538625f9a7445060633674211aa9d30224a7dea65b72b7bbb16796483b09034a

Analysis

max time kernel
78s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

echo-Setup-1.2.2.exe
Size

83.6MB
MD5

ae244f20bb1f0ef9b59ca3a8f68f9ee9
SHA1

46fa43ea3b307bc68e771e582fbd409f56a8de4d
SHA256

538625f9a7445060633674211aa9d30224a7dea65b72b7bbb16796483b09034a
SHA512

367d429c0b048a9ffc97c38135609d3b119182e7c6a4b08399fd490e9b2f2b2585e68d560a1f2b28359e0c8c36bcc762b04dd98f9f5946277c0d4c17bb9d50e8
SSDEEP

1572864:G6gUDBSOQJXbL5OPQVQQZMJsIuW3IELNAe0uT7OeDF3jOZ1:G6LDBSO4XBOPsQQuP/3Guz9S1

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Geo\Nation	echo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Geo\Nation	echo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\International\Geo\Nation	echo.exe

Executes dropped EXE 7 IoCs

pid	Process
1592	echo.exe
1716	echo.exe
2780	echo.exe
2684	echo.exe
1616	echo.exe
2944	echo.exe
1480	echo.exe

Loads dropped DLL 35 IoCs

pid	Process
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
1232	Process not Found
1592	echo.exe
1716	echo.exe
2780	echo.exe
1716	echo.exe
1232	Process not Found
1232	Process not Found
1232	Process not Found
2684	echo.exe
1232	Process not Found
1232	Process not Found
1716	echo.exe
1716	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
1616	echo.exe
2944	echo.exe
1480	echo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	echo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	echo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	echo.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2880	echo-Setup-1.2.2.exe
2780	echo.exe
2684	echo.exe
544	chrome.exe
544	chrome.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2880	echo-Setup-1.2.2.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe
Token: SeShutdownPrivilege	544	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe
544	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 1716	1592	echo.exe	33
PID 1592 wrote to memory of 2780	1592	echo.exe	34
PID 1592 wrote to memory of 2780	1592	echo.exe	34
PID 1592 wrote to memory of 2780	1592	echo.exe	34
PID 1592 wrote to memory of 2684	1592	echo.exe	35
PID 1592 wrote to memory of 2684	1592	echo.exe	35
PID 1592 wrote to memory of 2684	1592	echo.exe	35
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36
PID 1592 wrote to memory of 1616	1592	echo.exe	36

C:\Users\Admin\AppData\Local\Temp\echo-Setup-1.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\echo-Setup-1.2.2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
"C:\Users\Admin\AppData\Local\Programs\echo\echo.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=gpu-process --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=940 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1716
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --mojo-platform-channel-handle=1296 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --app-path="C:\Users\Admin\AppData\Local\Programs\echo\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1512 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=gpu-process --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1616
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --app-path="C:\Users\Admin\AppData\Local\Programs\echo\resources\app.asar" --enable-websql --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2372 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2944
- C:\Users\Admin\AppData\Local\Programs\echo\echo.exe
  "C:\Users\Admin\AppData\Local\Programs\echo\echo.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=928,17667231886522631220,4935657019321237807,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5309758,0x7fef5309768,0x7fef5309778
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1500 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1880 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1912 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:2
  2⤵
  PID:2956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3044 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3940 --field-trial-handle=1900,i,12441267081398731517,16964294103746916411,131072 /prefetch:1
  2⤵
  PID:1792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daa3f2d8913ec77835202b7bd263703d

SHA1
efddc2918c528304e3f9952dc4e758c582be158b

SHA256
a22187bd0d710d23cce2877e60a5dee7f7781778aca5234e2757ff9598cb40e7

SHA512
dcae63cf741d88bfee937776bf4603c19f361dfffd2f918251f65fa1950e949aa76328049b4cb86ac0ea4a3126c8d415867085771b83694d2c584adfa15a6bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
07f1717ae61e2f6caa5c13d07849fe0c

SHA1
facb23e18ef16c47745f98f6fe63137c29980b64

SHA256
cf313b54f93a3d0636a053a7484edcb7955a37a66a8d162cfee146b0ccf8edf6

SHA512
b04c9bce7a84485c59c614da300b876e37a5eec6b73f6109292f7131548af0fe11f51f870a6e37252bfcb950bdb3f7c2046a7e7aec31cbb7abe9a3946a0ba595

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0d6900fdc87f660eea4a4f7484384ecb

SHA1
e280959057f6664e1909f88fa63ef0a4b4e347eb

SHA256
36e4691320493c775362dca4b7304fdb6357cd3a5aae2b0510c22f95f2bba02d

SHA512
814ec02469b6a76c9cda178080628307f92cd753033bb641abec6adf98756907ec8b3fcb63152ba75b7d4e212fc48ed4384fa55b46acc2c68b940dc1360e36e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9fe0185f20833bc46776f7e09ec87183

SHA1
2b8b04eca2df5c19146c66a5d8ff6690ede141e5

SHA256
5f08f30f6c33d205bda537c3e5f058646b70e3790fb328e8f955b5cf2ac04231

SHA512
1b982dd4e6711377df20e8ba791c7a9229101b27d79a636afc6153cd39e47f2402d2bf4fe1bd8c8130d906b712c30b8b7bee8667d86157a39035898bfd492ddb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
44441c2eaeed0ff02326c3e6a8b7d23a

SHA1
c0809fb55aaf07fcccf5afcfebf3238a479db1db

SHA256
3b9fb15de129efbdf7b5afab2b87b285880a4335717b796ab85eb7671d00f233

SHA512
4a38362d654442e528d8007a3cdda41d26cd81a296701cb17aee5db863bfd4d37a161cd224a324b3ff0dca854de45317fc87469a9da4a2d6be94f0ac69f7802a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
305KB

MD5
5cd73fdf9398f5c4d4b25077ac088a55

SHA1
2f1fc704500676287b043b3173406b11c6087c0e

SHA256
6bbb5e9649522a4d87d08a4fc75c7a581b52e15fd0529457db40983d20ba2a98

SHA512
5e0f7e2fe2322c7e185f9d7174e8fbfdc128b76f85c030e005adbf0cc274222e9cabd0170449903b59f739d6d626cc5449cf84a9fd833217a9b40d898fff86f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ac5f012d-a8ef-41db-92a4-493681b125f1.tmp

Filesize
305KB

MD5
64bff1a427dcbae2ca81cb1f4ecd48e2

SHA1
a0a8c056b4fd7947a81320d01083c6bfe9203dd3

SHA256
506b653a236ab2b95eb3c75b51e30b70b51bdb06ee20abcd58394e0457d66f2e

SHA512
4a1d1d290f5d5627f7f83849b86a69510a08463e20d911ab686dab249a1742a73742af2120fe88bc0e238adce6d55989d989d6b4b93058c9427394fd7f32669a

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\chrome_100_percent.pak

Filesize
138KB

MD5
4f7cf265db503b21845d2df4dc903022

SHA1
970b35882db6670c81bd745bdeed11f011c609da

SHA256
c48e6d360aee16159d4be43f9144f77d3275a87b3f77eae548e357601c55fc16

SHA512
5645d2c226697c7ac69ce73e9124630696516fc18286a5579823588f93a936da71084a3850f1f9a7b34c624f4c502957107f5957ffba5e6c1e4da6d8da7d3348

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\chrome_200_percent.pak

Filesize
202KB

MD5
6a7a9dee6b4d47317b4478dba3b2076c

SHA1
e9167673a3d25ad37e2d83e04af92bfda48f0c86

SHA256
b820d19a7a8ce9d12a26837f967f983e45b07550b49e7b9a25e57b417c5f6fd9

SHA512
67466e21a13ca449b014b511fb49bfc51df841eb5776f93b4bda2e0023da96d368ac5c65de051ed9de1899275b9f33839af2c387be903688cdb48bf08993791e

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\ffmpeg.dll

Filesize
2.6MB

MD5
7f1ef8b63fc87f7b476e5aa192672458

SHA1
40b181c8e6538c13f0cfb5653f93d52031ffa858

SHA256
567fe35b7287c872cc50ee77a7e4cf5763caa33892b7994ab47894f534ff5a47

SHA512
b8a164f025da9f76644cb3d57c5bcbf5ddeef78434e492dc5a69b1886e1735384cd747eb66f58e762f2750c1d1f74002a823f8b18cd858ffefb2523fc482dfe9

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\icudtl.dat

Filesize
9.7MB

MD5
2e7d2f6c3eed51f5eca878a466a1ab4e

SHA1
759bd98d218d7e392819107fab2a8fd1cfc63ddf

SHA256
b62b7240837172959299dc3be44fffa83dc374353154eca1612e1bde330aa8fa

SHA512
0f1465e8efe32b0eaba628a30bbb21254a05d80f4407a1434120a55fb928cf575b3879e1b7cf754cd19b23c262ae715fa84a8049073563cb38f1855be7db1124

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\libglesv2.dll

Filesize
7.6MB

MD5
5cfc8302ddff464405d4c960d4a1b923

SHA1
8cc54eaf52c38b4f933da98a970b987bfdb15324

SHA256
baf6f58949320f2aed9f2cf1adafcc95dc213c2c22b3eb92f0f02a2b1f0ebfc9

SHA512
cf3b54fe6e0105c12da0f019442a71c4eb7509c49f0e4c5674d08446d0503304aa6d15f683659adef30e78b9abfceebf811df931bc5911dc6bcabcaa3eb76b3b

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\locales\en-US.pak

Filesize
100KB

MD5
b6a2c492d2bc0278f350201bdb66ea21

SHA1
9c2652cf0bf720c41263c675db5c342c08f66b35

SHA256
a453fe4e06016aac08b58a1569074f3be985a730b5ca1e345cb3e286b042acf5

SHA512
cb39c7e9c58cdf23900014eb589c50e495b80e0cbc6a369110f84e96bf2a47e9057df1914287990c04d7a5fd3119eabb30642492d0a50d359ff7d2305cb4ae22

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\resources.pak

Filesize
4.9MB

MD5
707a9b877cb01f28c4424caf1cf453a4

SHA1
10dd3aa2abdd0b5d30253f9acc1adeb99b1d2205

SHA256
9bf2dcc119f88c4f2b3aeced53bcbd9b229e9734e0204a32d87f49526bbea303

SHA512
ccf3e4decc49543bb8e3765ff21561c686afb6682d1d778669f8a53a35ccbfe875401b42b4604131ae7fd5e722c0d232a7c5b352b3b2058698f9bc682d40b63a

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\resources\app-update.yml

Filesize
92B

MD5
0bf3387f01d21d35d7760dbc5ae7aa19

SHA1
88ca26bc894d35839cac5396dea20da6500a16a2

SHA256
33e73b26b3e87b5cee3e31560def8fbb5480ecddb3c75971232080b9bcc5ea37

SHA512
9f3d124f8cbfbc1a4186d3501dc4e3510fea6ceae5a815dbc5dd4949ffe6be5c5cb928dabbf93e999902c3011c26977c140ffef84cf388d86358c25eba9f13c0

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\v8_context_snapshot.bin

Filesize
160KB

MD5
8fdac2cb67bb23f7c2e159121a356626

SHA1
24da4c3a16b09961375aca57595bca974083e553

SHA256
7f86fd6ca3e16a122eb6b2a0bd612879a9c0fb15ca4907a8bc546ebc807285d5

SHA512
9c8b8c4f14ba39a3e1caaae893dca7f7ccaddc50c0b6ce3ad25f8adb8be4bf9b140a491d8f71ddec959a4bc9300e9eeba496eee5f8ed24b07a1cc7ea94da2c89

Download Submit
C:\Users\Admin\AppData\Local\Programs\echo\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar36F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\echo\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\echo\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\echo\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\echo\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\echo\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\build\prepareInjection.js

Filesize
1KB

MD5
1de10732e6d50c3a4ebf0b3a8d3a43f1

SHA1
065161d944b10728a2dbd673988c20cee1639ceb

SHA256
b51e4c56e9916093f02b4889633ed313dee7f6f8393c808dc039a92ad9489729

SHA512
e11e7312ebbc06896f82c26d74a0edca7f4014ebba06031ec7452994bbdcb6e01df8b10e5a0d30ce4f8ec1174383bbd7efc31b243b5386b52e8d0aaa9bffb344

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\128-deadcode.png

Filesize
2KB

MD5
95c2da7d58ac4f57f4162d4b521d1c2a

SHA1
964c06f2b50bd34c77ff760c939ccafccb8298da

SHA256
e3e4ce549604652a6a573550f34b3994992d7d70bfd39bf69fc30cfd769b75f8

SHA512
765ddb52aed9c28e7ccf22768b432e7391a407cbbd0be75722ff59f438ed7208eb94b78cfa1a90701f2dede8f153169d2caa379355f2b3532e465878f336e2c5

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\128-restricted.png

Filesize
1KB

MD5
976735be5c5ef4986782407579e25c50

SHA1
1a72c6f1fea87fe8e79d14c72ad5da6ab6d9b761

SHA256
cbde2b973624ad785f37523efecca9721813354f2a7e21ecd305560acc138c06

SHA512
8288ebd7f1bcfccacd9092a30f09ac141620710400856300f1c1056e7012c3066fadc8128c6ca1d567a289af3967cd8c9b3d562421e00132fe9680e4172f56c0

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\16-deadcode.png

Filesize
338B

MD5
2bd352e9368664c7aba97f61df7c407f

SHA1
232e5ea71cfa6276254862afdff99835136a4f31

SHA256
705902c00dc5cf4ac85d9eac512a17b2e0bb427dc98cb2cc8f19322a95600076

SHA512
7fa71202d4aa7eab73e4695c5c6a1a667ee2e8ed2eb2839bcc8da5404f0edf54d20e095df6af9bfb95a08f6044b3e2f51ee85bf2d28440aefa35d2af8362bf1a

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\16-restricted.png

Filesize
288B

MD5
7b2b93a5c23de8b45be5076bec86cc03

SHA1
7bf00b51cee062b2a6f0e7ba8e6fe892b2665e96

SHA256
131e9ff247e8e9257351129b203709d8a8a25488f7159b498d661ba8510efd7e

SHA512
93be1bebae3a2ccc5fcd8ad97b96529e6dd7f8eb1f68fa6a20a7c6c006222ade42915f5bc0199ad2b2258272e9001969a830d6a0536ce0b127176465c5b082ce

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\32-deadcode.png

Filesize
561B

MD5
7d81fdce34f01d8229f67cbed8ca30de

SHA1
2d147ca07846a5c33271a3cd9fee58be0b041088

SHA256
53b429c91414bee3fe255328029eff513f172fffc41fd63d95aaadb697ce71a5

SHA512
4e64518b53c83c075bade7171989a7f796f7d4ac63ddab47ae938bb55ade22a1ea04c208a16c4ec87a6535a57100eb51b7f80b24887c2a96eb2f5758e2615d22

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\32-restricted.png

Filesize
490B

MD5
a224d8a9e39b203054da833b0636ff06

SHA1
8acf99866b257c7b5b38c5708870cd17d3d7b13a

SHA256
1141df69cf1d1985c49f795b65acba57e4d2399e6ff50bb3e6bdc0b710f27804

SHA512
7c4d5daa2fb4a7285dd747287ba56e3c484973cb9f01a49dc0926aab0d4ae0295586707ea312560782abed6409a62ef3367907fa77863276cfbed85449b16315

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\48-deadcode.png

Filesize
826B

MD5
5514edc867b037351d2d01cb8b204d3c

SHA1
55070782e7049bf2d6c45be7605d193630f22eb1

SHA256
546c0260ab5a03c3075e9278956019214bb6433de266c6f95b7021c0115070e2

SHA512
f8ab9ad7e9ab9836580b6d99415250d01dd8be53a01a4e0658031d25d7c891f4e8ae4add8a86aae55522d118a771c2625d359aa504cf52244433955301d17079

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\48-restricted.png

Filesize
730B

MD5
f1198971a65f0c320a18931b5a6e9e03

SHA1
5783485687ae3ab6bcbb07f203dcb92211ada979

SHA256
0ddff2151123e022e007e09576a6b030c38021d0fffc7546f0c9a1b8529813e2

SHA512
bda8969740bb4320095f4d5b4bb185ec8f881307640eec1d917c20c0f65b7d43ade107334de6d01ee7334930909e55090cb7eea771ac2e199db6b811d72ee512

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\development.svg

Filesize
3KB

MD5
46bb24f5f8540049a459da5b12ee1478

SHA1
e8189f6545038616eca6ef33068093dbaeb66350

SHA256
acc667332543cd491097b281fd35bd49bf435768d4cb2ab8f579740072756313

SHA512
89b74512db2792b409f1ceaa275fb1e8d7eefdb195bcab76c7b489228c822a6a68182d93c485956d16c02e310e4d3d3f6da7a561f93d0e0034627339d6848776

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\restricted.svg

Filesize
1KB

MD5
3cd7ad037efd1fa2a7477031af2c2809

SHA1
ec5c179569f1add1f0ea8a69d622b36013ba72ac

SHA256
279310c2dfe871f3f6a875ef3d5cfb8922d37faeeb9c127ec312aeebe1c51cd3

SHA512
b2349b5a3decd559999f96c5b4886acb9d39ab46562d3dca1ffba049573c7d99980fd9c5272dfbc72059afd89a6d435bc81a2fd0adfb606ad9057c24b6b3f4c8

Download Submit
\Users\Admin\AppData\Local\Programs\echo\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
\Users\Admin\AppData\Local\Programs\echo\libEGL.dll

Filesize
431KB

MD5
1d9a67475de599e54bc86a8de8f300f2

SHA1
e4850b902232e727cddcf96c88be64f8395d5acc

SHA256
7c52fc5693e128656d3aff81da51ceed0e035da57d00ccceabafa97b74f27069

SHA512
03b397463cef9c1ec01f5cd89c80eedca77a12e32eb46bad073cf3477843d14163b3de62a2dd299cfba5c7b1e368cf83f0759ee8d5f7b823902f32172d5712c7

Download Submit
\Users\Admin\AppData\Local\Programs\echo\vk_swiftshader.dll

Filesize
4.3MB

MD5
17081815c960572aa3da745adfc66404

SHA1
5a14ab0c188a2aad906398f8050db287aa876b4c

SHA256
fa525b98e63847c5ffb6f09af784fd5ddcf06cbbe5e05bae8aede772ac6504d0

SHA512
3fc462ea1cc2bdff745a4a66aba2d2632abfd06607e92f79303316079b27b4ddaa56c20b4c113965ef01b358d63fce17b0c0529002e0821844c720827d823dc0

Download Submit
\Users\Admin\AppData\Local\Programs\echo\vulkan-1.dll

Filesize
715KB

MD5
40be32bba209d69cb71cb691b65c25e3

SHA1
0b4c99839bff6716a15d7c012550e9424c1b7293

SHA256
f52995fffa9a13b58739e58fc630a68f3cdbfc5035f49c7e54b3ba0baf9e752f

SHA512
7b5dd8233f3d5a35c5fdb575b131cb022ebd63ff99c3528120fcf6afa6c3851eaab9e439ab99e6b01fdc4cea502f7a2c1fb4f5b45da16c7b68ca7b58323aebe2

Download Submit
\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nstE3EA.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1716-336-0x00000000771A0000-0x00000000771A1000-memory.dmp

Filesize
4KB

Download
memory/1716-303-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2880-289-0x0000000002F50000-0x0000000002F52000-memory.dmp

Filesize
8KB

Download