Overview

Tabs: overview | static (score 8) | analysis

Per-file behavioral results (file names as truncated in the report's sidebar; the full names are in the Behavioral task list below; score is the badge shown beside each entry):
  score  file                   platform
  3      EcoH Clien...er.exe    windows11-21h2-x64
  1      EcoH Clien...al.exe    windows11-21h2-x64
  7      EcoH Client/SDL2.dll   windows11-21h2-x64
  1      EcoH Clien...60.dll    windows11-21h2-x64
  1      EcoH Clien...60.dll    windows11-21h2-x64
  1      EcoH Clien...58.dll    windows11-21h2-x64
  1      EcoH Clien...ry.bat    windows11-21h2-x64
  1      EcoH Clien...ve.exe    windows11-21h2-x64
  1      EcoH Clien...re.exe    windows11-21h2-x64
  1      EcoH Clien...re.dll    windows11-21h2-x64
  1      EcoH Clien...lp.dll    windows11-21h2-x64
  1      EcoH Clien...at.exe    windows11-21h2-x64
  1      EcoH Clien...te.exe    windows11-21h2-x64
  1      EcoH Clien...dk.dll    windows11-21h2-x64
  1      EcoH Clien...dl.dll    windows11-21h2-x64
  1      EcoH Clien...rl.dll    windows11-21h2-x64
  8      EcoH Clien...pe.dll    windows11-21h2-x64
  1      EcoH Clien...gg.dll    windows11-21h2-x64
  1      EcoH Clien...us.dll    windows11-21h2-x64
  1      EcoH Clien...le.dll    windows11-21h2-x64
  1      EcoH Clien...16.dll    windows11-21h2-x64
  1      EcoH Clien...-0.dll    windows11-21h2-x64
  1      EcoH Clien...-1.dll    windows11-21h2-x64
  1      EcoH Clien...07.exe    windows11-21h2-x64
  1      EcoH Clien...ff.exe    windows11-21h2-x64
  1      EcoH Clien...ct.exe    windows11-21h2-x64
  1      EcoH Clien...lp.dll    windows11-21h2-x64
  1      EcoH Clien...e3.dll    windows11-21h2-x64
  1      EcoH Clien...pi.dll    windows11-21h2-x64
  1      EcoH Clien...-4.dll    windows11-21h2-x64
  1      EcoH Clien...-7.dll    windows11-21h2-x64
  1      EcoH Clien...rv.dll    windows11-21h2-x64
Analysis (score 1)
  max time kernel:   274s
  max time network:  279s
  platform:          windows11-21h2_x64
  resource:          win11-20240611-en
  resource tags:     arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         18-06-2024 15:00
Behavioral tasks (one task per file in the archive; Resource is the sandbox image the task ran on)
  task          sample                               resource
  behavioral1   EcoH Client/DDNet-Server.exe         win11-20240508-en
  behavioral2   EcoH Client/Eco-H Revival.exe        win11-20240611-en
  behavioral3   EcoH Client/SDL2.dll                 win11-20240508-en
  behavioral4   EcoH Client/avcodec-60.dll           win11-20240611-en
  behavioral5   EcoH Client/avformat-60.dll          win11-20240508-en
  behavioral6   EcoH Client/avutil-58.dll            win11-20240419-en
  behavioral7   EcoH Client/config_directory.bat     win11-20240508-en
  behavioral8   EcoH Client/config_retrieve.exe      win11-20240508-en
  behavioral9   EcoH Client/config_store.exe         win11-20240611-en
  behavioral10  EcoH Client/dbgcore.dll              win11-20240508-en
  behavioral11  EcoH Client/dbghelp.dll              win11-20240611-en
  behavioral12  EcoH Client/demo_extract_chat.exe    win11-20240611-en
  behavioral13  EcoH Client/dilate.exe               win11-20240508-en
  behavioral14  EcoH Client/discord_game_sdk.dll     win11-20240611-en
  behavioral15  EcoH Client/exchndl.dll              win11-20240611-en
  behavioral16  EcoH Client/libcurl.dll              win11-20240611-en
  behavioral17  EcoH Client/libfreetype.dll          win11-20240419-en
  behavioral18  EcoH Client/libogg.dll               win11-20240611-en
  behavioral19  EcoH Client/libopus.dll              win11-20240611-en
  behavioral20  EcoH Client/libopusfile.dll          win11-20240508-en
  behavioral21  EcoH Client/libpng16-16.dll          win11-20240508-en
  behavioral22  EcoH Client/libssp-0.dll             win11-20240611-en
  behavioral23  EcoH Client/libwinpthread-1.dll      win11-20240611-en
  behavioral24  EcoH Client/map_convert_07.exe       win11-20240508-en
  behavioral25  EcoH Client/map_diff.exe             win11-20240508-en
  behavioral26  EcoH Client/map_extract.exe          win11-20240611-en
  behavioral27  EcoH Client/mgwhelp.dll              win11-20240508-en
  behavioral28  EcoH Client/sqlite3.dll              win11-20240611-en
  behavioral29  EcoH Client/steam_api.dll            win11-20240611-en
  behavioral30  EcoH Client/swresample-4.dll         win11-20240611-en
  behavioral31  EcoH Client/swscale-7.dll            win11-20240419-en
  behavioral32  EcoH Client/symsrv.dll               win11-20240508-en
General (this task: behavioral16)
  Target:  EcoH Client/libcurl.dll
  Size:    511KB
  MD5:     320b4cf812b92d1bb91604e33741d9ae
  SHA1:    1860eb0e6f85a11285cb9e98465ad8f13bac0be6
  SHA256:  9a8038c80c046ca40e27fd1258d761cff67eb78dd19b4bd0d43691b88092ac5b
  SHA512:  a9b0b7bcdced5bbcd5c986d4faaae0e0fc8682c5a701d44db8985b5fdbdc81909a0ea967f15d573255d81f944263b5c6ccd8a4a13402184a1859d184e5bf635e
  SSDEEP:  12288:pteH0CG3V0M0TZN7fbw1Pl713Cv4NijuI1r:ptG0CGSM01N7f8l7132jJr
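Before trusting any of the signatures below, a practitioner usually wants two local checks: that the file in hand is the one the report hashed, and whether a blob flagged as "Downloads MZ/PE file" is really a PE image and, if so, a DLL or an executable. The following Python is an added example written for this page; it is not code from the report or from the EcoH Client project. The hash constant is copied from the General section above; the `build_stub_pe` input is a constructed header-only blob for testing, not a real file.

```python
import hashlib
import struct

# SHA256 of EcoH Client/libcurl.dll as listed in the report's General section.
REPORTED_SHA256 = "9a8038c80c046ca40e27fd1258d761cff67eb78dd19b4bd0d43691b88092ac5b"

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics: image is a DLL
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def inspect_pe(data: bytes) -> dict:
    """Parse the DOS stub and COFF file header of a blob.

    Returns the facts a triage step needs: whether it is a PE at all, the
    target machine, DLL vs EXE, and content hashes. Bounds are checked before
    every read so a truncated or hostile blob cannot raise.
    """
    info = {"is_pe": False, "machine": None, "is_dll": None,
            "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The 4-byte "PE\0\0" signature must be followed by a 20-byte COFF header
    # that lies entirely inside the blob.
    if e_lfanew + 4 + 20 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, _nsections, _stamp, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    info.update(is_pe=True,
                machine=MACHINE_NAMES.get(machine, hex(machine)),
                is_dll=bool(chars & IMAGE_FILE_DLL))
    return info


def matches_report(data: bytes, sha256: str = REPORTED_SHA256) -> bool:
    """True only when the blob is byte-for-byte the file the report analysed."""
    return hashlib.sha256(data).hexdigest() == sha256.lower()


def build_stub_pe(machine: int = 0x8664, characteristics: int = IMAGE_FILE_DLL | 0x0002) -> bytes:
    """Constructed test input: an MZ header whose e_lfanew points at a PE
    signature plus COFF header. It is not loadable; it only exercises the
    header parsing above."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew field
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_stub_pe()
    print(inspect_pe(blob), "matches report:", matches_report(blob))
```

Run it against the extracted `libcurl.dll` to confirm the SHA256 before reading the rest of the report; without a path it inspects the constructed stub so the logic can be exercised offline.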
Malware Config
  (nothing extracted)

Signatures

Reading note: this task ran libcurl.dll on its own through rundll32 (see Processes). The signatures that name chrome.exe, 7z2406-x64.exe, 7zFM.exe, OpenWith.exe or Eco-H Revival.exe were produced by the interactive session in the same VM, in which the EcoH Client archive and the 7-Zip installer were downloaded, 7-Zip was installed, and the archive was unpacked and run. Attribute each signature to its listed process before treating it as behaviour of the submitted DLL.

- Downloads MZ/PE file
  The only PE download recorded in this report is C:\Users\Admin\Downloads\7z2406-x64.exe, written by chrome.exe (see NTFS ADS below).

- Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  The only COM registration recorded here is CLSID {23170F69-40C1-278A-1000-000100020000} ("7-Zip Shell Extension") written under HKLM by 7z2406-x64.exe with InprocServer32 pointing at C:\Program Files\7-Zip\7-zip.dll and 7-zip32.dll (see Modifies registry class). That is the 7-Zip installer's normal registration, not a hijack of an existing object; the signature is a by-product of the operator installing 7-Zip.
- Executes dropped EXE (7 IoCs)
  pid   process
  3440  7z2406-x64.exe
  3508  7z2406-x64.exe
  5572  7z2406-x64.exe
  5900  7z.exe
  5960  7zFM.exe
  3592  Eco-H Revival.exe
  1256  Eco-H Revival.exe

- Loads dropped DLL (24 IoCs)
  pid   process
  5960  7zFM.exe (1 entry)
  3404  (image name not given in the report; 1 entry)
  1256  Eco-H Revival.exe (the remaining 22 entries: the client loading the DLLs bundled beside it in the archive)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   process
  1256  Eco-H Revival.exe
  NtSetInformationThread with ThreadHideFromDebugger (class 0x11) stops the calling thread from delivering debug events to an attached debugger. It is a standard anti-debugging check, common in game clients and anti-cheat as well as in malware, so by itself it is a weak indicator. It is the only signature in this report attributed to Eco-H Revival.exe beyond executing and loading the bundled files.
- Drops file in Program Files directory (64 IoCs)
  Process: 7z2406-x64.exe (two installer instances, so several paths appear twice in the raw list). Every entry is "File opened for modification" under C:\Program Files\7-Zip\:
    7z.exe, 7zFM.exe, 7zG.exe, 7z.dll, 7-zip32.dll, 7z.sfx, 7zCon.sfx, Uninstall.exe, History.txt, readme.txt
    Lang\<code>.txt for: ar, az, ba, bn, ca, co, ext, fi, fr, fur, gl, hi, hu, io, is, it, kaa, kab, kk, ko, ku-ckb, ky, lij, lt, lv, mr, ms, nb, ne, ps, pt, pt-br, ro, ru, sk, sr-spc, sr-spl, sw, tg, th, uk, uz, uz-cyrl, yo
  These are the 7-Zip 24.06 installer's own files; the activity belongs to the interactive session, not to the submitted DLL.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: chrome.exe
    Key opened        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

- Modifies data under HKEY_USERS (2 IoCs)
  Process: chrome.exe
    Key created     \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
    Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631965235420232"
- Modifies registry class (43 IoCs)
  Processes: 7z2406-x64.exe (two instances), OpenWith.exe (two instances), chrome.exe. Grouped below, with the duplicates produced by the second installer run collapsed.

  7z2406-x64.exe, CLSID {23170F69-40C1-278A-1000-000100020000}, written under both \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\ and \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\:
    Key created      {23170F69-40C1-278A-1000-000100020000} and its InprocServer32 subkey
    Set value (str)  (Default) = "7-Zip Shell Extension"
    Set value (str)  InprocServer32\(Default) = "C:\\Program Files\\7-Zip\\7-zip.dll" (64-bit hive) / "C:\\Program Files\\7-Zip\\7-zip32.dll" (WOW6432Node)
    Set value (str)  InprocServer32\ThreadingModel = "Apartment"

  7z2406-x64.exe, shell handler hooks, each a key created with (Default) = "{23170F69-40C1-278A-1000-000100020000}":
    \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip
    \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip
    \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip
    \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip
    \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip

  OpenWith.exe (twice) and chrome.exe (once):
    Key created  \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings
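The COM hijacking signature above fires on registry writes like these, so the useful check is whether an InprocServer32 registration looks like an installer (HKLM, server under Program Files) or like a hijack (per-user CLSID hive shadowing HKLM, server in a user-writable directory). The Python below is an added example for this page, not code from the sandbox or from 7-Zip; it parses IoC lines in the exact form the report prints them. The first two sample lines are copied from the report; the third is a hypothetical hijack-style line with a placeholder all-zero CLSID, a made-up `evil.dll` path and a made-up `sample.exe` process name, included only for contrast.

```python
import re

# Constructed input: the first two lines are copied from the report, the third is
# hypothetical (placeholder CLSID, file and process name) to show a positive hit.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" 7z2406-x64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" 7z2406-x64.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\evil.dll" sample.exe',
]

# Directories an in-process COM server is expected to live in.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that mean a non-admin user could have planted the DLL.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# One IoC line: "<op> <key>[ = "<value>"] <process>"
IOC_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>.*)")? '
    r'(?P<proc>\S+)$')


def parse_ioc(line: str):
    """Split one report line into op, key, value (or None) and process."""
    m = IOC_RE.match(line)
    if not m:
        return None
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")   # the report prints backslashes doubled
    return {"op": m.group("op"), "key": m.group("key").rstrip("\\"),
            "value": value, "proc": m.group("proc")}


def clsid_of(key: str):
    """Extract the {GUID} following a CLSID\\ path component, if any."""
    m = re.search(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})", key)
    return m.group(1).upper() if m else None


def triage_com_registration(lines):
    """Return one finding per InprocServer32 default-value write.

    Per-user CLSID hives (HKU/HKCU take precedence over HKLM at activation time)
    and servers outside Windows/Program Files are the hijack indicators; an HKLM
    registration pointing into Program Files, written by an installer, is expected.
    """
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        if not ioc or ioc["value"] is None:
            continue
        if not ioc["key"].lower().endswith("\\inprocserver32"):
            continue   # ThreadingModel and friendly-name writes are not the server path
        path = ioc["value"].lower()
        reasons = []
        if ioc["key"].upper().startswith("\\REGISTRY\\USER\\"):
            reasons.append("per-user CLSID registration shadows HKLM")
        if not path.startswith(TRUSTED_ROOTS):
            reasons.append("server outside Windows/Program Files")
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("server in a user-writable location")
        findings.append({"clsid": clsid_of(ioc["key"]), "server": ioc["value"],
                         "proc": ioc["proc"], "suspicious": bool(reasons),
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_com_registration(REGISTRY_IOCS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['clsid']} -> {f['server']} (by {f['proc']}) {f['reasons']}")
```

Feed it the raw lines of the "Modifies registry class" block: the two 7-Zip registrations come back clean, and only a per-user or user-writable server path is flagged. On a live host the same rules apply to `HKCU\Software\Classes\CLSID` entries enumerated directly.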
- NTFS ADS (2 IoCs)
  Process: chrome.exe
    File opened for modification C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier
    File opened for modification C:\Users\Admin\Downloads\EcoH Client.rar:Zone.Identifier
  Zone.Identifier is the mark-of-the-web stream a browser writes on a download. These two entries establish that both the 7-Zip installer and the EcoH Client archive were downloaded inside the VM during the interactive session.
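The report only records that chrome.exe wrote the Zone.Identifier streams, not their contents. When triaging the same files on a host, the stream itself tells you the origin zone and usually the download URL. The Python below is an added example for this page (not code from the report or from any project); the sample stream is constructed in the standard `[ZoneTransfer]` INI layout with a placeholder `example.invalid` host, and `read_zone_identifier` only works on Windows/NTFS, where the `:Zone.Identifier` suffix opens the alternate data stream.

```python
# Constructed sample of a Zone.Identifier stream (the URLs are placeholders).
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/downloads/
HostUrl=https://example.invalid/files/EcoH%20Client.rar
"""

# URLZONE values used by the mark-of-the-web.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style Zone.Identifier stream.

    Returns the numeric zone, its name and the origin URLs when present.
    Anything outside the [ZoneTransfer] section, comments and blank lines are
    ignored; a missing or non-numeric ZoneId yields zone None.
    """
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone_text = fields.get("ZoneId", "")
    zone = int(zone_text) if zone_text.isdigit() else None
    return {"zone": zone, "zone_name": ZONE_NAMES.get(zone),
            "host_url": fields.get("HostUrl"), "referrer_url": fields.get("ReferrerUrl")}


def is_from_internet(text: str) -> bool:
    """True for ZoneId 3 (Internet) or 4 (Restricted): the file crossed a trust boundary."""
    zone = parse_zone_identifier(text)["zone"]
    return zone is not None and zone >= 3


def read_zone_identifier(path: str):
    """Windows/NTFS only: open the alternate data stream. None when absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM), is_from_internet(SAMPLE_STREAM))
```

On the analysis host, `read_zone_identifier(r"C:\Users\Admin\Downloads\EcoH Client.rar")` would return the real stream; note that extracting an archive with 7-Zip does not propagate the stream to the extracted files, which is why the unpacked EXE/DLLs carry no mark-of-the-web.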
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  2524 chrome.exe (2 entries), 1576 chrome.exe (3 entries)

- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  3592 OpenWith.exe, 4592 OpenWith.exe, 5960 7zFM.exe
  PID 3592 is also listed as Eco-H Revival.exe under "Executes dropped EXE"; the sandbox reused the PID, so these are two different processes. Correlate on image name plus PID, not PID alone.

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  2524 chrome.exe (9 entries). Chrome launches its child processes with the Microsoft-signed-binaries-only mitigation; this is expected browser behaviour.

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  2524 chrome.exe, alternating Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege (32 entries each)

- Suspicious use of FindShellTrayWindow (51 IoCs)
  2524 chrome.exe (49 entries), 5960 7zFM.exe (2 entries)

- Suspicious use of SendNotifyMessage (12 IoCs)
  2524 chrome.exe (12 entries)

- Suspicious use of SetWindowsHookEx (45 IoCs)
  3592 OpenWith.exe (repeated), 3440 7z2406-x64.exe, 4592 OpenWith.exe (repeated), 3508 7z2406-x64.exe, 5572 7z2406-x64.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry is "PID 2524 wrote to memory of <child>" with both parent and target chrome.exe; targets are PIDs 1780, 4444, 3928 and 3360. This is the browser setting up its own child processes (see the --type= command lines under Processes).
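The signature blocks above attach PIDs to image names, and the same PID 3592 appears as OpenWith.exe in one block and Eco-H Revival.exe in another. Before building a timeline from a report like this, it pays to parse every "pid process" list once, map PIDs to images, and flag PIDs that carry more than one image (PID reuse). The Python below is an added example for this page, not code from the sandbox; the `SIGNATURE_PID_LISTS` strings are constructed by copying (and, for the SetWindowsHookEx list, shortening) the flattened lists printed in the report.

```python
from collections import defaultdict

# Constructed from the report's "pid process" lists. Image names may contain
# spaces ("Eco-H Revival.exe"), which is what makes the flattened form awkward.
SIGNATURE_PID_LISTS = {
    "Executes dropped EXE":
        "3440 7z2406-x64.exe 3508 7z2406-x64.exe 5572 7z2406-x64.exe 5900 7z.exe "
        "5960 7zFM.exe 3592 Eco-H Revival.exe 1256 Eco-H Revival.exe",
    "Suspicious use of NtSetInformationThreadHideFromDebugger":
        "1256 Eco-H Revival.exe",
    "Suspicious behavior: GetForegroundWindowSpam":
        "3592 OpenWith.exe 4592 OpenWith.exe 5960 7zFM.exe",
    "Suspicious use of SetWindowsHookEx":   # shortened: the report repeats 3592/4592 many times
        "3592 OpenWith.exe 3592 OpenWith.exe 3440 7z2406-x64.exe 4592 OpenWith.exe "
        "3508 7z2406-x64.exe 5572 7z2406-x64.exe",
}


def parse_pid_list(text: str):
    """Split a flattened 'PID image PID image ...' string into (pid, image) pairs.

    A new record starts only at a token that is entirely digits, so image names
    with spaces stay intact and names like '7z2406-x64.exe' are not mistaken
    for PIDs.
    """
    pairs, pid, name = [], None, []
    for tok in text.split():
        if tok.isdigit():
            if pid is not None:
                pairs.append((int(pid), " ".join(name)))
            pid, name = tok, []
        else:
            name.append(tok)
    if pid is not None:
        pairs.append((int(pid), " ".join(name)))
    return pairs


def build_pid_map(lists):
    """Map each PID to the image names and the signatures it was seen under."""
    images, sigs = defaultdict(set), defaultdict(set)
    for sig, text in lists.items():
        for pid, img in parse_pid_list(text):
            images[pid].add(img)
            sigs[pid].add(sig)
    return images, sigs


def pid_reuse(images):
    """PIDs that carry more than one image name: reused PIDs, not one process."""
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def signatures_for_image(lists, image):
    """All signatures in which a given image name appears, under any PID."""
    return sorted(sig for sig, text in lists.items()
                  if any(img == image for _, img in parse_pid_list(text)))


if __name__ == "__main__":
    images, sigs = build_pid_map(SIGNATURE_PID_LISTS)
    print("PID reuse:", pid_reuse(images))
    print("Eco-H Revival.exe:", signatures_for_image(SIGNATURE_PID_LISTS, "Eco-H Revival.exe"))
```

With the report's lists the reuse check returns PID 3592 mapped to both images, and the per-image query shows that Eco-H Revival.exe is tied only to the dropped-EXE and anti-debug signatures; everything else belongs to the browser and 7-Zip.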
Processes (the "N⤵" marker the report appends to each command line is its depth in the tree; shown here as nesting)

Depth 1, the task itself: the sandbox entered libcurl.dll through rundll32 at export ordinal #1.
  C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libcurl.dll",#1

Depth 1, the interactive browser session (PID 2524 chrome.exe in the signatures):
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  Depth 2, chrome.exe children (Chrome 110.0.5481.104 per the crashpad annotation; the --type= value gives each child's role):
    crashpad-handler:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd824bab58,0x7ffd824bab68,0x7ffd824bab78
    gpu-process:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:2
    utility, network.mojom.NetworkService (service-sandbox-type=none):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    utility, storage.mojom.StorageService:
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    renderer (client id 6, first renderer):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1
    renderer (client id 5):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1
    renderer (client id 7):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1
    utility, data_decoder.mojom.DataDecoderService (channel 4424):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    utility, data_decoder.mojom.DataDecoderService (channel 4568):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    utility, chrome.mojom.ProcessorMetrics (service-sandbox-type=none):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    utility, chrome.mojom.UtilWin (service-sandbox-type=none, channel 4776):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    utility, data_decoder.mojom.DataDecoderService (channel 4796):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    renderer (client id 13):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2228 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1
    utility, chrome.mojom.UtilWin (service-sandbox-type=none, channel 3424):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8
    renderer (client id 15):
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2408 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

The processes named in the signatures but absent from the part of the tree reproduced here (7z2406-x64.exe, 7z.exe, 7zFM.exe, OpenWith.exe, Eco-H Revival.exe) were started later in the same interactive session; the rundll32 task itself produced no child processes and no signatures of its own.
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4988 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4848 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5740 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5912 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5832 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5520 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\7z2406-x64.exe"C:\Users\Admin\Downloads\7z2406-x64.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7z.exe"C:\Program Files\7-Zip\7z.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files\7-Zip\7-zip.chmFilesize
117KB
MD53073686bd3abcdbf2148be7624388e8a
SHA18da958c7671b7e3b8aa8052e6608860e8e3349a6
SHA2561a3a2bfcd5b14d0b014ecdf961b44f975b4bfe1f2284bd4fbef7da0befba5da8
SHA51234f18ac283d38b2082da7ec44b10bde90338d408394d22af53c4b0aea2631d887f6455566633b665543643753231e5a06a505dc59ab8be0fe99022dd360e6502
-
C:\Program Files\7-Zip\7zFM.exeFilesize
960KB
MD55764deed342ca47eb4b97ae94eedc524
SHA1e9cbefd32e5ddd0d914e98cfb0df2592bebc5987
SHA256c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f
SHA5126809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18
-
C:\Program Files\7-Zip\History.txtFilesize
5KB
MD56b604af1dc25151fdcac458b6fe81a12
SHA159dea20ca7210206664e4ac21daae7397f267564
SHA2560d8d0b046fa8798d4ebc3d14fd7f8bfb88fa130d0e58826f4c15d0b981acc553
SHA512530319be3442eb276389ff66769820b4ed1a9c4ff0796430c6425206630245f5b19ecc9af09c7ae811bded22d401025fed898b3e37ac9dae5b1905516fc92fdb
-
C:\Program Files\7-Zip\Lang\af.txtFilesize
4KB
MD5df216fae5b13d3c3afe87e405fd34b97
SHA1787ccb4e18fc2f12a6528adbb7d428397fc4678a
SHA2569cf684ea88ea5a479f510750e4089aee60bbb2452aa85285312bafcc02c10a34
SHA512a6eee3d60b88f9676200b40ca9c44cc4e64cf555d9b8788d4fde05e05b8ca5da1d2c7a72114a18358829858d10f2beff094afd3bc12b370460800040537cff68
-
C:\Program Files\7-Zip\Lang\an.txtFilesize
7KB
MD5f16218139e027338a16c3199091d0600
SHA1da48140a4c033eea217e97118f595394195a15d5
SHA2563ab9f7aacd38c4cde814f86bc37eec2b9df8d0dddb95fc1d09a5f5bcb11f0eeb
SHA512b2e99d70d1a7a2a1bfa2ffb61f3ca2d1b18591c4707e4c6c5efb9becdd205d646b3baa0e8cbd28ce297d7830d3dfb8f737266c66e53a83bdbe58b117f8e3ae14
-
C:\Program Files\7-Zip\Lang\ar.txtFilesize
12KB
MD55747381dc970306051432b18fb2236f2
SHA120c65850073308e498b63e5937af68b2e21c66f3
SHA25685a26c7b59d6d9932f71518ccd03eceeba42043cb1707719b72bfc348c1c1d72
SHA5123306e15b2c9bb2751b626f6f726de0bcafdc41487ba11fabfcef0a6a798572b29f2ee95384ff347b3b83b310444aaeec23e12bb3ddd7567222a0dd275b0180ff
-
C:\Program Files\7-Zip\Lang\ast.txtFilesize
4KB
MD51cf6411ff9154a34afb512901ba3ee02
SHA1958f7ff322475f16ca44728349934bc2f7309423
SHA256f5f2174daf36e65790c7f0e9a4496b12e14816dad2ee5b1d48a52307076be35f
SHA512b554c1ab165a6344982533cceed316d7f73b5b94ce483b5dc6fb1f492c6b1914773027d31c35d60ab9408669520ea0785dc0d934d3b2eb4d78570ff7ccbfcf9c
-
C:\Program Files\7-Zip\Lang\az.txtFilesize
9KB
MD53c297fbe9b1ed5582beabfc112b55523
SHA1c605c20acf399a90ac9937935b4dbdb64fad9c9f
SHA256055ec86aed86abbdbd52d8e99fec6e868d073a6df92c60225add16676994c314
SHA512417984a749471770157c44737ee76bfd3655ef855956be797433dadc2a71e12359454cc817b5c31c6af811067d658429a8706e15625bf4ca9f0db7586f0ae183
-
C:\Program Files\7-Zip\Lang\ba.txtFilesize
10KB
MD5387ff78cf5f524fc44640f3025746145
SHA18480e549d00003de262b54bc342af66049c43d3b
SHA2568a85c3fcb5f81157490971ee4f5e6b9e4f80be69a802ebed04e6724ce859713f
SHA5127851633ee62c00fa2c68f6f59220a836307e6dde37eae5e5dca3ca254d167e305fe1eb342f93112032dadafe9e9608c97036ac489761f7bdc776a98337152344
-
C:\Program Files\7-Zip\Lang\be.txtFilesize
11KB
MD5b1dd654e9d8c8c1b001f7b3a15d7b5d3
SHA15a933ae8204163c90c00d97ba0c589f4d9f3f532
SHA25632071222af04465a3d98bb30e253579aa4beceaeb6b21ac7c15b25f46620bf30
SHA5120137900aeb21f53e4af4027ea15eed7696ed0156577fe6194c2b2097f5fb9d201e7e9d52a51a26ae9a426f8137692154d80676f8705f335fed9ae7e0e1d0a10e
-
C:\Program Files\7-Zip\Lang\bg.txtFilesize
17KB
MD52d0c8197d84a083ef904f8f5608afe46
SHA15ae918d2bb3e9337538ef204342c5a1d690c7b02
SHA25662c6f410d011a109abecb79caa24d8aeb98b0046d329d611a4d07e66460eef3f
SHA5123243d24bc9fdb59e1964e4be353c10b6e9d4229ef903a5ace9c0cb6e1689403173b11db022ca2244c1ef0f568be95f21915083a8c5b016f07752026d332878a4
-
C:\Program Files\7-Zip\Lang\bn.txtFilesize
14KB
MD5771c8b73a374cb30df4df682d9c40edf
SHA146aa892c3553bddc159a2c470bd317d1f7b8af2a
SHA2563f55b2ec5033c39c159593c6f5ece667b92f32938b38fcaf58b4b2a98176c1fc
SHA5128dcc9cc13322c4504ee49111e1f674809892900709290e58a4e219053b1f78747780e1266e1f4128c0c526c8c37b1a5d1a452eefba2890e3a5190eebe30657ba
-
C:\Program Files\7-Zip\Lang\br.txtFilesize
4KB
MD507504a4edab058c2f67c8bcb95c605dd
SHA13e2ae05865fb474f10b396bfefd453c074f822fa
SHA256432bdb3eaa9953b084ee14eee8fe0abbc1b384cbdd984ccf35f0415d45aabba8
SHA512b3f54d695c2a12e97c93af4df09ce1800b49e40302bec7071a151f13866edfdfafc56f70de07686650a46a8664608d8d3ea38c2939f2f1630ce0bf968d669ccc
-
C:\Program Files\7-Zip\Lang\ca.txtFilesize
8KB
MD5264fb4b86bcfb77de221e063beebd832
SHA1a2eb0a43ea4002c2d8b5817a207eb24296336a20
SHA25607b5c0ac13d62882bf59db528168b6f0ffdf921d5442fae46319e84c90be3203
SHA5128d1a73e902c50fd390b9372483ebd2ec58d588bacf0a3b8c8b9474657c67705b6a284bb16bba4326d314c7a3cc11caf320da38d5acb42e685ed2f8a8b6f411f4
-
C:\Program Files\7-Zip\Lang\co.txtFilesize
11KB
MD5de64842f09051e3af6792930a0456b16
SHA1498b92a35f2a14101183ebe8a22c381610794465
SHA256dcfb95b47a4435eb7504b804da47302d8a62bbe450dadf1a34baea51c7f60c77
SHA5125dabeed739a753fd20807400dfc84f7bf1eb544704660a74afcf4e0205b7c71f1ddcf9f79ac2f7b63579735a38e224685b0125c49568cbde2d9d6add4c7d0ed8
-
C:\Program Files\7-Zip\Lang\cs.txtFilesize
9KB
MD5dbdcfc996677513ea17c583511a5323b
SHA1d655664bc98389ed916bed719203f286bab79d3c
SHA256a6e329f37aca346ef64f2c08cc36568d5383d5b325c0caf758857ed3ff3953f2
SHA512df495a8e8d50d7ec24abb55ce66b7e9b8118af63db3eb2153a321792d809f7559e41de3a9c16800347623ab10292aac2e1761b716cb5080e99a5c8726f7cc113
-
C:\Program Files\7-Zip\Lang\cy.txtFilesize
4KB
MD56bdf25354b531370754506223b146600
SHA1c2487c59eeeaa5c0bdb19d826fb1e926d691358e
SHA256470eaf5e67f5ead5b8c3ecc1b5b21b29d16c73591eb0047b681660346e25b3fb
SHA512c357b07c176175cc36a85c42d91b0cada79dbfb584bdf57f22a6cb11898f88aecf4392037d5cea3e1bc02df7493bb27b9509226f810f1875105bbc33c6ae3f20
-
C:\Program Files\7-Zip\Lang\da.txtFilesize
7KB
MD5c397e8ac4b966e1476adbce006bb49e4
SHA13e473e3bc11bd828a1e60225273d47c8121f3f2c
SHA2565ccd481367f7d8c544de6177187aff53f1143ae451ae755ce9ed9b52c5f5d478
SHA512cbbece415d16b9984c82bd8fa4c03dbd1fec58ed04e9ef0a860b74d451d03d1c7e07b23b3e652374a3b9128a7987414074c2a281087f24a77873cc45ec5aadd2
-
C:\Program Files\7-Zip\Lang\de.txtFilesize
9KB
MD51e30a705da680aaeceaec26dcf2981de
SHA1965c8ed225fb3a914f63164e0df2d5a24255c3d0
SHA256895f76bfa4b1165e4c5a11bdab70a774e7d05d4bbdaec0230f29dcc85d5d3563
SHA512ff96e6578a1ee38db309e72a33f5de7960edcc260ca1f5d899a822c78595cc761fedbdcdd10050378c02d8a36718d76c18c6796498e2574501011f9d988da701
-
C:\Program Files\7-Zip\Lang\el.txtFilesize
17KB
MD55894a446df1321fbdda52a11ff402295
SHA1a08bf21d20f8ec0fc305c87c71e2c94b98a075a4
SHA2562dd2130f94d31262b12680c080c96b38ad55c1007f9e610ec8473d4bb13d2908
SHA5120a2c3d24e7e9add3ca583c09a63ba130d0088ed36947b9f7b02bb48be4d30ef8dc6b8d788535a941f74a7992566b969adf3bd729665e61bfe22b67075766f8de
-
C:\Program Files\7-Zip\Lang\en.tttFilesize
7KB
MD5bf2e140e9d30d6c51d372638ba7f4bd9
SHA1a4358379a21a050252d738f6987df587c0bd373d
SHA256c218145bb039e1fd042fb1f5425b634a4bdc1f40b13801e33ed36cfdbda063ed
SHA512b524388f7476c9a43e841746764ff59bdb1f8a1b4299353156081a854ee4435b94b34b1a87c299ec23f8909e0652222595b3177ee0392e3b8c0ff0a818db7f9a
-
C:\Program Files\7-Zip\Lang\eo.txtFilesize
4KB
MD529caad3b73f6557f0306f4f6c6338235
SHA1d4b3147f23c75de84287ad501e7403e0fce69921
SHA256a6ef5a5a1e28d406fd78079d9cacf819b047a296adc7083d34f2bfb3d071e5af
SHA51277618995d9cf90603c5d4ad60262832d8ad64c91a5e6944efd447a5cc082a381666d986bb294d7982c8721b0113f867b86490ca11bb3d46980132c9e4df1bd92
-
C:\Program Files\7-Zip\Lang\es.txtFilesize
10KB
MD5ed230f9f52ef20a79c4bed8a9fefdf21
SHA1ec0153260b58438ad17faf1a506b22ad0fec1bdc
SHA2567199b362f43e9dca2049c0eeb8b1bb443488ca87e12d7dda0f717b2adbdb7f95
SHA51232f0e954235420a535291cf58b823baacf4a84723231a8636c093061a8c64fcd0952c414fc5bc7080fd8e93f050505d308e834fea44b8ab84802d8449f076bc9
-
C:\Program Files\7-Zip\Lang\et.txtFilesize
6KB
MD5d6a50c4139d0973776fc294ee775c2ac
SHA11881d68ae10d7eb53291b80bd527a856304078a0
SHA2566b2718882bb47e905f1fdd7b75ece5cc233904203c1407c6f0dcdc5e08e276da
SHA5120fd14b4fd9b613d04ef8747dcd6a47f6f7777ac35c847387c0ea4b217f198aa8ac54ea1698419d4122b808f852e9110d1780edcb61a4057c1e2774aa5382e727
-
C:\Program Files\7-Zip\Lang\eu.txtFilesize
8KB
MD5c90cd9f1e3d05b80aba527eb765cbf13
SHA166d1e1b250e2288f1e81322edc3a272fc4d0fffc
SHA256a1c9d46b0639878951538f531bba69aeddd61e6ad5229e3bf9c458196851c7d8
SHA512439375d01799da3500dfa48c54eb46f7b971a299dfebff31492f39887d53ed83df284ef196eb8bc07d99d0ec92be08a1bf1a7dbf0ce9823c85449cc6f948f24c
-
C:\Program Files\7-Zip\Lang\ext.txtFilesize
7KB
MD5459b9c72a423304ffbc7901f81588337
SHA10ba0a0d9668c53f0184c99e9580b90ff308d79be
SHA2568075fd31b4ebb54603f69abb59d383dcef2f5b66a9f63bb9554027fd2949671c
SHA512033ced457609563e0f98c66493f665b557ddd26fab9a603e9de97978d9f28465c5ac09e96f5f8e0ecd502d73df29305a7e2b8a0ad4ee50777a75d6ab8d996d7f
-
C:\Program Files\7-Zip\Lang\fa.txtFilesize
12KB
MD5741e0235c771e803c1b2a0b0549eac9d
SHA17839ae307e2690721ad11143e076c77d3b699a3c
SHA256657f2aceb60d557f907603568b0096f9d94143ff5a624262bbfeb019d45d06d7
SHA512f8662732464fa6a20f35edcce066048a6ba6811f5e56e9ca3d9aa0d198fc9517642b4f659a46d8cb8c87e890adc055433fa71380fb50189bc103d7fbb87e0be5
-
C:\Program Files\7-Zip\descript.ionFilesize
366B
MD5eb7e322bdc62614e49ded60e0fb23845
SHA11bb477811ecdb01457790c46217b61cb53153b75
SHA2561da513f5a4e8018b9ae143884eb3eaf72454b606fd51f2401b7cfd9be4dbbf4f
SHA5128160b581a3f237d87e664d93310f5e85a42df793b3e22390093f9fb9a0a39950be6df2a713b55259fce5d5411d0499886a8039288d9481b4095fabadddbebb60
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006Filesize
59KB
MD5caaa5222d179a24ca5540080c7018b99
SHA11f415a7a73a12a4c16f25709504f4e4e4beae9dd
SHA256b729255f2e984a20fa0f0eb07e08368cf468fd17ff27a7d1dbb4042ec261d8cf
SHA51271b4f878aa154ba4a8523c2e36faa8dbe3cfafa082b18796d8b69539dee9506253b9e55fc9b71cc2c9027d22ae08587b0e2ddadbc8d3395dbb73584d1ca1ebcc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
528B
MD55f913802b16f5e3aa928e6487db99af2
SHA101fd3cfc002661ddead95097903bd94ccc3c0485
SHA256fb87ab6504f6eb035f40e86a4f3d9b38c99c3b8e48087b13f3506c35a0a5d549
SHA51228cb74193ef30e2eac9720b5efc1e6034a2499406942f7897a5642768e33724cebb92e7664464cfcb54778272b3217d60ff8ea5d3f29f25df5a810061c47c89c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
96B
MD5a936803d2ea43519f44a6d17228a5f9d
SHA18e6ddf5f8c2bd57868f651bda263b62eedaa6ad4
SHA2561c71a1838862b36c036a7d5f842b4525ed170954f0a4ee7e2b60f4ebf297a95f
SHA512c3b45b6bf6fd887b11d3dee808dc786c747ff776b6ae391303fdc8ace178c743103ecc44ab8e3e7ddeef87242ed97149dd918733e47924f2dcad284bc9fc42e8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
336B
MD5e1fc8378a6279aa3c989e48c9e6be601
SHA1a5800b6f8c138f218d6edd032b712a3164c2d8eb
SHA2567b6f6192ac6932c4a008e27c484714c39ebf58125c45923a1d46be1a26b1c0df
SHA512c7736390a842c466f383c1ff9f2319bf2b9f4ac55650af8a038d771738e5a734acf2355a81605aca225264f82a3e2c5d142210b3c39591a69f89ee638686d974
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD57db36caad14d3175b0ff5215ee73f1b1
SHA1f6cde00609610ccaea6d9f2de19257f8b15c6bd9
SHA256e5479a7a585f4a7bccfb3a068341e06c27dcb1fbf1078a0439df2fce5a0cb7db
SHA5122b4eb4e833cc4443c0938d669feb45da57a616f622ca53289057b9e90e73fe9018c2384d8abb7eaee189b9dd0bb0076dd9822f33d9aba992233799f7ed8af76b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5e4e08de1dffbdd8c3e77c290c628abfc
SHA156c13bf0c935ee5396ee9dc792c019f583ecfc0b
SHA2567d718d46063bf8c01e410db2fe5987a88aafb9191c090091992c77864bbc2c9b
SHA51285e0ab5457e0255f0ac0d2ce9d6a57423de089f3f685481f0ce3e79c4452d932962d3c689d96a289df77e82bc7dcadf2c51e70643620e270ad39bd5412be7729
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5a450b346c7f81262db2468e8bdc6b567
SHA17eb04ce0661b660caf60eec843290cfa487e9ea2
SHA256aa0bce708614713210cbe6e28bdbd44a7cf44ab94f286839134bd72b85ffc1fb
SHA51239fadc7504a920dc0de4c3a9a3ab93ee3349305a909978b38d5a40a65f81568a565c28f3b96530462e3950f3acb49b986f930762107aab16d163a9ccb48e6964
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
691B
MD56aad651ae76796e5bc048586f36d63d9
SHA13410a3eadf164003c814c286ea73eb7e36a1ee4f
SHA256f38bcf54e7a165aa423426ac3e57a753caa93ef41c9987c726423ea94203f45a
SHA5125e25a579c60bacdc515bcf685e552c509538662b74d8c6fd6ca3c45eb68127fe7d3294e8c681e884e8f84f8f69b5f664d85f6596c95ad30f9a96d08925816d8e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD5a3423eea70585444fcf4d8587d4f9028
SHA1d705145f4368862e2c3d15e195fc4ceb39ba9399
SHA25611edaa042cc1790160b24d143234b0b428c892ebd7606e0fc682e626f0e54caf
SHA512e76ce28cd6c3e3693960a0ac57d579617c84fb668706d2af7dbd12f214850fd4b8d112da17ab7af773242cc914fd83bd00d0d0d02c48a22388d9c3a6748158db
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD55a2f670bac48f31e7b8e2a2a16018e25
SHA1cf83aae1cb684fe57826514734d8a71cf671619c
SHA2569dc8e629e2af35c9cd434766094a0c0e3fd75b974ca99e1813aa8885121335ae
SHA51205ba685e26fcf2b29cac55f7b2eded5f84cd55eac0aa210779ad79c89abbfe56efc66e8ea0afdef7b178a97fb418cff53a32081aa42aac2176787a8d97136323
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
691B
MD5610b2add83ccdf35eb1b4b8d7c9e6d54
SHA1f9126253fa63105132c2b53a05a26e71ccb9a93b
SHA2561be8e6547656012ee1b3dcaaa1559e7090038f6ff7683086ec6bd697c915e87b
SHA5128141201bef6d851c75134f374f11cfe71d5118ea9f6b7ef8ea45d8cb93b8240c0ce6c9fb008715ea1060753936f58cbc3299ecca4ecb09de123f15a33557fc52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
524B
MD51621a79ae4e1997de73c6ec7a4ba9ec7
SHA100178153046d6d076aab91ec912182c1b43fb29f
SHA256d81a830b5732a67d2af71f929e22b556d66b6c34aef75f5a45882c3dc29cebc8
SHA512860e66740449bbd7f0362e87bdb9a82508d7c0a6d6946927fad7a20397fb10aca008b7a666b946c712e07dfd0e6c85fcbff3506aabf0f03338bdd1988d1a74d9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD551dc14e4951e02d4f4bb3d9775969556
SHA1f8b8aa6c76d9967eda0c56fde6eb103839d4e8f2
SHA25646821892afe89da55c189ffcb22315db6152f768bd5ade2c5f9627f144983a34
SHA51285a64c3f081cd6448937cd8cebadd74b3acc1382be7e0b1909bf2d762fd1f96122520b6ad8f0edf6ff813c31df4f81c77fff32e632a19b7949930d954de77dd4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD502d5e234d3a93eef6e7fc86a30343f7f
SHA10144051bcfe265c686471837067ab11b40752d9b
SHA25665c430e95436cbbd8d006d10becb823ccb1d600230d1911f3a05cf1ee599c8c5
SHA5123f6475d9b03204bc9845754cc030d1cb46a898f202d2e72f018ea1feb0d43d6d46d49b14752d8862924b9bfde9ca0dba11d32f26d9920965352cc65bbb252404
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD560670389268d02d98ac28745d2cb164a
SHA153b426b16348f6ce951b6c54dda828240a264dc9
SHA25646d1af755cc9234347ca5761e3adbee185d95c2996e27448f8da654767c164d3
SHA51204fdf38bec3bf95772eedfa994d4ef1d78878c7c0b6f0184fb001ee8b3ebf66245189c8f3f45b208b9eaa9bc32179a9d32c1f7ed8de737186bc3f5dd31d98f01
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD550357fcd590818a542bc556e67fb78f2
SHA11826963d6cf12003f9073e9337d4831e92d09bdc
SHA25622da45ac08d33a9039673c2d580ee437ff8232cea0f7b3407890f0bc25ad747c
SHA5123b7144991a3da9afcebc15d77bc8aca0796b2390ff6a1bfcb46784fbe8a3c06ec76217a990fec27c1729fbb7f09ce6294b8f15bc1e3031baa4dfaa20a4b36b99
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD51011c2254eb18e6dc39846f65ce4d889
SHA1aef2d73573913a023a760184ca00c4d61d81196c
SHA25651793564d3d5d9701293612a5a7496bb6a085631ca3963f817eda841d9c1a6eb
SHA5127096a56f965729b7936a8593613c07e286479c1e0aa9b1beda23c86cdb8155ec7d3ed34e234e943911c177494f37964104e426f5accfbd9951f8ab3a2f827c6b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5f967e8016f7a1a51630414751c8d8273
SHA112016c1418cf1adf3e97693b6201d711d1f35eef
SHA25674e6f703345e0979c45055008840875c0157c276dc90898f0cd897d647017b92
SHA512600370ba6a0f45bb7f2842dca1333e673d2b592548aaa4638ddc08a93fa32f2432873b26c4211a6a3fe07122eecfa16ce0afebcb4eb485cd106f12007a57e385
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
278KB
MD5c31c2fe50f49820efb625e08b553b2a2
SHA126cfed5c16539ad98b267ead9271f05d65faf93a
SHA256c71a678f588ad119962c253df538d1d24fc93b47fc7c02d43be63700a3dd253d
SHA5120577ebaa398da7ee601a250e44bbc9202de4680fbf778bffd15b303e588d7e1e9405a310a4ecb11212ffb556c79709b7e18ddb744c20e3ef963318f66dbe6c52
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
278KB
MD5a3f9d4d746725308fcd9811f11909e6b
SHA15c45b87f144368c8ac45f323e332d5018f7a18fe
SHA2560791e13c2ee33706b26530d5f9b0d502d8fd76961fe4ea6ad147e826ffb0c359
SHA512bf594a3895986a587485c08e0c090d90c7900102579478d919fb63a7790e7b86c66fe98c41514bc0e159dad8e895d371881690a75399c8c67b9d88c92bca534e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
278KB
MD53bb453bde58b75b8e63b5eb0ef3c933d
SHA1d0ba84fdc2b5af4f75e610837d3e6dd5324829eb
SHA256d7ea828fa2edcfbfe4b49138c0b68503282cfe2178adc693b68ceb89e2748fc6
SHA5126aba9766bb41fb13bf3a29eb73ad77b3234c9b9aae95a05a8547ac4fa2148588a3bab0b509c4b94a0678d0bfb456bfe213c0e3dca3abcad9480f1e1e09ea20d3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
278KB
MD54f14a461daa497feefa76c753eb06370
SHA1eec1c89431f251dc5eb405ca2792afa431c9ba65
SHA2563d1e0a0a59a3eda4098c3955fc06873e76347850f8f5b3a25bc14ac5626959cf
SHA5123f3b2c8e718039f0278e7a44c9dab089141e5fd3b5868278b3e9759d51d32572f168da8d7842f192d555d90c4dc9164a838fd52e4ef15d4f5fafc83f2484c185
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
99KB
MD567c437863f3a1a64c978713dfb43dda5
SHA1d3f7a1c780c4952b6dd178118abb15bcda48450a
SHA256c8acbba3ba1934d406e741fcc24ae60894879245b171f1abf653b79ac0742f54
SHA512ff90e97440898f001d74f5b5a8f4f3e34c3780c5905035aa160eeb285901a386a02688f709f14386bf41310cebbcff457ac4d9526e886bcf93f71266ff6ba72d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
92KB
MD549dbc85bcfe62712b84625ab8625e67a
SHA15adfa39dde7d19d48e5a13eb2bc24c0aadb6d451
SHA256389787b84e31bc9b741e84cbae535032927f850339164fc66689f47d74dd1bfc