Malware Analysis Report

2024-09-09 18:08

Sample ID: 240618-sdb76asgqr
Target: EcoH Client.rar
SHA256: c9f637e83786be4c4d3065c8402002c5c9a90d84849bba712310f5df5889b91e
Tags: pyinstaller discovery persistence privilege_escalation
Score: 8/10

Analysis Overview

Score

8/10

SHA256

c9f637e83786be4c4d3065c8402002c5c9a90d84849bba712310f5df5889b91e

Threat Level: Likely malicious

The file EcoH Client.rar was found to be: Likely malicious.

Malicious Activity Summary

Tags: pyinstaller discovery persistence privilege_escalation

Downloads MZ/PE file

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Detects Pyinstaller

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

NTFS ADS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 15:00

Signatures

Detects Pyinstaller

Tags: pyinstaller

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
(28 matches; no description, indicator, process or target recorded for any of them)

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240419-en

Max time kernel

144s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libfreetype.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libfreetype.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4084-0-0x00007FFE6C2E0000-0x00007FFE6C38E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

86s

Max time network

104s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\SDL2.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\SDL2.dll",#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240508-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_retrieve.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_retrieve.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_retrieve.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/2252-1-0x00007FFCD03F0000-0x00007FFCD03FE000-memory.dmp

memory/2252-4-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/2252-3-0x00007FFCCD3F0000-0x00007FFCCD47A000-memory.dmp

memory/2252-0-0x00007FF6AD150000-0x00007FF6AD245000-memory.dmp

memory/2252-2-0x0000000064940000-0x0000000064955000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

144s

Max time network

151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\dbghelp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\dbghelp.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

89s

Max time network

99s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\exchndl.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\exchndl.dll",#1

Network

Country | Destination | Domain | Proto
IE | 52.111.236.23:443 | | tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\steam_api.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\steam_api.dll",#1

Network

Files

memory/908-0-0x00007FFD7A370000-0x00007FFD7A37E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avcodec-60.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avcodec-60.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

memory/4340-2-0x0000000064940000-0x0000000064955000-memory.dmp

memory/4340-1-0x00007FFCC3E50000-0x00007FFCC4054000-memory.dmp

memory/4340-0-0x00007FFCC4060000-0x00007FFCC4423000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

72s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libogg.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libogg.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 20.42.65.94:443 | | tcp
SE | 192.229.221.95:80 | | tcp

Files

memory/1672-0-0x00007FFF35330000-0x00007FFF35342000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

87s

Max time network

93s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libssp-0.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libssp-0.dll",#1

Network

Files

memory/2928-0-0x00007FFDF2A50000-0x00007FFDF2A5E000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

90s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\demo_extract_chat.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\demo_extract_chat.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\demo_extract_chat.exe"

Network

Country | Destination | Domain | Proto
NL | 52.111.243.29:443 | | tcp

Files

memory/4692-0-0x00007FF67AD30000-0x00007FF67AE25000-memory.dmp

memory/4692-2-0x00007FFF45880000-0x00007FFF4590A000-memory.dmp

memory/4692-4-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/4692-3-0x0000000064940000-0x0000000064955000-memory.dmp

memory/4692-1-0x00007FFF5AEC0000-0x00007FFF5AECE000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\dilate.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\dilate.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\dilate.exe"

Network

Files

memory/5112-4-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/5112-5-0x00007FFFC9C10000-0x00007FFFC9C1E000-memory.dmp

memory/5112-3-0x0000000064940000-0x0000000064955000-memory.dmp

memory/5112-2-0x00007FFFC0A50000-0x00007FFFC0A9D000-memory.dmp

memory/5112-1-0x00007FFFC0120000-0x00007FFFC01AA000-memory.dmp

memory/5112-0-0x00007FF7FD4D0000-0x00007FF7FD5C8000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240508-en

Max time kernel

130s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_diff.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_diff.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_diff.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/3840-1-0x00007FF659E10000-0x00007FF659F05000-memory.dmp

memory/3840-5-0x00007FFC688C0000-0x00007FFC688CE000-memory.dmp

memory/3840-4-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/3840-3-0x0000000064940000-0x0000000064955000-memory.dmp

memory/3840-2-0x00007FFC66340000-0x00007FFC663CA000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240611-en

Max time kernel

88s

Max time network

96s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\sqlite3.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\sqlite3.dll",#1

Network

Files

memory/1968-0-0x00007FFD9A480000-0x00007FFD9A5E4000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

87s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libpng16-16.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libpng16-16.dll",#1

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_extract.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_extract.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_extract.exe"

Network

Country | Destination | Domain | Proto
US | 52.111.227.11:443 | | tcp

Files

memory/4880-5-0x00007FFD748A0000-0x00007FFD748AE000-memory.dmp

memory/4880-4-0x0000000064940000-0x0000000064955000-memory.dmp

memory/4880-1-0x00007FFD6F880000-0x00007FFD6F8CD000-memory.dmp

memory/4880-3-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/4880-2-0x00007FFD6EEA0000-0x00007FFD6EF2A000-memory.dmp

memory/4880-0-0x00007FF7D5930000-0x00007FF7D5A28000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240508-en

Max time kernel

111s

Max time network

124s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avformat-60.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avformat-60.dll",#1

Network

Country | Destination | Domain | Proto
US | 52.111.227.14:443 | | tcp

Files

memory/756-0-0x00007FFBB1520000-0x00007FFBB159B000-memory.dmp

memory/756-1-0x00007FFBAE160000-0x00007FFBAE364000-memory.dmp

memory/756-2-0x00007FFBADD90000-0x00007FFBAE153000-memory.dmp

memory/756-3-0x0000000064940000-0x0000000064955000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

86s

Max time network

99s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\dbgcore.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\dbgcore.dll",#1

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240611-en

Max time kernel

87s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\discord_game_sdk.dll",#1

Signatures

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\discord_game_sdk.dll",#1

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240508-en

Max time kernel

142s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libopusfile.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libopusfile.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4736-2-0x00007FFFA83C0000-0x00007FFFA8452000-memory.dmp

memory/4736-1-0x00007FFFABFF0000-0x00007FFFAC002000-memory.dmp

memory/4736-0-0x00007FFFAE600000-0x00007FFFAE615000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

143s

Max time network

160s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_directory.bat"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_directory.bat"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

144s

Max time network

151s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libopus.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libopus.dll",#1

Network

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

88s

Max time network

105s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\mgwhelp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\mgwhelp.dll",#1

Network

Country | Destination | Domain | Proto
IE | 52.111.236.22:443 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/776-0-0x00007FF80F170000-0x00007FF80F232000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

140s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\DDNet-Server.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\DDNet-Server.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\DDNet-Server.exe"

Network

Files

memory/4672-3-0x00007FFCC9D90000-0x00007FFCC9E1A000-memory.dmp

memory/4672-9-0x00007FFCC6390000-0x00007FFCC6452000-memory.dmp

memory/4672-8-0x00007FFCC9B00000-0x00007FFCC9B3F000-memory.dmp

memory/4672-7-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/4672-6-0x00007FFCD03B0000-0x00007FFCD03BE000-memory.dmp

memory/4672-5-0x0000000064940000-0x0000000064955000-memory.dmp

memory/4672-4-0x00007FFCC6C60000-0x00007FFCC6DC4000-memory.dmp

memory/4672-2-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-10-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-18-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-26-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-34-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-42-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-50-0x00007FF748380000-0x00007FF748698000-memory.dmp

memory/4672-58-0x00007FF748380000-0x00007FF748698000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:05

Platform

win11-20240611-en

Max time kernel

274s

Max time network

279s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libcurl.dll",#1

Signatures

Downloads MZ/PE file

Event Triggered Execution: Component Object Model Hijacking

Tags: persistence privilege_escalation

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A

Checks installed software on the system

Tags: discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fr.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sw.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\nb.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7-zip32.dll | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\th.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\io.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ps.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt-br.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\readme.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ca.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\tg.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.sfx | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ro.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kk.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\bn.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\mr.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\pt.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7z.dll | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\ky.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\uz-cyrl.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kab.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631965235420232" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" | C:\Users\Admin\Downloads\7z2406-x64.exe | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000} C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\Downloads\7z2406-x64.exe N/A
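Every row in this table is the 7-Zip 24.06 installer (7z2406-x64.exe) registering its shell extension: the ContextMenuHandlers and DragDropHandlers under *, Directory, Drive and Folder all name the CLSID {23170F69-40C1-278A-1000-000100020000}, whose InprocServer32 is C:\Program Files\7-Zip\7-zip.dll (64-bit) and, under WOW6432Node, 7-zip32.dll. That is expected installer behaviour, but the same three-step chain (shellex handler key, the CLSID it names, that CLSID's InprocServer32 DLL) is exactly how a malicious shell extension persists in Explorer, so the check worth automating is resolving each handler to the DLL that will be loaded. The Python below is an added example, not part of this report or of 7-Zip: it parses rows in the report's "Set value" format (copied from the table above) and resolves them; the last two rows are constructed and hypothetical (the "Updater" handler, its CLSID and upd.dll are invented, and this report contains no such registration) so the flag can be seen firing. TRUSTED_ROOTS is an assumption to tune per environment.

```python
"""Resolve shellex handler registrations to the DLL Explorer will load."""
import re

# Rows in this report's 'Set value' format, copied from the table above
# (7-Zip 24.06 installer). The last two are CONSTRUCTED, hypothetical rows
# (not in the report) showing a handler whose DLL lives in a user profile.
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Updater\ = "{11111111-2222-3333-4444-555555555555}"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\upd.dll"',
]

SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)"$')
HANDLER_KEY = re.compile(
    r'\\Classes\\(?P<cls>[^\\]+)\\shellex\\(?P<kind>\w+Handlers)\\(?P<name>[^\\]+)$',
    re.IGNORECASE)
SERVER_KEY = re.compile(
    r'\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\(?P<clsid>\{[0-9A-F-]+\})\\InprocServer32$',
    re.IGNORECASE)
# Assumption: install roots an unprivileged user cannot write to.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_set_value(line):
    """Split one 'Set value' row into (key, value_name, value); None for other rows."""
    m = SET_VALUE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group(2).rpartition("\\")
    # the report prints backslashes inside string values doubled
    return key, name, m.group(3).replace("\\\\", "\\")


def resolve_handlers(events):
    """Map each shellex handler to its CLSID and that CLSID's 64/32-bit DLL."""
    hooks = {}     # 'Directory\shellex\ContextMenuHandlers\7-Zip' -> CLSID
    servers = {}   # (CLSID, bitness) -> InprocServer32 DLL path
    for line in events:
        parsed = parse_set_value(line)
        if not parsed:
            continue
        key, name, value = parsed
        if name:   # only the (Default) value carries the CLSID or DLL path
            continue
        h = HANDLER_KEY.search(key)
        if h:
            hooks[f"{h['cls']}\\shellex\\{h['kind']}\\{h['name']}"] = value.upper()
            continue
        s = SERVER_KEY.search(key)
        if s:
            servers[(s['clsid'].upper(), 32 if s['wow'] else 64)] = value
    report = []
    for hook, clsid in sorted(hooks.items()):
        dlls = {bits: servers.get((clsid, bits)) for bits in (64, 32)}
        known = [d for d in dlls.values() if d]
        # unresolved CLSID, or any server DLL outside a trusted root, needs a look
        suspicious = not known or any(
            not d.lower().startswith(TRUSTED_ROOTS) for d in known)
        report.append({"hook": hook, "clsid": clsid, "dlls": dlls,
                       "suspicious": suspicious})
    return report


if __name__ == "__main__":
    for entry in resolve_handlers(EVENTS):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"[{flag}] {entry['hook']} -> {entry['clsid']} -> {entry['dlls']}")
```

The same resolution run against a live host (enumerating HKCR\*\shellex, Directory\shellex, Folder\ShellEx and Drive\shellex, then HKCR\CLSID and HKCR\WOW6432Node\CLSID) is the practical persistence check; the signature on the resolved DLL, not the handler's display name, is what to trust.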

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Users\Admin\Downloads\EcoH Client.rar:Zone.Identifier C:\Program Files\Google\Chrome\Application\chrome.exe N/A
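Both Zone.Identifier writes come from chrome.exe, which stamps the Mark-of-the-Web on every file it downloads (ZoneId=3, the Internet zone, normally with the HostUrl and ReferrerUrl of the download). These two rows therefore record the sandbox fetching EcoH Client.rar and the 7-Zip installer through the browser, not the sample tampering with a stream. What the table does not show is whether the files extracted from the archive carried a mark of their own; that depends on the extractor's Zone.Id propagation, so check the extracted DLL directly. The Python below is an added example, not from the report: parse_zone_identifier handles the stream format, and read_motw opens a file's Zone.Identifier stream on NTFS (on any other filesystem it returns None). SAMPLE_STREAM and its URLs are constructed placeholders; the report does not disclose the real download origin.

```python
"""Read and interpret the Zone.Identifier (Mark-of-the-Web) stream of a file."""
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# CONSTRUCTED sample of the stream Chrome writes on download. The URLs are
# placeholders; the report does not show where EcoH Client.rar came from.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/downloads/
HostUrl=https://example.invalid/files/EcoH%20Client.rar
"""


def parse_zone_identifier(text):
    """Parse Zone.Identifier stream text into a dict, or None if it is not one."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep ZoneId / HostUrl casing as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    sect = cp["ZoneTransfer"]
    try:
        zone = int(sect.get("ZoneId", "-1"))
    except ValueError:
        zone = -1
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "host_url": sect.get("HostUrl"),
        "referrer_url": sect.get("ReferrerUrl"),
        # SmartScreen and Office Protected View act on Internet/Restricted zones
        "marked": zone >= 3,
    }


def read_motw(path):
    """Read a file's Zone.Identifier ADS on NTFS; None if absent or unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_motw(r"C:\Users\Admin\Downloads\EcoH Client.rar"))
```

On a Windows host the same stream is visible with Get-Content -Stream Zone.Identifier; an extracted libcurl.dll with no such stream explains why no SmartScreen prompt would precede rundll32 loading it.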

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 events)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (32 events)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (49 events)
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (2 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A (42 events)
N/A N/A C:\Users\Admin\Downloads\7z2406-x64.exe N/A (3 events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 1780 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 events)
PID 2524 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (31 events)
PID 2524 wrote to memory of 3928 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 events)
PID 2524 wrote to memory of 3360 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (29 events)
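All 64 write events recorded here are PID 2524, the Chrome browser process, writing into four of its own child processes (PIDs 1780, 4444, 3928 and 3360). Chromium's sandbox broker writes into each newly created sandboxed child during that child's startup, so this signature fires on ordinary browser activity. The distinction a reviewer needs is a known multi-process host writing into children with the same image versus a write into a process with a different image, which is the injection case. The Python below is an added example, not part of the report: it aggregates rows in this table's format (copied from above with their counts) into per-(source, target) pairs and assigns a verdict. The final row is constructed and hypothetical (rundll32 writing into explorer.exe; this report contains no such event) so the "review" path is exercised; SELF_WRITING_HOSTS is an assumption to extend with the multi-process applications in your own estate.

```python
"""Aggregate 'wrote to memory of' sandbox rows and separate self-writes from injection."""
import ntpath
import re
from collections import Counter

ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) "
    r"(?P<src_img>[A-Za-z]:\\.+?\.exe) (?P<dst_img>[A-Za-z]:\\.+?\.exe)$",
    re.IGNORECASE)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Rows from the table above, repeated as many times as the report lists them,
# plus one CONSTRUCTED hypothetical row (last) that is NOT in this report.
EVENTS = (
    [f"PID 2524 wrote to memory of 1780 N/A {CHROME} {CHROME}"] * 2
    + [f"PID 2524 wrote to memory of 4444 N/A {CHROME} {CHROME}"] * 31
    + [f"PID 2524 wrote to memory of 3928 N/A {CHROME} {CHROME}"] * 2
    + [f"PID 2524 wrote to memory of 3360 N/A {CHROME} {CHROME}"] * 29
    + [r"PID 5100 wrote to memory of 3392 N/A C:\Windows\system32\rundll32.exe C:\Windows\explorer.exe"]
)

# Assumption: browsers whose broker process writes into its own children by design.
SELF_WRITING_HOSTS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def triage_writes(rows):
    """Return one record per (source PID, target PID) with a write count and verdict."""
    counts = Counter()
    images = {}
    for row in rows:
        m = ROW.match(row.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        counts[key] += 1
        images[key] = (m["src_img"], m["dst_img"])
    result = []
    for key, n in sorted(counts.items()):
        src_img, dst_img = images[key]
        # ntpath so the Windows paths split correctly on any analysis host
        src_name = ntpath.basename(src_img).lower()
        dst_name = ntpath.basename(dst_img).lower()
        same_image = src_name == dst_name
        expected = same_image and src_name in SELF_WRITING_HOSTS
        result.append({"src_pid": key[0], "dst_pid": key[1], "writes": n,
                       "src": src_img, "dst": dst_img,
                       "verdict": "expected" if expected else "review"})
    return result


if __name__ == "__main__":
    for rec in triage_writes(EVENTS):
        print(f"{rec['verdict']:8} {rec['src_pid']} -> {rec['dst_pid']} "
              f"x{rec['writes']}  {ntpath.basename(rec['src'])} -> {ntpath.basename(rec['dst'])}")
```

A "review" verdict is only a starting point: confirm with the process tree that the target really is a foreign process and not a child the source created with CreateProcess itself.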

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libcurl.dll",#1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd824bab58,0x7ffd824bab68,0x7ffd824bab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3220 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4256 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2228 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2408 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4988 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5124 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4848 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5740 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Users\Admin\Downloads\7z2406-x64.exe

"C:\Users\Admin\Downloads\7z2406-x64.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5912 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5832 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5520 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5836 --field-trial-handle=1772,i,10386791432043856115,3971410618579251118,131072 /prefetch:2

C:\Users\Admin\Downloads\7z2406-x64.exe

"C:\Users\Admin\Downloads\7z2406-x64.exe"

C:\Users\Admin\Downloads\7z2406-x64.exe

"C:\Users\Admin\Downloads\7z2406-x64.exe"

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe"

C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe

"C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"

C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe

"C:\Users\Admin\Desktop\EcoH Client\Eco-H Revival.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

Network

Country  Destination            Domain                           Proto
GB       142.250.187.196:443    www.google.com                   udp
GB       142.250.187.196:443    www.google.com                   tcp
US       8.8.8.8:53             196.187.250.142.in-addr.arpa     udp
US       8.8.8.8:53             8.8.8.8.in-addr.arpa             udp
GB       142.250.200.14:443     apis.google.com                  udp
GB       172.217.169.46:443     play.google.com                  udp
GB       172.217.169.46:443     play.google.com                  tcp
GB       142.250.187.206:443    clients2.google.com              udp
GB       142.250.187.206:443    clients2.google.com              tcp
N/A      224.0.0.251:5353       -                                udp
NL       50.7.236.50:443        pixeldrain.com                   tcp
NL       50.7.236.50:443        pixeldrain.com                   tcp
DE       78.47.86.208:443       stats.pixeldrain.com             tcp
NL       50.7.236.50:443        pixeldrain.com                   tcp
DE       78.47.86.208:443       stats.pixeldrain.com             tcp
GB       142.250.187.196:443    www.google.com                   udp
GB       172.217.169.46:443     play.google.com                  udp
GB       2.18.66.170:443        -                                tcp
US       104.208.16.88:443      browser.pipe.aria.microsoft.com  tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
BE       88.221.83.200:443      r.bing.com                       tcp
GB       172.217.169.67:443     beacons.gcp.gvt2.com             tcp
GB       172.217.169.67:443     beacons.gcp.gvt2.com             tcp
GB       142.250.187.238:443    consent.google.com               tcp
DE       49.12.202.237:443      www.7-zip.org                    tcp
DE       49.12.202.237:443      www.7-zip.org                    tcp
GB       20.26.156.215:443      github.com                       tcp
US       185.199.109.133:443    objects.githubusercontent.com    tcp
US       4.150.240.254:443      arm-ring.msedge.net              tcp
US       8.8.8.8:53             t-ring-fdv2.msedge.net           udp
US       13.107.237.254:443     t-ring-fdv2.msedge.net           tcp
US       8.8.8.8:53             254.4.107.13.in-addr.arpa        udp
US       8.8.8.8:53             254.240.150.4.in-addr.arpa       udp
US       8.8.8.8:53             254.237.107.13.in-addr.arpa      udp
GB       142.250.187.196:443    www.google.com                   udp
GB       172.217.169.46:443     play.google.com                  udp
US       8.8.8.8:53             id.google.com                    udp
GB       142.250.200.3:443      id.google.com                    tcp
US       8.8.8.8:53             3.200.250.142.in-addr.arpa       udp
US       8.8.8.8:53             2.178.250.142.in-addr.arpa       udp
US       8.8.8.8:53             138.107.17.2.in-addr.arpa        udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa      udp
US       8.8.8.8:53             transfer.sh                      udp
DE       144.76.136.153:443     transfer.sh                      tcp
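
The Network table above mixes the sandbox's own browser and OS background traffic (Chrome, Bing/Edge telemetry, reverse-DNS lookups, the 7-Zip download made during the run) with the handful of destinations worth following up. The script below is an added example, not part of the report or of the sandbox's tooling. It parses rows in the report's own layout, keeping a row whose Domain column is absent (the mDNS multicast address and the bare 2.18.66.170 endpoint) rather than mis-assigning its columns, collapses repeated rows into hit counts, separates DNS-query rows (port 53 to the resolver) from the connections that actually reach a host, and sorts hosts into noise, unresolved and follow-up buckets. The noise suffix list and the follow-up label are the analyst's assumptions, not a verdict from the sandbox: pixeldrain.com and transfer.sh are flagged only because they are public file-hosting services; whether the sample itself, rather than the browser session, contacted them is something per-process network attribution has to show, and this table alone does not.

```python
"""Triage helper for the Network table of a sandbox report.

Added example, not part of the report or the sandbox's own tooling. It parses
rows in the report's "Country Destination Domain Proto" layout, where the
Domain column may be absent (multicast or unresolved endpoints), counts
repeated endpoints, and sorts hosts into noise / unresolved / follow-up buckets.
"""
from collections import Counter
from typing import NamedTuple, Optional


class Conn(NamedTuple):
    country: str
    dest: str                # "ip:port" exactly as printed in the report
    domain: Optional[str]    # None when the row has no Domain column
    proto: str


# Constructed input: a subset of rows copied from the Network table above.
SAMPLE_ROWS = """\
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 50.7.236.50:443 pixeldrain.com tcp
NL 50.7.236.50:443 pixeldrain.com tcp
DE 78.47.86.208:443 stats.pixeldrain.com tcp
GB 2.18.66.170:443 tcp
BE 88.221.83.200:443 r.bing.com tcp
BE 88.221.83.200:443 r.bing.com tcp
DE 49.12.202.237:443 www.7-zip.org tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
"""

# Assumption (analyst's, not the sandbox's): these suffixes are Chrome/Edge/OS
# background traffic, reverse-DNS lookups, and the 7-Zip download performed
# during the run, so they are not attributed to the sample.
NOISE_SUFFIXES = ("google.com", "gvt2.com", "bing.com", "microsoft.com",
                  "msedge.net", "in-addr.arpa", "7-zip.org")


def parse_rows(text: str) -> list:
    """Parse report rows; tolerate a header line and a missing Domain column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        else:                      # 3 tokens: no domain for this endpoint
            country, dest, proto = parts[0], parts[1], parts[-1]
            domain = None
        conns.append(Conn(country, dest, domain, proto))
    return conns


def count_endpoints(conns) -> Counter:
    """Collapse repeated rows into (dest, domain, proto) -> hit count."""
    return Counter((c.dest, c.domain, c.proto) for c in conns)


def is_noise(domain: str) -> bool:
    # Match on label boundaries so that e.g. "notgoogle.com" is not swallowed.
    return any(domain == s or domain.endswith("." + s) for s in NOISE_SUFFIXES)


def resolved_ips(conns) -> dict:
    """domain -> IPs actually connected to. Port-53 rows are DNS queries to the
    resolver (8.8.8.8 in this report), so they are skipped rather than being
    treated as the host's address."""
    out = {}
    for c in conns:
        if c.domain is None or c.dest.endswith(":53"):
            continue
        out.setdefault(c.domain, set()).add(c.dest.rsplit(":", 1)[0])
    return {d: sorted(ips) for d, ips in out.items()}


def triage(conns) -> dict:
    buckets = {"follow_up": set(), "noise": set(), "unresolved": set()}
    for c in conns:
        if c.domain is None:
            buckets["unresolved"].add(c.dest)
        elif is_noise(c.domain):
            buckets["noise"].add(c.domain)
        else:
            buckets["follow_up"].add(c.domain)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for key, n in count_endpoints(conns).most_common():
        print(n, *key)
    print(triage(conns))
    print(resolved_ips(conns))
```

To run it over the whole table, paste all rows from the report into SAMPLE_ROWS; the parser ignores the header line. The follow-up bucket is a starting list for correlating against the per-process network view and the Files section (the crdownload entry in Downloads and the Zone.Identifier streams), not a list of confirmed C2 hosts.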

Files

memory/3464-2-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/3464-1-0x0000000064940000-0x0000000064955000-memory.dmp

memory/3464-0-0x00007FFD82BA0000-0x00007FFD82C2A000-memory.dmp

\??\pipe\crashpad_2524_PXJNEZLJTXQNWVOC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 c31c2fe50f49820efb625e08b553b2a2
SHA1 26cfed5c16539ad98b267ead9271f05d65faf93a
SHA256 c71a678f588ad119962c253df538d1d24fc93b47fc7c02d43be63700a3dd253d
SHA512 0577ebaa398da7ee601a250e44bbc9202de4680fbf778bffd15b303e588d7e1e9405a310a4ecb11212ffb556c79709b7e18ddb744c20e3ef963318f66dbe6c52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 60670389268d02d98ac28745d2cb164a
SHA1 53b426b16348f6ce951b6c54dda828240a264dc9
SHA256 46d1af755cc9234347ca5761e3adbee185d95c2996e27448f8da654767c164d3
SHA512 04fdf38bec3bf95772eedfa994d4ef1d78878c7c0b6f0184fb001ee8b3ebf66245189c8f3f45b208b9eaa9bc32179a9d32c1f7ed8de737186bc3f5dd31d98f01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 5a2f670bac48f31e7b8e2a2a16018e25
SHA1 cf83aae1cb684fe57826514734d8a71cf671619c
SHA256 9dc8e629e2af35c9cd434766094a0c0e3fd75b974ca99e1813aa8885121335ae
SHA512 05ba685e26fcf2b29cac55f7b2eded5f84cd55eac0aa210779ad79c89abbfe56efc66e8ea0afdef7b178a97fb418cff53a32081aa42aac2176787a8d97136323

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 f967e8016f7a1a51630414751c8d8273
SHA1 12016c1418cf1adf3e97693b6201d711d1f35eef
SHA256 74e6f703345e0979c45055008840875c0157c276dc90898f0cd897d647017b92
SHA512 600370ba6a0f45bb7f2842dca1333e673d2b592548aaa4638ddc08a93fa32f2432873b26c4211a6a3fe07122eecfa16ce0afebcb4eb485cd106f12007a57e385

C:\Users\Admin\Downloads\EcoH Client.rar:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a3423eea70585444fcf4d8587d4f9028
SHA1 d705145f4368862e2c3d15e195fc4ceb39ba9399
SHA256 11edaa042cc1790160b24d143234b0b428c892ebd7606e0fc682e626f0e54caf
SHA512 e76ce28cd6c3e3693960a0ac57d579617c84fb668706d2af7dbd12f214850fd4b8d112da17ab7af773242cc914fd83bd00d0d0d02c48a22388d9c3a6748158db

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 50357fcd590818a542bc556e67fb78f2
SHA1 1826963d6cf12003f9073e9337d4831e92d09bdc
SHA256 22da45ac08d33a9039673c2d580ee437ff8232cea0f7b3407890f0bc25ad747c
SHA512 3b7144991a3da9afcebc15d77bc8aca0796b2390ff6a1bfcb46784fbe8a3c06ec76217a990fec27c1729fbb7f09ce6294b8f15bc1e3031baa4dfaa20a4b36b99

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 677c6418699ad8f2348eeaa4d0b4ab3a
SHA1 92a706fef9d48280cb83437a6e00213ca8fa9352
SHA256 80b391ee6dee785d9c459feea457b592c381678a4c892b290b840f65e976035a
SHA512 a47c92075a173b03bc79b1f508d43a8e049f8e6ca07616cef2bb8db96859a057619f2ba4fe2ce8697d90f2e6472baa008df226c9ac1ffde65f7fb46f7360cc93

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d954.TMP

MD5 29af30aad5215c5122ae4c95486382a2
SHA1 335e9b02da556f53b2c7fac22a5867c67cceaf64
SHA256 c2bdd5204d1f9131e8291e1a68b1aceb104b959bf17cae33bd5100fd3035f2f0
SHA512 7f630669b85ac6522e435f9a5a716451eb37c57966193ea87d0adb47223ae34e147aa0d987e55af9862d85e935b05e81aa1d0b2a807fa46f96ccf291e4c9d83f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 4f14a461daa497feefa76c753eb06370
SHA1 eec1c89431f251dc5eb405ca2792afa431c9ba65
SHA256 3d1e0a0a59a3eda4098c3955fc06873e76347850f8f5b3a25bc14ac5626959cf
SHA512 3f3b2c8e718039f0278e7a44c9dab089141e5fd3b5868278b3e9759d51d32572f168da8d7842f192d555d90c4dc9164a838fd52e4ef15d4f5fafc83f2484c185

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a936803d2ea43519f44a6d17228a5f9d
SHA1 8e6ddf5f8c2bd57868f651bda263b62eedaa6ad4
SHA256 1c71a1838862b36c036a7d5f842b4525ed170954f0a4ee7e2b60f4ebf297a95f
SHA512 c3b45b6bf6fd887b11d3dee808dc786c747ff776b6ae391303fdc8ace178c743103ecc44ab8e3e7ddeef87242ed97149dd918733e47924f2dcad284bc9fc42e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 e4e08de1dffbdd8c3e77c290c628abfc
SHA1 56c13bf0c935ee5396ee9dc792c019f583ecfc0b
SHA256 7d718d46063bf8c01e410db2fe5987a88aafb9191c090091992c77864bbc2c9b
SHA512 85e0ab5457e0255f0ac0d2ce9d6a57423de089f3f685481f0ce3e79c4452d932962d3c689d96a289df77e82bc7dcadf2c51e70643620e270ad39bd5412be7729

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 49dbc85bcfe62712b84625ab8625e67a
SHA1 5adfa39dde7d19d48e5a13eb2bc24c0aadb6d451
SHA256 389787b84e31bc9b741e84cbae535032927f850339164fc66689f47d74dd1bfc
SHA512 396d1efa3340cdd96070fa313d61e3767e9607b6f2c8083620c828d4d3e5f53a881fd204df2d04f5527faf203b2fb22994e53be14f12c3cb5e7793f16186e876

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 51dc14e4951e02d4f4bb3d9775969556
SHA1 f8b8aa6c76d9967eda0c56fde6eb103839d4e8f2
SHA256 46821892afe89da55c189ffcb22315db6152f768bd5ade2c5f9627f144983a34
SHA512 85a64c3f081cd6448937cd8cebadd74b3acc1382be7e0b1909bf2d762fd1f96122520b6ad8f0edf6ff813c31df4f81c77fff32e632a19b7949930d954de77dd4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a3f9d4d746725308fcd9811f11909e6b
SHA1 5c45b87f144368c8ac45f323e332d5018f7a18fe
SHA256 0791e13c2ee33706b26530d5f9b0d502d8fd76961fe4ea6ad147e826ffb0c359
SHA512 bf594a3895986a587485c08e0c090d90c7900102579478d919fb63a7790e7b86c66fe98c41514bc0e159dad8e895d371881690a75399c8c67b9d88c92bca534e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 1621a79ae4e1997de73c6ec7a4ba9ec7
SHA1 00178153046d6d076aab91ec912182c1b43fb29f
SHA256 d81a830b5732a67d2af71f929e22b556d66b6c34aef75f5a45882c3dc29cebc8
SHA512 860e66740449bbd7f0362e87bdb9a82508d7c0a6d6946927fad7a20397fb10aca008b7a666b946c712e07dfd0e6c85fcbff3506aabf0f03338bdd1988d1a74d9

C:\Users\Admin\Downloads\Unconfirmed 376862.crdownload

MD5 d8af785ca5752bae36e8af5a2f912d81
SHA1 54da15671ad8a765f3213912cba8ebd8dac1f254
SHA256 6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807
SHA512 b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75

C:\Users\Admin\Downloads\7z2406-x64.exe:Zone.Identifier

MD5 6a98c115becde12a2fd55b62da2a91e9
SHA1 93d4f922e009a8518744f47977299407f8470204
SHA256 9cafaf53c8abd05ad8f5fe2e517dbb910945f659c2e11811d6bc346167819c90
SHA512 24045a19d6f100c112244b6b1602209803050ed611f798ed32ad44ebfbb8e4e18ae3622e178f119d0347d663ad14d938fc2433771d8f152e156aa299e340eac9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 6aad651ae76796e5bc048586f36d63d9
SHA1 3410a3eadf164003c814c286ea73eb7e36a1ee4f
SHA256 f38bcf54e7a165aa423426ac3e57a753caa93ef41c9987c726423ea94203f45a
SHA512 5e25a579c60bacdc515bcf685e552c509538662b74d8c6fd6ca3c45eb68127fe7d3294e8c681e884e8f84f8f69b5f664d85f6596c95ad30f9a96d08925816d8e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e1fc8378a6279aa3c989e48c9e6be601
SHA1 a5800b6f8c138f218d6edd032b712a3164c2d8eb
SHA256 7b6f6192ac6932c4a008e27c484714c39ebf58125c45923a1d46be1a26b1c0df
SHA512 c7736390a842c466f383c1ff9f2319bf2b9f4ac55650af8a038d771738e5a734acf2355a81605aca225264f82a3e2c5d142210b3c39591a69f89ee638686d974

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1011c2254eb18e6dc39846f65ce4d889
SHA1 aef2d73573913a023a760184ca00c4d61d81196c
SHA256 51793564d3d5d9701293612a5a7496bb6a085631ca3963f817eda841d9c1a6eb
SHA512 7096a56f965729b7936a8593613c07e286479c1e0aa9b1beda23c86cdb8155ec7d3ed34e234e943911c177494f37964104e426f5accfbd9951f8ab3a2f827c6b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 67c437863f3a1a64c978713dfb43dda5
SHA1 d3f7a1c780c4952b6dd178118abb15bcda48450a
SHA256 c8acbba3ba1934d406e741fcc24ae60894879245b171f1abf653b79ac0742f54
SHA512 ff90e97440898f001d74f5b5a8f4f3e34c3780c5905035aa160eeb285901a386a02688f709f14386bf41310cebbcff457ac4d9526e886bcf93f71266ff6ba72d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

MD5 caaa5222d179a24ca5540080c7018b99
SHA1 1f415a7a73a12a4c16f25709504f4e4e4beae9dd
SHA256 b729255f2e984a20fa0f0eb07e08368cf468fd17ff27a7d1dbb4042ec261d8cf
SHA512 71b4f878aa154ba4a8523c2e36faa8dbe3cfafa082b18796d8b69539dee9506253b9e55fc9b71cc2c9027d22ae08587b0e2ddadbc8d3395dbb73584d1ca1ebcc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 02d5e234d3a93eef6e7fc86a30343f7f
SHA1 0144051bcfe265c686471837067ab11b40752d9b
SHA256 65c430e95436cbbd8d006d10becb823ccb1d600230d1911f3a05cf1ee599c8c5
SHA512 3f6475d9b03204bc9845754cc030d1cb46a898f202d2e72f018ea1feb0d43d6d46d49b14752d8862924b9bfde9ca0dba11d32f26d9920965352cc65bbb252404

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 3bb453bde58b75b8e63b5eb0ef3c933d
SHA1 d0ba84fdc2b5af4f75e610837d3e6dd5324829eb
SHA256 d7ea828fa2edcfbfe4b49138c0b68503282cfe2178adc693b68ceb89e2748fc6
SHA512 6aba9766bb41fb13bf3a29eb73ad77b3234c9b9aae95a05a8547ac4fa2148588a3bab0b509c4b94a0678d0bfb456bfe213c0e3dca3abcad9480f1e1e09ea20d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 610b2add83ccdf35eb1b4b8d7c9e6d54
SHA1 f9126253fa63105132c2b53a05a26e71ccb9a93b
SHA256 1be8e6547656012ee1b3dcaaa1559e7090038f6ff7683086ec6bd697c915e87b
SHA512 8141201bef6d851c75134f374f11cfe71d5118ea9f6b7ef8ea45d8cb93b8240c0ce6c9fb008715ea1060753936f58cbc3299ecca4ecb09de123f15a33557fc52

C:\Program Files\7-Zip\7-zip.chm

MD5 3073686bd3abcdbf2148be7624388e8a
SHA1 8da958c7671b7e3b8aa8052e6608860e8e3349a6
SHA256 1a3a2bfcd5b14d0b014ecdf961b44f975b4bfe1f2284bd4fbef7da0befba5da8
SHA512 34f18ac283d38b2082da7ec44b10bde90338d408394d22af53c4b0aea2631d887f6455566633b665543643753231e5a06a505dc59ab8be0fe99022dd360e6502

C:\Program Files\7-Zip\descript.ion

MD5 eb7e322bdc62614e49ded60e0fb23845
SHA1 1bb477811ecdb01457790c46217b61cb53153b75
SHA256 1da513f5a4e8018b9ae143884eb3eaf72454b606fd51f2401b7cfd9be4dbbf4f
SHA512 8160b581a3f237d87e664d93310f5e85a42df793b3e22390093f9fb9a0a39950be6df2a713b55259fce5d5411d0499886a8039288d9481b4095fabadddbebb60

C:\Program Files\7-Zip\Lang\an.txt

MD5 f16218139e027338a16c3199091d0600
SHA1 da48140a4c033eea217e97118f595394195a15d5
SHA256 3ab9f7aacd38c4cde814f86bc37eec2b9df8d0dddb95fc1d09a5f5bcb11f0eeb
SHA512 b2e99d70d1a7a2a1bfa2ffb61f3ca2d1b18591c4707e4c6c5efb9becdd205d646b3baa0e8cbd28ce297d7830d3dfb8f737266c66e53a83bdbe58b117f8e3ae14

C:\Program Files\7-Zip\Lang\af.txt

MD5 df216fae5b13d3c3afe87e405fd34b97
SHA1 787ccb4e18fc2f12a6528adbb7d428397fc4678a
SHA256 9cf684ea88ea5a479f510750e4089aee60bbb2452aa85285312bafcc02c10a34
SHA512 a6eee3d60b88f9676200b40ca9c44cc4e64cf555d9b8788d4fde05e05b8ca5da1d2c7a72114a18358829858d10f2beff094afd3bc12b370460800040537cff68

C:\Program Files\7-Zip\History.txt

MD5 6b604af1dc25151fdcac458b6fe81a12
SHA1 59dea20ca7210206664e4ac21daae7397f267564
SHA256 0d8d0b046fa8798d4ebc3d14fd7f8bfb88fa130d0e58826f4c15d0b981acc553
SHA512 530319be3442eb276389ff66769820b4ed1a9c4ff0796430c6425206630245f5b19ecc9af09c7ae811bded22d401025fed898b3e37ac9dae5b1905516fc92fdb

C:\Program Files\7-Zip\Lang\ast.txt

MD5 1cf6411ff9154a34afb512901ba3ee02
SHA1 958f7ff322475f16ca44728349934bc2f7309423
SHA256 f5f2174daf36e65790c7f0e9a4496b12e14816dad2ee5b1d48a52307076be35f
SHA512 b554c1ab165a6344982533cceed316d7f73b5b94ce483b5dc6fb1f492c6b1914773027d31c35d60ab9408669520ea0785dc0d934d3b2eb4d78570ff7ccbfcf9c

C:\Program Files\7-Zip\Lang\fa.txt

MD5 741e0235c771e803c1b2a0b0549eac9d
SHA1 7839ae307e2690721ad11143e076c77d3b699a3c
SHA256 657f2aceb60d557f907603568b0096f9d94143ff5a624262bbfeb019d45d06d7
SHA512 f8662732464fa6a20f35edcce066048a6ba6811f5e56e9ca3d9aa0d198fc9517642b4f659a46d8cb8c87e890adc055433fa71380fb50189bc103d7fbb87e0be5

C:\Program Files\7-Zip\Lang\ext.txt

MD5 459b9c72a423304ffbc7901f81588337
SHA1 0ba0a0d9668c53f0184c99e9580b90ff308d79be
SHA256 8075fd31b4ebb54603f69abb59d383dcef2f5b66a9f63bb9554027fd2949671c
SHA512 033ced457609563e0f98c66493f665b557ddd26fab9a603e9de97978d9f28465c5ac09e96f5f8e0ecd502d73df29305a7e2b8a0ad4ee50777a75d6ab8d996d7f

C:\Program Files\7-Zip\Lang\eu.txt

MD5 c90cd9f1e3d05b80aba527eb765cbf13
SHA1 66d1e1b250e2288f1e81322edc3a272fc4d0fffc
SHA256 a1c9d46b0639878951538f531bba69aeddd61e6ad5229e3bf9c458196851c7d8
SHA512 439375d01799da3500dfa48c54eb46f7b971a299dfebff31492f39887d53ed83df284ef196eb8bc07d99d0ec92be08a1bf1a7dbf0ce9823c85449cc6f948f24c

C:\Program Files\7-Zip\Lang\et.txt

MD5 d6a50c4139d0973776fc294ee775c2ac
SHA1 1881d68ae10d7eb53291b80bd527a856304078a0
SHA256 6b2718882bb47e905f1fdd7b75ece5cc233904203c1407c6f0dcdc5e08e276da
SHA512 0fd14b4fd9b613d04ef8747dcd6a47f6f7777ac35c847387c0ea4b217f198aa8ac54ea1698419d4122b808f852e9110d1780edcb61a4057c1e2774aa5382e727

C:\Program Files\7-Zip\Lang\es.txt

MD5 ed230f9f52ef20a79c4bed8a9fefdf21
SHA1 ec0153260b58438ad17faf1a506b22ad0fec1bdc
SHA256 7199b362f43e9dca2049c0eeb8b1bb443488ca87e12d7dda0f717b2adbdb7f95
SHA512 32f0e954235420a535291cf58b823baacf4a84723231a8636c093061a8c64fcd0952c414fc5bc7080fd8e93f050505d308e834fea44b8ab84802d8449f076bc9

C:\Program Files\7-Zip\Lang\eo.txt

MD5 29caad3b73f6557f0306f4f6c6338235
SHA1 d4b3147f23c75de84287ad501e7403e0fce69921
SHA256 a6ef5a5a1e28d406fd78079d9cacf819b047a296adc7083d34f2bfb3d071e5af
SHA512 77618995d9cf90603c5d4ad60262832d8ad64c91a5e6944efd447a5cc082a381666d986bb294d7982c8721b0113f867b86490ca11bb3d46980132c9e4df1bd92

C:\Program Files\7-Zip\Lang\en.ttt

MD5 bf2e140e9d30d6c51d372638ba7f4bd9
SHA1 a4358379a21a050252d738f6987df587c0bd373d
SHA256 c218145bb039e1fd042fb1f5425b634a4bdc1f40b13801e33ed36cfdbda063ed
SHA512 b524388f7476c9a43e841746764ff59bdb1f8a1b4299353156081a854ee4435b94b34b1a87c299ec23f8909e0652222595b3177ee0392e3b8c0ff0a818db7f9a

C:\Program Files\7-Zip\Lang\el.txt

MD5 5894a446df1321fbdda52a11ff402295
SHA1 a08bf21d20f8ec0fc305c87c71e2c94b98a075a4
SHA256 2dd2130f94d31262b12680c080c96b38ad55c1007f9e610ec8473d4bb13d2908
SHA512 0a2c3d24e7e9add3ca583c09a63ba130d0088ed36947b9f7b02bb48be4d30ef8dc6b8d788535a941f74a7992566b969adf3bd729665e61bfe22b67075766f8de

C:\Program Files\7-Zip\Lang\de.txt

MD5 1e30a705da680aaeceaec26dcf2981de
SHA1 965c8ed225fb3a914f63164e0df2d5a24255c3d0
SHA256 895f76bfa4b1165e4c5a11bdab70a774e7d05d4bbdaec0230f29dcc85d5d3563
SHA512 ff96e6578a1ee38db309e72a33f5de7960edcc260ca1f5d899a822c78595cc761fedbdcdd10050378c02d8a36718d76c18c6796498e2574501011f9d988da701

C:\Program Files\7-Zip\Lang\da.txt

MD5 c397e8ac4b966e1476adbce006bb49e4
SHA1 3e473e3bc11bd828a1e60225273d47c8121f3f2c
SHA256 5ccd481367f7d8c544de6177187aff53f1143ae451ae755ce9ed9b52c5f5d478
SHA512 cbbece415d16b9984c82bd8fa4c03dbd1fec58ed04e9ef0a860b74d451d03d1c7e07b23b3e652374a3b9128a7987414074c2a281087f24a77873cc45ec5aadd2

C:\Program Files\7-Zip\Lang\cy.txt

MD5 6bdf25354b531370754506223b146600
SHA1 c2487c59eeeaa5c0bdb19d826fb1e926d691358e
SHA256 470eaf5e67f5ead5b8c3ecc1b5b21b29d16c73591eb0047b681660346e25b3fb
SHA512 c357b07c176175cc36a85c42d91b0cada79dbfb584bdf57f22a6cb11898f88aecf4392037d5cea3e1bc02df7493bb27b9509226f810f1875105bbc33c6ae3f20

C:\Program Files\7-Zip\Lang\cs.txt

MD5 dbdcfc996677513ea17c583511a5323b
SHA1 d655664bc98389ed916bed719203f286bab79d3c
SHA256 a6e329f37aca346ef64f2c08cc36568d5383d5b325c0caf758857ed3ff3953f2
SHA512 df495a8e8d50d7ec24abb55ce66b7e9b8118af63db3eb2153a321792d809f7559e41de3a9c16800347623ab10292aac2e1761b716cb5080e99a5c8726f7cc113

C:\Program Files\7-Zip\Lang\co.txt

MD5 de64842f09051e3af6792930a0456b16
SHA1 498b92a35f2a14101183ebe8a22c381610794465
SHA256 dcfb95b47a4435eb7504b804da47302d8a62bbe450dadf1a34baea51c7f60c77
SHA512 5dabeed739a753fd20807400dfc84f7bf1eb544704660a74afcf4e0205b7c71f1ddcf9f79ac2f7b63579735a38e224685b0125c49568cbde2d9d6add4c7d0ed8

C:\Program Files\7-Zip\Lang\ca.txt

MD5 264fb4b86bcfb77de221e063beebd832
SHA1 a2eb0a43ea4002c2d8b5817a207eb24296336a20
SHA256 07b5c0ac13d62882bf59db528168b6f0ffdf921d5442fae46319e84c90be3203
SHA512 8d1a73e902c50fd390b9372483ebd2ec58d588bacf0a3b8c8b9474657c67705b6a284bb16bba4326d314c7a3cc11caf320da38d5acb42e685ed2f8a8b6f411f4

C:\Program Files\7-Zip\Lang\br.txt

MD5 07504a4edab058c2f67c8bcb95c605dd
SHA1 3e2ae05865fb474f10b396bfefd453c074f822fa
SHA256 432bdb3eaa9953b084ee14eee8fe0abbc1b384cbdd984ccf35f0415d45aabba8
SHA512 b3f54d695c2a12e97c93af4df09ce1800b49e40302bec7071a151f13866edfdfafc56f70de07686650a46a8664608d8d3ea38c2939f2f1630ce0bf968d669ccc

C:\Program Files\7-Zip\Lang\bn.txt

MD5 771c8b73a374cb30df4df682d9c40edf
SHA1 46aa892c3553bddc159a2c470bd317d1f7b8af2a
SHA256 3f55b2ec5033c39c159593c6f5ece667b92f32938b38fcaf58b4b2a98176c1fc
SHA512 8dcc9cc13322c4504ee49111e1f674809892900709290e58a4e219053b1f78747780e1266e1f4128c0c526c8c37b1a5d1a452eefba2890e3a5190eebe30657ba

C:\Program Files\7-Zip\Lang\bg.txt

MD5 2d0c8197d84a083ef904f8f5608afe46
SHA1 5ae918d2bb3e9337538ef204342c5a1d690c7b02
SHA256 62c6f410d011a109abecb79caa24d8aeb98b0046d329d611a4d07e66460eef3f
SHA512 3243d24bc9fdb59e1964e4be353c10b6e9d4229ef903a5ace9c0cb6e1689403173b11db022ca2244c1ef0f568be95f21915083a8c5b016f07752026d332878a4

C:\Program Files\7-Zip\Lang\be.txt

MD5 b1dd654e9d8c8c1b001f7b3a15d7b5d3
SHA1 5a933ae8204163c90c00d97ba0c589f4d9f3f532
SHA256 32071222af04465a3d98bb30e253579aa4beceaeb6b21ac7c15b25f46620bf30
SHA512 0137900aeb21f53e4af4027ea15eed7696ed0156577fe6194c2b2097f5fb9d201e7e9d52a51a26ae9a426f8137692154d80676f8705f335fed9ae7e0e1d0a10e

C:\Program Files\7-Zip\Lang\ba.txt

MD5 387ff78cf5f524fc44640f3025746145
SHA1 8480e549d00003de262b54bc342af66049c43d3b
SHA256 8a85c3fcb5f81157490971ee4f5e6b9e4f80be69a802ebed04e6724ce859713f
SHA512 7851633ee62c00fa2c68f6f59220a836307e6dde37eae5e5dca3ca254d167e305fe1eb342f93112032dadafe9e9608c97036ac489761f7bdc776a98337152344

C:\Program Files\7-Zip\Lang\az.txt

MD5 3c297fbe9b1ed5582beabfc112b55523
SHA1 c605c20acf399a90ac9937935b4dbdb64fad9c9f
SHA256 055ec86aed86abbdbd52d8e99fec6e868d073a6df92c60225add16676994c314
SHA512 417984a749471770157c44737ee76bfd3655ef855956be797433dadc2a71e12359454cc817b5c31c6af811067d658429a8706e15625bf4ca9f0db7586f0ae183

C:\Program Files\7-Zip\Lang\ar.txt

MD5 5747381dc970306051432b18fb2236f2
SHA1 20c65850073308e498b63e5937af68b2e21c66f3
SHA256 85a26c7b59d6d9932f71518ccd03eceeba42043cb1707719b72bfc348c1c1d72
SHA512 3306e15b2c9bb2751b626f6f726de0bcafdc41487ba11fabfcef0a6a798572b29f2ee95384ff347b3b83b310444aaeec23e12bb3ddd7567222a0dd275b0180ff

C:\Program Files\7-Zip\7zFM.exe

MD5 5764deed342ca47eb4b97ae94eedc524
SHA1 e9cbefd32e5ddd0d914e98cfb0df2592bebc5987
SHA256 c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f
SHA512 6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5f913802b16f5e3aa928e6487db99af2
SHA1 01fd3cfc002661ddead95097903bd94ccc3c0485
SHA256 fb87ab6504f6eb035f40e86a4f3d9b38c99c3b8e48087b13f3506c35a0a5d549
SHA512 28cb74193ef30e2eac9720b5efc1e6034a2499406942f7897a5642768e33724cebb92e7664464cfcb54778272b3217d60ff8ea5d3f29f25df5a810061c47c89c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 a450b346c7f81262db2468e8bdc6b567
SHA1 7eb04ce0661b660caf60eec843290cfa487e9ea2
SHA256 aa0bce708614713210cbe6e28bdbd44a7cf44ab94f286839134bd72b85ffc1fb
SHA512 39fadc7504a920dc0de4c3a9a3ab93ee3349305a909978b38d5a40a65f81568a565c28f3b96530462e3950f3acb49b986f930762107aab16d163a9ccb48e6964

C:\Users\Admin\AppData\Local\Temp\7zE8476FEAA\EcoH Client\data\shader\vulkan\spritemulti.frag.spv

MD5 c40ce2c551aac2dd72a74b67dd7644fe
SHA1 2bcea92975d2bb4d5853a2bc20fcd0c9dd9ffa60
SHA256 2f91be33933bdbd054b251ffe7b4c0843b73b443ce0505d9d6f1ac94760b2ea1
SHA512 e59d461dc9d11516b892e58cc7faf35a5d30190aab43d5cc330b419f6803005d2dd086c7eb0903f39aeac09f10282f62a64ba14a49d621677c578b76d66048b6

memory/1256-2502-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2501-0x0000018C64570000-0x0000018C64571000-memory.dmp

memory/1256-2506-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2514-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2536-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2538-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2534-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2532-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2530-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2528-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2526-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2524-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2522-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2520-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2518-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2516-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2512-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2510-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2508-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2504-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2540-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2542-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2544-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2546-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2548-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2550-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2552-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2554-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2556-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2558-0x0000018C64580000-0x0000018C64581000-memory.dmp

memory/1256-2560-0x0000018C64580000-0x0000018C64581000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 7db36caad14d3175b0ff5215ee73f1b1
SHA1 f6cde00609610ccaea6d9f2de19257f8b15c6bd9
SHA256 e5479a7a585f4a7bccfb3a068341e06c27dcb1fbf1078a0439df2fce5a0cb7db
SHA512 2b4eb4e833cc4443c0938d669feb45da57a616f622ca53289057b9e90e73fe9018c2384d8abb7eaee189b9dd0bb0076dd9822f33d9aba992233799f7ed8af76b

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

124s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_convert_07.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_convert_07.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\map_convert_07.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2404-2-0x00007FFD44240000-0x00007FFD4428D000-memory.dmp

memory/2404-5-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/2404-4-0x00007FFD4AB20000-0x00007FFD4AB2E000-memory.dmp

memory/2404-3-0x0000000064940000-0x0000000064955000-memory.dmp

memory/2404-1-0x00007FFD44410000-0x00007FFD4449A000-memory.dmp

memory/2404-0-0x00007FF75B060000-0x00007FF75B219000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

88s

Max time network

94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\swresample-4.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\swresample-4.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240419-en

Max time kernel

129s

Max time network

146s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\swscale-7.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\swscale-7.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240508-en

Max time kernel

143s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\symsrv.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\symsrv.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:03

Platform

win11-20240611-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe"

C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\Eco-H Revival.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

Network

Country Destination Domain Proto
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI37682\python310.dll

MD5 c80b5cb43e5fe7948c3562c1fff1254e
SHA1 f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256 058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512 faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

C:\Users\Admin\AppData\Local\Temp\_MEI37682\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

C:\Users\Admin\AppData\Local\Temp\_MEI37682\base_library.zip

MD5 0239a8c77b984b0e64042cff9320e51d
SHA1 86ce543744a1cf87ea0df46617e11a53fab5a6d3
SHA256 e3a2a9396e764876d50b94db11447e14fd1c91514ecc289e3c762e48af6362d9
SHA512 7010751f3e4c3ab7a4a5f041ab89e488a230b3f55ead8b32550bd20b5c921e0f17ab6b1eba3c8f8ff6806d58af9e3e04c64120c0c4d0048b31b3438802d7f782

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_ctypes.pyd

MD5 87596db63925dbfe4d5f0f36394d7ab0
SHA1 ad1dd48bbc078fe0a2354c28cb33f92a7e64907e
SHA256 92d7954d9099762d81c1ae2836c11b6ba58c1883fde8eeefe387cc93f2f6afb4
SHA512 e6d63e6fe1c3bd79f1e39cb09b6f56589f0ee80fd4f4638002fe026752bfa65457982adbef13150fa2f36e68771262d9378971023e07a75d710026ed37e83d7b

C:\Users\Admin\AppData\Local\Temp\_MEI37682\python3.DLL

MD5 07bd9f1e651ad2409fd0b7d706be6071
SHA1 dfeb2221527474a681d6d8b16a5c378847c59d33
SHA256 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5
SHA512 def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

C:\Users\Admin\AppData\Local\Temp\_MEI37682\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI37682\select.pyd

MD5 adc412384b7e1254d11e62e451def8e9
SHA1 04e6dff4a65234406b9bc9d9f2dcfe8e30481829
SHA256 68b80009ab656ffe811d680585fac3d4f9c1b45f29d48c67ea2b3580ec4d86a1
SHA512 f250f1236882668b2686bd42e1c334c60da7abec3a208ebebdee84a74d7c4c6b1bc79eed7241bc7012e4ef70a6651a32aa00e32a83f402475b479633581e0b07

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_pytransform.dll

MD5 35b49ccb0516cb0e1180e95aa657aaa9
SHA1 f6e4c4a993dbaa276f321d7135f96c8df522eef8
SHA256 dcc65393ae46df9d5721ad167c227019631325e744226e4285ef9bb295a7cfb1
SHA512 921bc6d1c3be4f87b53697fa17ccaa488e31162322aef5fa256c8f79b5566c488d4485bc0fc4102f69b14a59b0711449ee18e52b3c671ccefa7efd6e0848a09a

memory/1500-120-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-118-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-116-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-114-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-112-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-110-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-108-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-106-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-104-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-102-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-100-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-98-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-96-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-94-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-92-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-90-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-88-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-86-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-84-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-82-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-80-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-78-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-76-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-74-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-72-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-70-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-68-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-66-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-64-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-62-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-60-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-58-0x0000021C9D680000-0x0000021C9D681000-memory.dmp

memory/1500-57-0x0000021C9D670000-0x0000021C9D671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_socket.pyd

MD5 e137df498c120d6ac64ea1281bcab600
SHA1 b515e09868e9023d43991a05c113b2b662183cfe
SHA256 8046bf64e463d5aa38d13525891156131cf997c2e6cdf47527bc352f00f5c90a
SHA512 cc2772d282b81873aa7c5cba5939d232cceb6be0908b211edb18c25a17cbdb5072f102c0d6b7bc9b6b2f1f787b56ab1bc9be731bb9e98885c17e26a09c2beb90

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_lzma.pyd

MD5 b5fbc034ad7c70a2ad1eb34d08b36cf8
SHA1 4efe3f21be36095673d949cceac928e11522b29c
SHA256 80a6ebe46f43ffa93bbdbfc83e67d6f44a44055de1439b06e4dd2983cb243df6
SHA512 e7185da748502b645030c96d3345d75814ba5fd95a997c2d1c923d981c44d5b90db64faf77ddbbdc805769af1bec37daf0ecee0930a248b67a1c2d92b59c250c

C:\Users\Admin\AppData\Local\Temp\_MEI37682\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\_MEI37682\VCRUNTIME140_1.dll

MD5 75e78e4bf561031d39f86143753400ff
SHA1 324c2a99e39f8992459495182677e91656a05206
SHA256 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e
SHA512 ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

C:\Users\Admin\AppData\Local\Temp\_MEI37682\MSVCP140.dll

MD5 1ba6d1cf0508775096f9e121a24e5863
SHA1 df552810d779476610da3c8b956cc921ed6c91ae
SHA256 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_brotli.cp310-win_amd64.pyd

MD5 6d44fd95c62c6415999ebc01af40574b
SHA1 a5aee5e107d883d1490257c9702913c12b49b22a
SHA256 58bacb135729a70102356c2d110651f1735bf40a602858941e13bdeabfacab4a
SHA512 59b6c07079f979ad4a27ec394eab3fdd2d2d15d106544246fe38f4eb1c9e12672f11d4a8efb5a2a508690ce2677edfac85eb793e2f6a5f8781b258c421119ff3

C:\Users\Admin\AppData\Local\Temp\_MEI37682\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_ssl.pyd

MD5 35f66ad429cd636bcad858238c596828
SHA1 ad4534a266f77a9cdce7b97818531ce20364cb65
SHA256 58b772b53bfe898513c0eb264ae4fa47ed3d8f256bc8f70202356d20f9ecb6dc
SHA512 1cca8e6c3a21a8b05cc7518bd62c4e3f57937910f2a310e00f13f60f6a94728ef2004a2f4a3d133755139c3a45b252e6db76987b6b78bc8269a21ad5890356ad

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_hashlib.pyd

MD5 49ce7a28e1c0eb65a9a583a6ba44fa3b
SHA1 dcfbee380e7d6c88128a807f381a831b6a752f10
SHA256 1be5cfd06a782b2ae8e4629d9d035cbc487074e8f63b9773c85e317be29c0430
SHA512 cf1f96d6d61ecb2997bb541e9eda7082ef4a445d3dd411ce6fd71b0dfe672f4dfaddf36ae0fb7d5f6d1345fbd90c19961a8f35328332cdaa232f322c0bf9a1f9

C:\Users\Admin\AppData\Local\Temp\_MEI37682\zstandard\backend_c.cp310-win_amd64.pyd

MD5 4ec296c5608d46afdb37048b920a676b
SHA1 c94c21c9e9621940f59bcec2f6a576a991b42a03
SHA256 a0f31c62e0c1b25857330afa3d8c23b68d2e2b1d18ffc6d69ffb3db481fae40d
SHA512 7c49668bc1e9cca2b07533ae7e1dfac27a6c660ddb33553b0300a3946188d32e471bcae1c1cc203388b21265bdcf04fcbfae94c767537dca5f3dc8d17be34e24

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_queue.pyd

MD5 23f4becf6a1df36aee468bb0949ac2bc
SHA1 a0e027d79a281981f97343f2d0e7322b9fe9b441
SHA256 09c5faf270fd63bde6c45cc53b05160262c7ca47d4c37825ed3e15d479daee66
SHA512 3ee5b3b7583be1408c0e1e1c885512445a7e47a69ff874508e8f0a00a66a40a0e828ce33e6f30ddc3ac518d69e4bb96c8b36011fb4ededf9a9630ef98a14893b

C:\Users\Admin\AppData\Local\Temp\_MEI37682\_bz2.pyd

MD5 a4b636201605067b676cc43784ae5570
SHA1 e9f49d0fc75f25743d04ce23c496eb5f89e72a9a
SHA256 f178e29921c04fb68cc08b1e5d1181e5df8ce1de38a968778e27990f4a69973c
SHA512 02096bc36c7a9ecfa1712fe738b5ef8b78c6964e0e363136166657c153727b870a6a44c1e1ec9b81289d1aa0af9c85f1a37b95b667103edc2d3916280b6a9488

C:\Users\Admin\AppData\Local\Temp\_MEI37682\unicodedata.pyd

MD5 102bbbb1f33ce7c007aac08fe0a1a97e
SHA1 9a8601bea3e7d4c2fa6394611611cda4fc76e219
SHA256 2cf6c5dea30bb0584991b2065c052c22d258b6e15384447dcea193fdcac5f758
SHA512 a07731f314e73f7a9ea73576a89ccb8a0e55e53f9b5b82f53121b97b1814d905b17a2da9bd2eda9f9354fc3f15e3dea7a613d7c9bc98c36bba653743b24dfc32

C:\Users\Admin\AppData\Local\Temp\_MEI37682\certifi\cacert.pem

MD5 3dcd08b803fbb28231e18b5d1eef4258
SHA1 b81ea40b943cd8a0c341f3a13e5bc05090b5a72a
SHA256 de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e
SHA512 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240419-en

Max time kernel

132s

Max time network

149s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avutil-58.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\avutil-58.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3144-1-0x0000000064940000-0x0000000064955000-memory.dmp

memory/3144-0-0x00007FFB81EB0000-0x00007FFB820B4000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240611-en

Max time kernel

12s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_store.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_store.exe

"C:\Users\Admin\AppData\Local\Temp\EcoH Client\config_store.exe"

Network

N/A

Files

memory/2904-4-0x0000000062E80000-0x0000000062EA6000-memory.dmp

memory/2904-3-0x00007FFD48270000-0x00007FFD482FA000-memory.dmp

memory/2904-1-0x00007FFD4E850000-0x00007FFD4E85E000-memory.dmp

memory/2904-2-0x0000000064940000-0x0000000064955000-memory.dmp

memory/2904-0-0x00007FF7A2420000-0x00007FF7A2515000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-18 15:00

Reported

2024-06-18 15:04

Platform

win11-20240611-en

Max time kernel

147s

Max time network

156s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libwinpthread-1.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\EcoH Client\libwinpthread-1.dll",#1

Network

N/A

Files

N/A