.exe

pid	process
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe
1512	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1512 wrote to memory of 684	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 684	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 684	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 648	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 2024	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 2024	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 2024	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe
PID 1512 wrote to memory of 1412	1512	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://anonfiles.com/xdodBbYau1/FDO_zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65d4f50,0x7fef65d4f60,0x7fef65d4f70
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1172 /prefetch:2
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1376 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1788 /prefetch:8
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3028 /prefetch:2
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1520 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3372 /prefetch:8
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3336 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:1
2⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3472 /prefetch:8
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:8
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3780 /prefetch:8
2⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1152,6917378449920720863,13440993587218161234,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
2⤵
PID:1756

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FDO\" -spe -an -ai#7zMap24307:68:7zEvent4074
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x57c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Users\Admin\Downloads\FDO\FinderOuter.exe
"C:\Users\Admin\Downloads\FDO\FinderOuter.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\FDO.zip
MD5
66fc5787723f21792c0ce37813cf3d51

SHA1
b673333bf70830fa40fe8a279ab21f6d02cb51a6

SHA256
7673c11a0afe4cf669b884b0378a1b4486d33e0ad92289fa3828724399a2ac3e

SHA512
b798a508785c275f364cbea315754fba4a49479ad3a97e68816ef8022a062d10b489cbc3a78447b12173b743702998cfa12b90c3f94e1de00298bf1af556f202

Download Submit
C:\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
C:\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
C:\Users\Admin\Downloads\FDO\clrcompression.dll
MD5
5b792eca9dca0f9b3e8fcfae0cff23a7

SHA1
5af12b98aaa2668072cc7196e160db3df822b914

SHA256
49f9a75ec20c3a40c73ebccc008ad82c27e63db79e84d00e6132cd9727fbf677

SHA512
51feb970ec703a5e9713b2ac4a09b324ad15c3266cc75449aeb872f7a175d971b692769d44901fbca4210ffc5dd360ff13e5073dd8ea50626122cedd42997d26

Download Submit
C:\Users\Admin\Downloads\FDO\clrjit.dll
MD5
59596a272009239a84c79938890f0d33

SHA1
635d1a1ef91249f44efb7d0a379a0c41f43ea942

SHA256
3f9b09169741e045f5a655dcc910d4d32d7d8937617ac82300681fcbd1e7828b

SHA512
78ff876154ee907e64d984d3a0c16392616c7005c6dd1c61109ea0ad590b8a0393c64c8664be1c1aa458d90a9a16cfd153379a2d6e87541df1d2fb7523194009

Download Submit
C:\Users\Admin\Downloads\FDO\coreclr.dll
MD5
c07d8cd07ef8d8dc6f1ee9dfab3c6f4c

SHA1
28b7613d4e14a6288127cf88a10e7d492835837d

SHA256
327e50b959bd57bb25a5f32c37c336a3bd513dac78fa0577ac9f1841623ea297

SHA512
f77c66b32e60530121ed76d09151ea89176b6879351f52853bd74a40b425d581a38cb441c5de5cfc45e5371516736ea914f691a233793cf1bf1959b9c7a4ac07

Download Submit
C:\Users\Admin\Downloads\FDO\libHarfBuzzSharp.DLL
MD5
609c9ab55ad9dab96f9f6ff67c94b5bc

SHA1
cf9dc9ca45196f569481b195e39c43bb88df4786

SHA256
a11f01a6ad7c2ba0dac02b1b8d06bbedfcc22db79a3ff8de33e36e55f69a6e98

SHA512
c3fd946365ffd6e7ebe7b6a4438723f8b8318e26ea40f451d32651e495fdd49a5f46645836fae21d9e84893eb5164dac7579fc33bc21ec7b02265714c497d266

Download Submit
C:\Users\Admin\Downloads\FDO\libSkiaSharp.DLL
MD5
b3c6148249fd8a26acb1b8376c5ade01

SHA1
d7429bd3ff2940061c3f53b4da355e5cfea551ad

SHA256
1c7d232c7bc1ec438d10879b448808839493254d55e708d6addf14c8cccf83b6

SHA512
a180dce5ffc4a388abed5ac85cb933d2975e689f30838fec4995a288048fc0615867572e81615f775ca6829d9416322184a2ca6e30eab99c0f1c76543617bb87

Download Submit
\??\pipe\crashpad_1512_OBSNQGVULUXEHXJN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\FinderOuter.exe
MD5
bbaf03b75244efc4b01e3c3a0f08d3ac

SHA1
8a049856448bfe351af4e9fc622be247ea07aac5

SHA256
818c9139b4d003773f23d499cd64311d4c44c7893193775b0458abbf71828dfb

SHA512
64f5b72262bf79f15c5071a395fa6af1e0908924d884fdf295635799ab662ea4c4bf466eec56a39eb769c5e6462271dc519f685f4344dcba63c0ec401ee3413a

Download Submit
\Users\Admin\Downloads\FDO\clrcompression.dll
MD5
5b792eca9dca0f9b3e8fcfae0cff23a7

SHA1
5af12b98aaa2668072cc7196e160db3df822b914

SHA256
49f9a75ec20c3a40c73ebccc008ad82c27e63db79e84d00e6132cd9727fbf677

SHA512
51feb970ec703a5e9713b2ac4a09b324ad15c3266cc75449aeb872f7a175d971b692769d44901fbca4210ffc5dd360ff13e5073dd8ea50626122cedd42997d26

Download Submit
\Users\Admin\Downloads\FDO\clrjit.dll
MD5
59596a272009239a84c79938890f0d33

SHA1
635d1a1ef91249f44efb7d0a379a0c41f43ea942

SHA256
3f9b09169741e045f5a655dcc910d4d32d7d8937617ac82300681fcbd1e7828b

SHA512
78ff876154ee907e64d984d3a0c16392616c7005c6dd1c61109ea0ad590b8a0393c64c8664be1c1aa458d90a9a16cfd153379a2d6e87541df1d2fb7523194009

Download Submit
\Users\Admin\Downloads\FDO\coreclr.dll
MD5
c07d8cd07ef8d8dc6f1ee9dfab3c6f4c

SHA1
28b7613d4e14a6288127cf88a10e7d492835837d

SHA256
327e50b959bd57bb25a5f32c37c336a3bd513dac78fa0577ac9f1841623ea297

SHA512
f77c66b32e60530121ed76d09151ea89176b6879351f52853bd74a40b425d581a38cb441c5de5cfc45e5371516736ea914f691a233793cf1bf1959b9c7a4ac07

Download Submit
\Users\Admin\Downloads\FDO\libHarfBuzzSharp.dll
MD5
609c9ab55ad9dab96f9f6ff67c94b5bc

SHA1
cf9dc9ca45196f569481b195e39c43bb88df4786

SHA256
a11f01a6ad7c2ba0dac02b1b8d06bbedfcc22db79a3ff8de33e36e55f69a6e98

SHA512
c3fd946365ffd6e7ebe7b6a4438723f8b8318e26ea40f451d32651e495fdd49a5f46645836fae21d9e84893eb5164dac7579fc33bc21ec7b02265714c497d266

Download Submit
\Users\Admin\Downloads\FDO\libSkiaSharp.dll
MD5
b3c6148249fd8a26acb1b8376c5ade01

SHA1
d7429bd3ff2940061c3f53b4da355e5cfea551ad

SHA256
1c7d232c7bc1ec438d10879b448808839493254d55e708d6addf14c8cccf83b6

SHA512
a180dce5ffc4a388abed5ac85cb933d2975e689f30838fec4995a288048fc0615867572e81615f775ca6829d9416322184a2ca6e30eab99c0f1c76543617bb87

Download Submit
memory/2208-56-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download