4bf7c84949d8e672e7244e1d36d93575eabeb825bf60b209885e317bbbd431e2

Resubmissions

29-06-2024 19:15

240629-xyjj7aterh 8

15-05-2024 20:40

06-05-2024 19:45

01-05-2024 19:15

27-04-2024 10:03

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-06-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EcosiaInstaller.exe
Size

1.0MB
MD5

ead03cdd9d3398c50ffd82d1f1021d53
SHA1

24b37f404d510f4eb7807dd89de20e936fc18190
SHA256

4bf7c84949d8e672e7244e1d36d93575eabeb825bf60b209885e317bbbd431e2
SHA512

ff381bd5ce7aef733c9ce9fcac0bcf3c9da106b09223c2904714bf4f7df334280ebf4792c279bea32cdafd896d5d95f28cbd6fc18a7d56c4fe77b63438fd6c70
SSDEEP

24576:WgZNRxRm9PQBwV418TeWyavVb5AudHRhItGsePtjDZeMizZBx7j:WgHRW9P0wCWy2auFRhIP6pkd7j

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation	ecosiabrowser.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 39 IoCs

Processes:

TempBr0.exesetup.exesetup.exesetup.exesetup.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exe

pid	process
1840	TempBr0.exe
2132	setup.exe
1464	setup.exe
384	setup.exe
3796	setup.exe
4960	ecosiabrowser.exe
4816	ecosiabrowser.exe
352	ecosiabrowser.exe
780	ecosiabrowser.exe
4860	ecosiabrowser.exe
2552	ecosiabrowser.exe
1696	ecosiabrowser.exe
496	ecosiabrowser.exe
3388	ecosiabrowser.exe
3708	ecosiabrowser.exe
1288	ecosiabrowser.exe
5080	ecosiabrowser.exe
3132	ecosiabrowser.exe
4312	ecosiabrowser.exe
1524	ecosiabrowser.exe
3352	ecosiabrowser.exe
4128	ecosiabrowser.exe
492	ecosiabrowser.exe
96	ecosiabrowser.exe
3492	ecosiabrowser.exe
1936	ecosiabrowser.exe
1556	ecosiabrowser.exe
4396	ecosiabrowser.exe
5236	ecosiabrowser.exe
5556	ecosiabrowser.exe
5960	ecosiabrowser.exe
5992	ecosiabrowser.exe
6140	ecosiabrowser.exe
4024	ecosiabrowser.exe
4292	ecosiabrowser.exe
2288	ecosiabrowser.exe
5620	ecosiabrowser.exe
5748	ecosiabrowser.exe
4468	ecosiabrowser.exe

Loads dropped DLL 64 IoCs

Processes:

EcosiaInstaller.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exeecosiabrowser.exe

pid	process
4140	EcosiaInstaller.exe
4140	EcosiaInstaller.exe
4960	ecosiabrowser.exe
4816	ecosiabrowser.exe
352	ecosiabrowser.exe
4960	ecosiabrowser.exe
780	ecosiabrowser.exe
4860	ecosiabrowser.exe
780	ecosiabrowser.exe
2552	ecosiabrowser.exe
780	ecosiabrowser.exe
780	ecosiabrowser.exe
780	ecosiabrowser.exe
2552	ecosiabrowser.exe
4860	ecosiabrowser.exe
780	ecosiabrowser.exe
780	ecosiabrowser.exe
780	ecosiabrowser.exe
1696	ecosiabrowser.exe
1696	ecosiabrowser.exe
496	ecosiabrowser.exe
496	ecosiabrowser.exe
3388	ecosiabrowser.exe
3388	ecosiabrowser.exe
3708	ecosiabrowser.exe
3708	ecosiabrowser.exe
1288	ecosiabrowser.exe
1288	ecosiabrowser.exe
5080	ecosiabrowser.exe
5080	ecosiabrowser.exe
3132	ecosiabrowser.exe
3132	ecosiabrowser.exe
4312	ecosiabrowser.exe
1524	ecosiabrowser.exe
4312	ecosiabrowser.exe
1524	ecosiabrowser.exe
3352	ecosiabrowser.exe
4128	ecosiabrowser.exe
4128	ecosiabrowser.exe
3352	ecosiabrowser.exe
492	ecosiabrowser.exe
96	ecosiabrowser.exe
492	ecosiabrowser.exe
96	ecosiabrowser.exe
3492	ecosiabrowser.exe
1936	ecosiabrowser.exe
1936	ecosiabrowser.exe
3492	ecosiabrowser.exe
1556	ecosiabrowser.exe
4396	ecosiabrowser.exe
4396	ecosiabrowser.exe
1556	ecosiabrowser.exe
5236	ecosiabrowser.exe
5236	ecosiabrowser.exe
5556	ecosiabrowser.exe
5556	ecosiabrowser.exe
5960	ecosiabrowser.exe
5992	ecosiabrowser.exe
5960	ecosiabrowser.exe
5992	ecosiabrowser.exe
6140	ecosiabrowser.exe
6140	ecosiabrowser.exe
4024	ecosiabrowser.exe
4024	ecosiabrowser.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

EcosiaInstaller.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecosia_EcosiaBrowser = "\"C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\ecosiabrowser.exe\""	EcosiaInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 8 IoCs

Processes:

ecosiabrowser.exe

description	ioc	process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_1533049738\manifest.json	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_1533049738\_metadata\verified_contents.json	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_1533049738\manifest.fingerprint	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_302152907\metadata.pb	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_302152907\manifest.json	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_302152907\_metadata\verified_contents.json	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_302152907\manifest.fingerprint	ecosiabrowser.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping4960_1533049738\safety_tips.pb	ecosiabrowser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ecosiabrowser.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ecosiabrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	ecosiabrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ecosiabrowser.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

ecosiabrowser.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	ecosiabrowser.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641622094219935"	ecosiabrowser.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\NGC\SoftLockoutVolatileKey	svchost.exe

Modifies registry class 44 IoCs

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CE9C26D8-7C04-4946-96FD-C95153F34CAF}	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.html\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.webp	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CE9C26D8-7C04-4946-96FD-C95153F34CAF}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\AppUserModelId = "Ecosia Browser.WJY6AZU5L6N66XKIK7HZKPBTIA"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application\ApplicationName = "Ecosia Browser"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.htm	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.html	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.webp\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CE9C26D8-7C04-4946-96FD-C95153F34CAF}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\123.0.6312.21\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\shell	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.shtml\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{CE9C26D8-7C04-4946-96FD-C95153F34CAF}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\123.0.6312.21\\notification_helper.exe\""	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\shell\open\command	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application\ApplicationDescription = "Access the Internet"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application\ApplicationCompany = "The Ecosia Browser Authors"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.htm\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.svg\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xht\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\ = "Ecosia Browser HTML Document"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\ecosiabrowser.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\ecosiabrowser.exe,0"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.pdf\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xht	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.webp\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\DefaultIcon	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\EcosiaBrowser\\Application\\ecosiabrowser.exe\" --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.shtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.xhtml\OpenWithProgids\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\EcosiaHTML.WJY6AZU5L6N66XKIK7HZKPBTIA\Application\AppUserModelId = "Ecosia Browser.WJY6AZU5L6N66XKIK7HZKPBTIA"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.pdf	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\.svg	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ecosiabrowser.exe

pid process

4960 ecosiabrowser.exe
4960 ecosiabrowser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

ecosiabrowser.exe

pid	process
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TempBr0.exeecosiabrowser.exe

description	pid	process
Token: 33	1840	TempBr0.exe
Token: SeIncBasePriorityPrivilege	1840	TempBr0.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe
Token: SeShutdownPrivilege	4960	ecosiabrowser.exe
Token: SeCreatePagefilePrivilege	4960	ecosiabrowser.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

ecosiabrowser.exe

pid	process
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

ecosiabrowser.exe

pid	process
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe
4960	ecosiabrowser.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EcosiaInstaller.exeTempBr0.exesetup.exesetup.exeecosiabrowser.exeecosiabrowser.exe

description	pid	process	target process
PID 4140 wrote to memory of 1840	4140	EcosiaInstaller.exe	TempBr0.exe
PID 4140 wrote to memory of 1840	4140	EcosiaInstaller.exe	TempBr0.exe
PID 1840 wrote to memory of 2132	1840	TempBr0.exe	setup.exe
PID 1840 wrote to memory of 2132	1840	TempBr0.exe	setup.exe
PID 2132 wrote to memory of 1464	2132	setup.exe	setup.exe
PID 2132 wrote to memory of 1464	2132	setup.exe	setup.exe
PID 2132 wrote to memory of 384	2132	setup.exe	setup.exe
PID 2132 wrote to memory of 384	2132	setup.exe	setup.exe
PID 384 wrote to memory of 3796	384	setup.exe	setup.exe
PID 384 wrote to memory of 3796	384	setup.exe	setup.exe
PID 2132 wrote to memory of 4960	2132	setup.exe	ecosiabrowser.exe
PID 2132 wrote to memory of 4960	2132	setup.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 4816	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 4816	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4816 wrote to memory of 352	4816	ecosiabrowser.exe	ecosiabrowser.exe
PID 4816 wrote to memory of 352	4816	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 780	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 4860	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 4860	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe
PID 4960 wrote to memory of 2552	4960	ecosiabrowser.exe	ecosiabrowser.exe

C:\Users\Admin\AppData\Local\Temp\EcosiaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\EcosiaInstaller.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140

C:\Users\Admin\AppData\Local\Temp\TempBr\TempBr0.exe
"C:\Users\Admin\AppData\Local\Temp\TempBr\TempBr0.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\CHROME.PACKED.7Z"
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Crashpad" --url=https://crashreports.ecosia-browser.net/desktop-browser-win --annotation=plat=Win64 --annotation=prod=Ecosia --annotation=sentry[release]=123.0.6312.21 --annotation=ver=123.0.6312.21 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6b012eaf0,0x7ff6b012eafc,0x7ff6b012eb08
4⤵
- Executes dropped EXE
PID:1464

C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Crashpad" --url=https://crashreports.ecosia-browser.net/desktop-browser-win --annotation=plat=Win64 --annotation=prod=Ecosia --annotation=sentry[release]=123.0.6312.21 --annotation=ver=123.0.6312.21 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6b012eaf0,0x7ff6b012eafc,0x7ff6b012eb08
5⤵
- Executes dropped EXE
PID:3796

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --from-installer
4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Crashpad" --url=https://crashreports.ecosia-browser.net/desktop-browser-win --annotation=plat=Win64 --annotation=prod=Ecosia --annotation=sentry[release]=123.0.6312.21 --annotation=ver=123.0.6312.21 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffb6e5abc40,0x7ffb6e5abc4c,0x7ffb6e5abc58
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Crashpad" --url=https://crashreports.ecosia-browser.net/desktop-browser-win --annotation=plat=Win64 --annotation=prod=Ecosia --annotation=sentry[release]=123.0.6312.21 --annotation=ver=123.0.6312.21 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff65a5d6340,0x7ff65a5d634c,0x7ff65a5d6358
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:352

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=gpu-process --no-appcompat-clear --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=1916 /prefetch:2
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --start-stack-profiler --field-trial-handle=1780,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=1964 /prefetch:3
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4860

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=2148 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --no-appcompat-clear --start-stack-profiler --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2736,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=3068 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:1696

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:496

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3388

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3708

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5080

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3132

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4312

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4812,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4128

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5140 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3352

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4816,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4996 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:492

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:96

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5468,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3492

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5504,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5920,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5928 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4396

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3728,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5236

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5620,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:5556

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6212,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5960

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5992

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5564,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6140

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3216,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4024

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4928,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4292

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=4688,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=744 /prefetch:8
5⤵
- Executes dropped EXE
PID:5620

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4228,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:2
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:5748

C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
"C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=300,i,9967107655707519843,16221426157392853104,262144 --variations-seed-version --mojo-platform-channel-handle=6176 /prefetch:8
5⤵
- Executes dropped EXE
PID:4468

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NgcSvc
1⤵
PID:4980

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2596

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s NgcCtnrSvc
1⤵
- Modifies data under HKEY_USERS
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping4960_302152907\manifest.json
Filesize
108B

MD5
56e08be378849f09ad013edd4948c5f6

SHA1
17408f1b2ab34dc6e0ffebd488fe64165aa3ef42

SHA256
2c9fb1c72f3a1ace30d8a2d55796202d73bb7bdd13b928acde052666eb2ced0c

SHA512
92c70c8424d4ebbf427ddc5eefd74778c91394368ed9c05658f38b843da7f7d7529c02f2a8e9de3f49ba23269a53fed6ab74b02e9161d94b60009ac52c2451e6

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\SetupMetrics\20240629191643.pma
Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\Application\ecosiabrowser.exe
Filesize
2.4MB

MD5
fb5581a14f52e14086ee997273198788

SHA1
ab92a654b218a630d0306279490121cc26abdbce

SHA256
be6b12e03b36e586a1abb5fdd7f69928e4e1a1c85fce9f2ccdd0358232131c2d

SHA512
6d6534a74b6d875756e2f1919f346b0e8c93449920b03aac96b2844b3f1d363488a529f214b707c9730553fddd5002b85f077cb1d5d949f7fecdfb60ac459bc9

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\405bfd0c-99ba-4c71-88a1-39ed301e0a2c.tmp
Filesize
154KB

MD5
d36d18f82847cdf716f8d181db1afbbc

SHA1
e820b54eb4a66ed95e7c9bd385de13de682e3f21

SHA256
5d7adf329a38ce56fc02fbbe56456e37875c79c57e109812bd64229dd6de9192

SHA512
d1f471340f9dfa84aa084e2980dfbcaf6483e40235cb923e1abadd5f655423cdc443799f7e5a37302eea88c8cb284bdeca33a80931899141031fdd3e50e4911f

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Cache\Cache_Data\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Cache\Cache_Data\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
e2e217115437ee6b881d5c8d39694f69

SHA1
b3b36fc4ed56c1fe02ee0cd44edb833a08c8e774

SHA256
c1d999e76751aa2420787a7a96b9879853af181719eadeb28409f6766e622252

SHA512
17c9d6dcdf5c838a104437b002c79518cf4c858edec359014a53ba440103b835df04556699b5b5d12c1fad46ad6bcc70ff4c022fc37303da2a84df386586c6dd

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
d214bfed6551afc3eb63affa0863715b

SHA1
2b65fafd1b4ad8b60a47c203c6f84b01c2b5f01f

SHA256
70f5f6878be6fcb4ed1d198b4d5f54f9acf95e6268782e5ac9998445e87969bd

SHA512
038e285f319f9140108157d98722520c304b2068c7c0361c09f7bb9935d0fa116457abacfa2428584af0d8f9a35dde404ac09adc1d20c216ea3900318ae409bf

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Extension Rules\000001.dbtmp
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
a158a470d8245bb5e010910e7ab9cff7

SHA1
72e13ec6a736163f070be3b33cdf9cba5639359d

SHA256
64a9720f90ea6c0a6ebd31d87c23526c29d484c6c346ece94f5e6225e30d01b1

SHA512
1cd920cfbcb93a74f818071aca0693236b2383fbd6a2e007d279eccdcb057db6d37e9bae8d287c2145aea9fd39c6877cce9e8f28146283f6b18fbe0e55972fcd

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Network\Network Persistent State~RFe594ada.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Network\TransportSecurity
Filesize
856B

MD5
074556c3057f7111635fc00e368b6a6e

SHA1
a35f5c50f8a20d8c6c0fc034e0a36ef712b5e8e8

SHA256
404d340c00592228f19cb458c583521cbd92d32296d05a68bcaa29b37b000cb8

SHA512
1529c040b039ab48d8681545a1c747f4afe08466f369a93f07eb2e8815c31f06f051dffb5f16818dd1af8b1648127bf4c1972d1992ddd22bee3fb7072db335db

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Network\TransportSecurity~RFe5991a7.TMP
Filesize
856B

MD5
0228448546b2a81b0a1493cb757c14da

SHA1
91298b0f7bc8aa4a017118bc04d93e2a51f8a542

SHA256
002f976d300a3716d44648b06884aa6f3bff9fe9825f400e4ba32396598011c3

SHA512
e95959a45d5abc59e371e571b738467c34dbabb649f04f662498a6c1c4d660f1584c97a73dc5c5bf1669cbca96977e33a281ddfd21f46ccf6d2909821f92ceb5

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
287903fa1dbf0b032737d89271dfe2fa

SHA1
b73dffbc6c0988d4063fd2a95170cd68bb9bb413

SHA256
2103d835ad05dcceefe1074581434c379ef9acfe56d572485dc2ac707ffa73bd

SHA512
c752c92088cdebccbb894c08c3230239c9c014db55ffe21c7dc160c8ef25cb7cee44c9d44b614d14111c53fc1b8fc558682b3205c28a9ef5a86929e5745856f9

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
7f63c109f0b0055e1adf02446db7f3b1

SHA1
54a09d38ff768006d1fec52b18b1a6f846a11679

SHA256
be7cedce12fe76a4327fe1355f6650931e630b49dbb0f1e1dea9c200965c0b6b

SHA512
c930988ac00eeaa981aa1a05e79545c4330a297f8e7da72172b1ba59da2831d5af976665735003383158355828929711693282271b9657707539d791a6f50e4e

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
fdc779e1ca3af571e8b4a432f8fc1226

SHA1
379a4908d898817170317c8ceea868df8fcc6703

SHA256
5cae849b9c4acfdbd1004c8aa8d104ddc58b40e7ab1b8518c81936211a322253

SHA512
66547b7aff73f6ec7c93587426e035d3c198f90d81d0a24af14bdf8b960498f94b84d7354622630ab5d495f065f6796d2dcd628d83eca14ffc126aa5d9806cd8

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
95699edef4a7ce719ee34006f202abfa

SHA1
5a3c87862e63cbbc4a88fdeb792474ce44bedec7

SHA256
f6ee6107225859775c63e30a5e791f517b3633d5389f67f88d7f6bb8a38fde51

SHA512
fea7639b2273fe5c0f3eb2e244cd05b5382ecf6b6e431638e5435693297c4ec5e9f1cdd52e72727a25ab46a11ceb1d37f126c16cd7dfd159ef7183321e29c420

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
8ee165b7ab91e4d514ca131febefe0f3

SHA1
7c9f7bd96914544fa0f151a11e4d535949fe5e24

SHA256
092e198ba4095206f40404e1543bc90640064f497c9ef77fb1031f3571ae4de6

SHA512
90671e25f53c89ddb72c2f14bddb1be5c984d84c3c599d06f0314b2de6ec47d982d896a3f82d2883b2bda05353370c11121c2c9d370246370150640d7ecd14ef

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences
Filesize
6KB

MD5
e5ab7e622b733e5610382581e4da7c61

SHA1
e7e143ca3bdf7e3845a53c5579f6f711dac02a30

SHA256
85470762c2c9b1faae164eed6db374166eb906357625820d63012415c81ec2bf

SHA512
7199547bfc624c0a9736bbb757f5e7a0e6a2c4f04a0828ce8d92855157bc508fcf651ab6bd5c42c36bcf33fc331b152b9afbfda006a5b00eb06c7ca3fbcc0fdf

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Preferences~RFe5891ea.TMP
Filesize
6KB

MD5
ab3126f3a9caff24d5c7aad8d8c0f4b0

SHA1
0c97474ae7467b77db1b41a9f06f98e4dcc6627b

SHA256
b1965e1aaacb6bd7179af80a63b6ddaeeae44ab7c050e2a302978390779dcb42

SHA512
79a254829d3aa916b4b8aa6712333bbcab3d28039c794da7343f963cc8913500e8d0900fa1376cf7650131aae55d4face754549bd0c294d3c8f0c0ecee9ffaff

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
360B

MD5
9e5d5faaccd5345e11d2d0a457de2b52

SHA1
87bbfc0273ff514b7de631855ef8db913a4a7dd5

SHA256
53eec37ac0e1c87ab05dcfd02ec1be41617e0284ba2d424faacd316e219d24d0

SHA512
5901ca95d44a619db55f5459904bc656f90f41b1c3116caaaf1b3a9f24d68a4909e195fd4a6090dccc43c4dea72fccda25eae6173724d7d55ba6e13dfea281b9

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589778.TMP
Filesize
72B

MD5
ee683146def998217e64dc6e49e7b5e2

SHA1
2eca06ab9c5a331318977e642a1684591a4cc898

SHA256
4cf1afbd242fa56f418fed8923ab5bb2b0b8a7149a834d1a3825af6466dbd106

SHA512
a3c0fe575a10224f9c10c0dbc6ffeaf71bffb2c8b429da0c62705d3b63f38388dca7a381a54aaffd0f270c85cc5fee352243597fbd221dad984b938e06946ce7

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\GraphiteDawnCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Local State
Filesize
5KB

MD5
ca9c546f5aea354eab4b49d3136aaa8b

SHA1
11dc5da2f2411bc75fca7d14c4c22d4763db1944

SHA256
18088e852ab39831f809ecc1fca9dd20543dcda1c06358d5c17221ec8b282e21

SHA512
653d2bfefd6a85735b30160ace83d3aa1bb70a103baf74c30e5180cd9e82baf3869c2a8237b80298f2cf54bcd433ecb0c43a9cfc322e4e971c58cce3bfd117f0

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Local State
Filesize
5KB

MD5
c7fda3bb9264af11bb1c9bb29b45ffa3

SHA1
a8db291beab46a1e29761d047750ee598657b70c

SHA256
1027a15c80d0750e3b56b0340d959f6e731a7ef97e7000a3791f7271c4229dee

SHA512
b2474df40d70b025c5651d0c45464ed633258de8aae8e3636eb03c63d7f086b62fa1bb50b234b1900003c7c0fccdc9b3b49e8a8f2921b258e3e036f9d7c9c85b

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Local State
Filesize
2KB

MD5
335977c04f45d90048d64ba9bc871f88

SHA1
ee70003fcd5b41b6169258f745411810a47e0380

SHA256
906fc61bf6e889b142d85c60c1497c4867a041201626f9340571751330ebfe1c

SHA512
2bdc73e7b0d6278258318f0f59d248aadbf0d8a2cc39cdc2ca069695bea115f84e75530deed62bea3273b4fbc9d0472f41998660185907bb46ae751591848201

Download Submit
C:\Users\Admin\AppData\Local\EcosiaBrowser\User Data\Local State~RFe5854a3.TMP
Filesize
976B

MD5
72d0b3609064ceb502716933641876e7

SHA1
d77932ab738e1e3c731a1a97118afbb830897f83

SHA256
601dc1962245fa7294d89d898ad973488ade40c3cd25fbe6bbca76f470662a13

SHA512
404a6dff7851d702ea22770fd92f8af272490d560eb3dad2b617c8601a5125dea2238df8d1f7446ec58bc3f6dc5c5d415c327a156223b25a3e67f36fa7f773d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempBr\CR_35702.tmp\setup.exe
Filesize
2.6MB

MD5
ffb2b92410a8d4808aa425d72acfaa0d

SHA1
a3dda22a3dd64ae4a70c976bad73babad4cd78c9

SHA256
8ae46d3c371e7835c5998d1e1d8a5665f45fa567dfe5e19461c01dd68d9bb26e

SHA512
946e1b9d8dccdd655b69aabae2597620a30ecee3aa5df40190ab39574a5f1b39e7b687d920867f04e5e051d3c6c0c551a092fc09cef24e190fc8c12ea0953b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6cf26b6-effb-4f04-8852-bd6974c27191.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
\??\pipe\crashpad_4960_CSJKVDHQCTOAKVOO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\chrome_elf.dll
Filesize
1.2MB

MD5
ae0d60cfb1c9328269688e1baa88a943

SHA1
f7de751e5d9e5049f85d0ad88ab69d18be1b7d5e

SHA256
4bcabd79410e1f09555fce0851548066e8e720f54790c3d761d06925b2766641

SHA512
19222280c38602750b02998d790dfe648d2be88334a95bd6d553d189d702b5102166827a5d5ab25a55c19fb788362fc3b3011b054951b0a62a7fe60a0c7e9873

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\d3dcompiler_47.dll
Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\dxcompiler.dll
Filesize
20.9MB

MD5
150f0e3df0133148774ad54a42856603

SHA1
709d42b5a7f2251291c78225946022591d1aa37f

SHA256
ef457141e5ed3f7da23843abe149edfc490e70b6c11e0d9f5a4c2c56213e9e10

SHA512
457dbae0d312897a3c555cbdd0d14e27ab1b30e864a713636664a7fdaabf04dbab4d340d09cb354bb68777a2f43e6c45edd1a085c1babd14fc552ebacd13b548

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\dxil.dll
Filesize
1.4MB

MD5
cb72bef6ce55aa7c9e3a09bd105dca33

SHA1
d48336e1c8215ccf71a758f2ff7e5913342ea229

SHA256
47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893

SHA512
c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\libEGL.dll
Filesize
470KB

MD5
3256b6aa8cf471075fa54a3f55226e4e

SHA1
c048b56d0b9955ca3d7a247755bdde3ccdc72aba

SHA256
77554d8f11ed4a59543d014de3253fbcf28e6b5cef8a00e1d0ff0cc5f168ce96

SHA512
8f8c3a42982c90e614141dbf348e64f5acd3dc81072f81fcf946655f3522e4d60f0e2fbe74b17e2933182f15619bb53207085a6628513e33c265c67b09fe8b57

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\libGLESv2.dll
Filesize
7.3MB

MD5
901a2a0be2869a84460058e15bc59844

SHA1
c42eb917dede03bdb6f9f807e2180d15caddf06d

SHA256
57bab60884711ea370f989ad7588698d3e2c23348297c3f309e64b97d532d673

SHA512
802fcd9711478015e9bb2747f1716c83aec29598933d604fcdcf769ac432525cfd648923ce763ceaf6ee04256fede439bfbecc565eb7ffb5f81450f642f703d3

Download Submit
\Users\Admin\AppData\Local\EcosiaBrowser\Application\123.0.6312.21\vk_swiftshader.dll
Filesize
4.9MB

MD5
63d04aae53e03e41a7d82f8431cc14f9

SHA1
1ee414e09abd9323b0250602342ff917607c8b7d

SHA256
bbd5f144433b75fe0580b299b20ff743a0d21d93897375a75d8ad8a59b22608e

SHA512
bac53a3b87f63604a98490fa4e2d921da5baa759574e76362115f49d67d31cd59bacb7cb8035a7cbbbda3267b6e195e6e2904f3b99b9a50d3fbd9ef928bca90b

Download Submit
\Users\Admin\AppData\Local\Temp\nsv79F5.tmp\MainModule.dll
Filesize
3.6MB

MD5
c5f78d7f3df8b816ef881d342f6e9520

SHA1
251a4bc26a697e4641483ce7a3ac694874d7be52

SHA256
b0c4e04590f521358d7e3cf5201ffc551b6cbd7182a6e8229e94f47105c71822

SHA512
c9af575cde74c1520ebd49df15116d4165e9c5314cc4c402463388552ee35768ddc31d8a3f38ab2488357e7fc112666e02c1c6ac6c9f4b6eeba787afcafaa2cd

Download Submit
\Users\Admin\AppData\Local\Temp\nsv79F5.tmp\System.dll
Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
memory/2552-113-0x00007FFB79AD0000-0x00007FFB79AD1000-memory.dmp

Filesize
4KB

Download
memory/2552-114-0x00007FFB79580000-0x00007FFB79581000-memory.dmp

Filesize
4KB

Download