538625f9a7445060633674211aa9d30224a7dea65b72b7bbb16796483b09034a

Analysis

max time kernel
144s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

echo.exe
Size

133.1MB
MD5

bfadc181245478806f97cfbaf4e06c57
SHA1

723a150dcbeffed304ed3421a6b35c61d1b009b6
SHA256

2312e8fb1738a48e0527464968cbabd8d02dbf69cde9e3cb61dcd47d78ad1381
SHA512

09c1116b78954066fb050f22a46402d91e05b6f7225432e8989863c198ebe01155b4a9432a9665dffbaba82b72ac12016b5587284bc9df3b52403dfbbec54b33
SSDEEP

786432:xcgzAL4pDrN1IeBzLwgB7jpjCuaZuggecoBxjQHikt3lumUPQbGaCRP:2dL4pfTIeVLwgB/cuafC11Px

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	echo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	echo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	echo.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	echo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	echo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	echo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	echo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	echo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	echo.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4764	echo.exe
4764	echo.exe
5032	echo.exe
5032	echo.exe
2536	echo.exe
2536	echo.exe
2536	echo.exe
2536	echo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 1412	1700	echo.exe	83
PID 1700 wrote to memory of 4764	1700	echo.exe	84
PID 1700 wrote to memory of 4764	1700	echo.exe	84
PID 1700 wrote to memory of 5032	1700	echo.exe	85
PID 1700 wrote to memory of 5032	1700	echo.exe	85
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87
PID 1700 wrote to memory of 3244	1700	echo.exe	87

C:\Users\Admin\AppData\Local\Temp\echo.exe
"C:\Users\Admin\AppData\Local\Temp\echo.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\echo.exe
  "C:\Users\Admin\AppData\Local\Temp\echo.exe" --type=gpu-process --field-trial-handle=1608,7588697082596155615,641256586861443668,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 /prefetch:2
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\echo.exe
  "C:\Users\Admin\AppData\Local\Temp\echo.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,7588697082596155615,641256586861443668,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --mojo-platform-channel-handle=1860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Users\Admin\AppData\Local\Temp\echo.exe
  "C:\Users\Admin\AppData\Local\Temp\echo.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --field-trial-handle=1608,7588697082596155615,641256586861443668,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\echo.exe
  "C:\Users\Admin\AppData\Local\Temp\echo.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-websql --field-trial-handle=1608,7588697082596155615,641256586861443668,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3244
- C:\Users\Admin\AppData\Local\Temp\echo.exe
  "C:\Users\Admin\AppData\Local\Temp\echo.exe" --type=gpu-process --field-trial-handle=1608,7588697082596155615,641256586861443668,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\echo" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Network Persistent State

Filesize
1KB

MD5
dd2fdd3b9328f85315374322573e1311

SHA1
fb0a08c298794872236bc1a721843c6503422d91

SHA256
b949a99f970f4e196dcee29564a1d098851fb39ac3c75afb3ad4a53d1f9769e0

SHA512
b7c7dc45e93b13f83e4ec346c2cc773ba0a78cf313014f76fd1814173ca3bdf64ad3127599fe66a122258de44c358fef4aa2d95092553db9abec09e61a3e7c5e

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Network Persistent State~RFe58b8bc.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Preferences~RFe57ccd5.TMP

Filesize
202B

MD5
01ae3fc8ed8354495892f7c662dff8f2

SHA1
1565b4b1e589830df0c5c03e88427758a09f4f2b

SHA256
c4c42a1c8f3115bd2a468ccc99c118cc37835500ef5076147723ae69955561b7

SHA512
6445ab923f365c67f5016c3dde54556be2a6c6657b5fe306ab8dcd8a4ed1bac161bf09a9312acb011eadbc4e9a83d88ec1297722148e73cd3ddd2edd2862f8f9

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
ec98b39e65f335cc61d88f111819f92f

SHA1
a9831bd13952c947e0a57d3d706002f0cefd8b6a

SHA256
85b5defae0c0ed5afed4fd4a18c89e37c452f260abd1a30a1553b10d77f83065

SHA512
b74f417126524fd006c1ea385a4ed2734eb0337458fea96cb7954abb12fe5660f15615d27453f01e9e784d439213384dc57fb5a25caaf367b1c80a087ff236bb

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f8d7.TMP

Filesize
72B

MD5
68e161a1ce8182626b0c7256767c34ce

SHA1
f14f31281ce52f97e6c6215a7bbbda4fe49ddf9d

SHA256
b85feebb526526b5e9ffbf591a08b6cc41ed2c5418894eb1c69da470638267ae

SHA512
0f0d2979b55ae82dd63426a5ab714d7f7466358b954fca91e38d893f9ab942d060fc49d165226191d5033ee489341f084d4b4c8165ab6e2fcfa5da0ca6241fd2

Download Submit
C:\Users\Admin\AppData\Roaming\echo\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\build\prepareInjection.js

Filesize
1KB

MD5
1de10732e6d50c3a4ebf0b3a8d3a43f1

SHA1
065161d944b10728a2dbd673988c20cee1639ceb

SHA256
b51e4c56e9916093f02b4889633ed313dee7f6f8393c808dc039a92ad9489729

SHA512
e11e7312ebbc06896f82c26d74a0edca7f4014ebba06031ec7452994bbdcb6e01df8b10e5a0d30ce4f8ec1174383bbd7efc31b243b5386b52e8d0aaa9bffb344

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\128-deadcode.png

Filesize
2KB

MD5
95c2da7d58ac4f57f4162d4b521d1c2a

SHA1
964c06f2b50bd34c77ff760c939ccafccb8298da

SHA256
e3e4ce549604652a6a573550f34b3994992d7d70bfd39bf69fc30cfd769b75f8

SHA512
765ddb52aed9c28e7ccf22768b432e7391a407cbbd0be75722ff59f438ed7208eb94b78cfa1a90701f2dede8f153169d2caa379355f2b3532e465878f336e2c5

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\128-restricted.png

Filesize
1KB

MD5
976735be5c5ef4986782407579e25c50

SHA1
1a72c6f1fea87fe8e79d14c72ad5da6ab6d9b761

SHA256
cbde2b973624ad785f37523efecca9721813354f2a7e21ecd305560acc138c06

SHA512
8288ebd7f1bcfccacd9092a30f09ac141620710400856300f1c1056e7012c3066fadc8128c6ca1d567a289af3967cd8c9b3d562421e00132fe9680e4172f56c0

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\16-deadcode.png

Filesize
338B

MD5
2bd352e9368664c7aba97f61df7c407f

SHA1
232e5ea71cfa6276254862afdff99835136a4f31

SHA256
705902c00dc5cf4ac85d9eac512a17b2e0bb427dc98cb2cc8f19322a95600076

SHA512
7fa71202d4aa7eab73e4695c5c6a1a667ee2e8ed2eb2839bcc8da5404f0edf54d20e095df6af9bfb95a08f6044b3e2f51ee85bf2d28440aefa35d2af8362bf1a

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\16-restricted.png

Filesize
288B

MD5
7b2b93a5c23de8b45be5076bec86cc03

SHA1
7bf00b51cee062b2a6f0e7ba8e6fe892b2665e96

SHA256
131e9ff247e8e9257351129b203709d8a8a25488f7159b498d661ba8510efd7e

SHA512
93be1bebae3a2ccc5fcd8ad97b96529e6dd7f8eb1f68fa6a20a7c6c006222ade42915f5bc0199ad2b2258272e9001969a830d6a0536ce0b127176465c5b082ce

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\32-deadcode.png

Filesize
561B

MD5
7d81fdce34f01d8229f67cbed8ca30de

SHA1
2d147ca07846a5c33271a3cd9fee58be0b041088

SHA256
53b429c91414bee3fe255328029eff513f172fffc41fd63d95aaadb697ce71a5

SHA512
4e64518b53c83c075bade7171989a7f796f7d4ac63ddab47ae938bb55ade22a1ea04c208a16c4ec87a6535a57100eb51b7f80b24887c2a96eb2f5758e2615d22

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\32-restricted.png

Filesize
490B

MD5
a224d8a9e39b203054da833b0636ff06

SHA1
8acf99866b257c7b5b38c5708870cd17d3d7b13a

SHA256
1141df69cf1d1985c49f795b65acba57e4d2399e6ff50bb3e6bdc0b710f27804

SHA512
7c4d5daa2fb4a7285dd747287ba56e3c484973cb9f01a49dc0926aab0d4ae0295586707ea312560782abed6409a62ef3367907fa77863276cfbed85449b16315

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\48-deadcode.png

Filesize
826B

MD5
5514edc867b037351d2d01cb8b204d3c

SHA1
55070782e7049bf2d6c45be7605d193630f22eb1

SHA256
546c0260ab5a03c3075e9278956019214bb6433de266c6f95b7021c0115070e2

SHA512
f8ab9ad7e9ab9836580b6d99415250d01dd8be53a01a4e0658031d25d7c891f4e8ae4add8a86aae55522d118a771c2625d359aa504cf52244433955301d17079

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\48-restricted.png

Filesize
730B

MD5
f1198971a65f0c320a18931b5a6e9e03

SHA1
5783485687ae3ab6bcbb07f203dcb92211ada979

SHA256
0ddff2151123e022e007e09576a6b030c38021d0fffc7546f0c9a1b8529813e2

SHA512
bda8969740bb4320095f4d5b4bb185ec8f881307640eec1d917c20c0f65b7d43ade107334de6d01ee7334930909e55090cb7eea771ac2e199db6b811d72ee512

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\development.svg

Filesize
3KB

MD5
46bb24f5f8540049a459da5b12ee1478

SHA1
e8189f6545038616eca6ef33068093dbaeb66350

SHA256
acc667332543cd491097b281fd35bd49bf435768d4cb2ab8f579740072756313

SHA512
89b74512db2792b409f1ceaa275fb1e8d7eefdb195bcab76c7b489228c822a6a68182d93c485956d16c02e310e4d3d3f6da7a561f93d0e0034627339d6848776

Download Submit
C:\Users\Admin\AppData\Roaming\echo\extensions\fmkadmapgofadopljbjfkapdkoienihi\icons\restricted.svg

Filesize
1KB

MD5
3cd7ad037efd1fa2a7477031af2c2809

SHA1
ec5c179569f1add1f0ea8a69d622b36013ba72ac

SHA256
279310c2dfe871f3f6a875ef3d5cfb8922d37faeeb9c127ec312aeebe1c51cd3

SHA512
b2349b5a3decd559999f96c5b4886acb9d39ab46562d3dca1ffba049573c7d99980fd9c5272dfbc72059afd89a6d435bc81a2fd0adfb606ad9057c24b6b3f4c8

Download Submit
memory/1412-2-0x00007FF970D00000-0x00007FF970D01000-memory.dmp

Filesize
4KB

Download
memory/2536-325-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-326-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-327-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-333-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-334-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-332-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-331-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-335-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-337-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/2536-336-0x000001C0A04D0000-0x000001C0A04D1000-memory.dmp

Filesize
4KB

Download
memory/3244-258-0x00007FF971F80000-0x00007FF971F81000-memory.dmp

Filesize
4KB

Download
memory/3244-259-0x00007FF972920000-0x00007FF972921000-memory.dmp

Filesize
4KB

Download