Analysis
  max time kernel:   168s
  max time network:  182s
  platform:          windows11-21h2_x64
  resource:          win11-20240802-en
  resource tags:     arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         09/08/2024, 21:09
  Static task:       static1
General
  Target:  Echo.rar
  Size:    9.8MB
  MD5:     def6a41693abf6866d1b6e156356ba41
  SHA1:    58a8b0330665a15a28cafb5b658816dd42e838eb
  SHA256:  839405fab88991656929ad868ecf90ca1f8bb064d60721711457399fcb4a34e2
  SHA512:  7daf710f6f44683e958ad23988f0b02e67ce8726ec113d2d1767c3dea8591c85c9105b542269cf489b0f37aaa56ce63b728ee25e295f9692cb6d8b13b528e614
  SSDEEP:  196608:mKA3QpdKhGaIL9h+59ltPh6atEfo+MituxqQNiCOhtL0nDPWQT9ovDrisZW16PPI:oApdGILXePPrEQ+VoNiC2ID+ue70s/rc
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 4 IoCs]
  description   ioc                                           Process          count
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   echo-e374e5.exe  x4

Checks BIOS information in registry  [2 TTPs, 8 IoCs]
BIOS information is often read in order to detect sandboxing environments.
  description         ioc                                                              Process          count
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    echo-e374e5.exe  x4
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   echo-e374e5.exe  x4

Executes dropped EXE  [6 IoCs]
  pid   Process
  2316  echo-e374e5.exe
  2452  echo-e374e5.exe
  2856  drop_echo_into_this.exe
  4820  echo-e374e5.exe
  764   drop_echo_into_this.exe
  1772  echo-e374e5.exe

Loads dropped DLL  [2 IoCs]
  pid   Process
  4820  echo-e374e5.exe
  1772  echo-e374e5.exe

  description         ioc                                                                                    Process          count
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   echo-e374e5.exe  x4

Suspicious use of NtSetInformationThreadHideFromDebugger  [4 IoCs]
  pid   Process
  2316  echo-e374e5.exe
  2452  echo-e374e5.exe
  4820  echo-e374e5.exe
  1772  echo-e374e5.exe

Enumerates physical storage devices  [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  [1 TTPs, 8 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process       count
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   RdrCEF.exe    x7
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe  x1
Checks processor information in registry  [2 TTPs, 2 IoCs]
Processor information is often read in order to detect sandboxing environments.
  description         ioc                                                                  Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        AcroRd32.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   AcroRd32.exe

Enumerates system info in registry  [2 TTPs, 6 IoCs]
  description         ioc                                                                  Process     count
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe  x2
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe  x2
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe  x2
Modifies Internet Explorer settings  [1 IoCs]
  description   ioc                                                                                                                                        Process
  Key created   \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION   AcroRd32.exe
Modifies registry class  [37 IoCs]
Suspicious behavior: EnumeratesProcesses  [16 IoCs]
  pid   Process                  count
  744   msedge.exe               x2
  4104  msedge.exe               x2
  4292  msedge.exe               x2
  4976  msedge.exe               x2
  2856  drop_echo_into_this.exe  x2
  4820  echo-e374e5.exe          x2
  764   drop_echo_into_this.exe  x2
  1772  echo-e374e5.exe          x2

Suspicious behavior: GetForegroundWindowSpam  [1 IoCs]
  pid   Process
  1860  OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  [4 IoCs]
  pid   Process     count
  4104  msedge.exe  x2
  4976  msedge.exe  x2

Suspicious use of AdjustPrivilegeToken  [8 IoCs]
  description                  pid   Process
  Token: SeRestorePrivilege    4660  7zG.exe
  Token: 35                    4660  7zG.exe
  Token: SeSecurityPrivilege   4660  7zG.exe
  Token: SeSecurityPrivilege   4660  7zG.exe
  Token: SeRestorePrivilege    2140  7zG.exe
  Token: 35                    2140  7zG.exe
  Token: SeSecurityPrivilege   2140  7zG.exe
  Token: SeSecurityPrivilege   2140  7zG.exe

Suspicious use of FindShellTrayWindow  [54 IoCs]
  pid   Process     count
  4104  msedge.exe  x26
  4976  msedge.exe  x26
  4660  7zG.exe     x1
  2140  7zG.exe     x1

Suspicious use of SendNotifyMessage  [24 IoCs]
  pid   Process     count
  4104  msedge.exe  x12
  4976  msedge.exe  x12

Suspicious use of SetWindowsHookEx  [19 IoCs]
  pid   Process             count
  1860  OpenWith.exe        x9
  3372  AcroRd32.exe        x5
  1420  MiniSearchHost.exe  x1
  2316  echo-e374e5.exe     x1
  2452  echo-e374e5.exe     x1
  4820  echo-e374e5.exe     x1
  1772  echo-e374e5.exe     x1

Suspicious use of WriteProcessMemory  [64 IoCs]
  description                         pid   Process        procid_target  count
  PID 1860 wrote to memory of 3372    1860  OpenWith.exe   80             x3
  PID 3372 wrote to memory of 4688    3372  AcroRd32.exe   84             x3
  PID 4688 wrote to memory of 756     4688  RdrCEF.exe     85             x41
  PID 4688 wrote to memory of 3708    4688  RdrCEF.exe     86             x17
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Echo.rar1⤵
- Modifies registry class
PID:1576
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Echo.rar"2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B81308981F26C5DEFF2AC677E5B9628A --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:756
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7CF328C22160BFC6A499734D32A59256 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=7CF328C22160BFC6A499734D32A59256 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:3708
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D68F2BA31686D8CF29FAA187DC482FC5 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:2744
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=311BDE80754FC2A469EDA224AD4537E5 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:2068
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5D751870FF9FFF12A5279FBA4D928332 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D3739F5938A6E74CFAC7718FBCC305B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode 
--service-request-channel-token=2D3739F5938A6E74CFAC7718FBCC305B --renderer-client-id=8 --mojo-platform-channel-handle=1964 --allow-no-sandbox-job /prefetch:14⤵
- System Location Discovery: System Language Discovery
PID:1948
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4156
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4104 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8050c3cb8,0x7ff8050c3cc8,0x7ff8050c3cd82⤵PID:1976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,4604864275170033548,6825654815578707558,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:22⤵PID:1316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,4604864275170033548,6825654815578707558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,4604864275170033548,6825654815578707558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:82⤵PID:3500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4604864275170033548,6825654815578707558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:12⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,4604864275170033548,6825654815578707558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:684
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2344
-
Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4976

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8050c3cb8,0x7ff8050c3cc8,0x7ff8050c3cd8
    PID: 3044

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,4805276500564595915,3830432970479476213,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
    PID: 1028

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,4805276500564595915,3830432970479476213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 4292

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,4805276500564595915,3830432970479476213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
    PID: 4604

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4805276500564595915,3830432970479476213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
    PID: 5084

    Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,4805276500564595915,3830432970479476213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
    PID: 3732
Process: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Echo\" -spe -an -ai#7zMap18582:88:7zEvent15752
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 4660

Process: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Echo\" -spe -an -ai#7zMap25398:88:7zEvent32388
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2140
Process: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe" C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 2316

Process: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe" C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID: 2452
Process: C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe" C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 2856

    Process: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 4820

    Process: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause
    PID: 5028
Process: C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Echo\drop_echo_into_this.exe" C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 764

    Process: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Echo\echo-e374e5.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 1772

    Process: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause
    PID: 2524
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 483c808290bcc0c9ef9f4166e352d365
SHA1: 4f9eddee3a569d7ce8fe120a28cbfbe05b7c7f9f
SHA256: eceb283e1e61a3887a083119a6a3f1585ce44bb4a152c2c8b3aa280e5695d125
SHA512: 563e9ec8c79ca3561e7d3302fe8020940f481a934cf095eed478c0fc77eeb98751d2a052d999e42a704b56548c98303aacda775e25c64a521afd712cdc0abe13

Filesize: 152B
MD5: a79b769136e0f49b610fdb93ff8617c5
SHA1: eaf0e9bae914904a93905eb40fcb2c8ed1800c75
SHA256: 22ba405080c8957dcf55576af7399e5dc7e855cae90bf48950b536f16043e3d9
SHA512: 1550feac224a13fc428120bb10e33778270224b7c1c8b6faedeeaf1b3908bb803a12c95ff77696a36f06f16a82fab9873a92744a6204f9e414d48d355e3d03ff

Filesize: 152B
MD5: 9f081a02d8bbd5d800828ed8c769f5d9
SHA1: 978d807096b7e7a4962a001b7bba6b2e77ce419a
SHA256: a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e
SHA512: 7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Filesize: 152B
MD5: 3e681bda746d695b173a54033103efa8
SHA1: ae07be487e65914bb068174b99660fb8deb11a1d
SHA256: fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2
SHA512: 0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5f08db68-73a8-4180-8445-0cca65b1562b.tmp
Filesize: 5KB
MD5: 39fb9886aba6f109facf83cc9a1b5b3a
SHA1: 1e7c6a2a9e45d65646e5affc5fa0695616d18d92
SHA256: 0c4c5e649fdf0238bc62a1a3f2c4749441fd98b079dd2cc4d31a93b229883a93
SHA512: 4a57952f70d2a9bf98d41fda17f828e756e24772b4b749b357b16c1759b79435a417a6c14229bf91e297d993b98c9b08472427fcea6a8d5c9b2327ddcd32a74a

Filesize: 44KB
MD5: 92bbeb6a7c41c2472aa9a0e22e22e1a5
SHA1: c8a03c708d0a1e878d3d5fd02ec0c23727d84ed3
SHA256: 8741b87e3d6684f0567a53ee025f8d21883d5f94dc06683c897a4678b42053f0
SHA512: e7dba7972ed7cd77058cac289ae8edff729565a9fa76002bfd431071979f59ce409ea3eb65f3acd96a30ebed362931e46e526f4965e2736554ee8a61f42e52e7

Filesize: 264KB
MD5: 463abfa3b2c59965925b6eb44cdc9e08
SHA1: c5a29e1052b43931d30288b0c5d8585dfb3966d3
SHA256: c9c7791b1b82e4ea4eff8115638a1d9bebdbad6844097256e3e58f445963f62d
SHA512: dd6b3d49fba29ff9a83a5f259a76e01dc522c148330294e5ac1ccc5b8f2bd7f99d78b12622ba3656d66539d1eff82b65937703b66cdc6db36f5eefecfce56b76

Filesize: 264KB
MD5: 29cc12faa8ef147324784c5c6990333e
SHA1: e99978c8b6bba954146ca3cbeeab78c8b5f9251d
SHA256: 2858b575c71c235cf19a044e94ac5ce6102d599a231836de15761955f98a660a
SHA512: 6b6ca63ad74f2da89c93f72a6b8864ab7ede75683569908d99df3d64b8a5306206353416af5e3354e2ecad843d58c42c9d8127c4aa49a4adc185d6024f0f09b7

Filesize: 6B
MD5: a9851aa4c3c8af2d1bd8834201b2ba51
SHA1: fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256: e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512: 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Filesize: 331B
MD5: 40ca9c2aa95b57b88544ac5fa2f89c5a
SHA1: 5c00b09c97a11d79d4a0345f60c1bd91d0d27981
SHA256: 59f2e57bd8f70ccb9fb354e941d42ec3cc899b5360f6fa36afba0572de147a92
SHA512: c1ec8e3e4864012bb335e36d82e0182eb2c760b7cff0cf8da5219713a0cff9e708c3eba16615206bfb0c33f43487add6e50d26ea07d957953d1a8ceac6548ab9

Filesize: 6KB
MD5: 4f4573e3c03c78388fc6ded2bf753b05
SHA1: 03f517b1da14dd76ee20528b82f9801e264cf76e
SHA256: b5f4ef41839e58ff9ee27b7c76c5a2c694506bf4189ec7502011bf00bc12a83f
SHA512: da3ab1ae8e56eda2753e4ee99a8447d038d7ceb7725ad340cb08d6946362fbd3c2aa5b1c306d554193049b07de86d18c47ddabdf90af2cb98c8b644f3cd6a3be

Filesize: 6KB
MD5: 7280e156108f98906fab0e3e0b286964
SHA1: e0d64aafb763b9218bd2f7ddc313fe59160d1642
SHA256: 1281acbe17573366122158281bf16edc28ba961f57c6e49c8ec934458f4303c9
SHA512: 2e7db84106788b13ad8eb27bd962211055e4ca2d27fdf8035f4c62a7329da52b94d37eb8d8f387e117df06feec50992a9b6c58d71d122520829f33731aed1c01

Filesize: 6KB
MD5: 7610e0a2c37f396c47f1e0633606ec29
SHA1: 27fca1838fb5dfc509a0087bd8a20ea110c9bc60
SHA256: f3f3a5743f4a95be798e4970a17edc2abb682dcef2210e40ac046744cea4e688
SHA512: 0c86b2e1b9a6215c6ef0fc07394b3b5330d884396957c1c8fff544632461a084f599cee00ed37db45381b2c3b7578a892275bb6beaeeb0e0b5a6663e3241a74b

Filesize: 137B
MD5: a62d3a19ae8455b16223d3ead5300936
SHA1: c0c3083c7f5f7a6b41f440244a8226f96b300343
SHA256: c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e
SHA512: f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Filesize: 319B
MD5: 7b0b78c6e2ac239a8792251a7a178e81
SHA1: eb716292d9ae093865863d09a20c513112a61a49
SHA256: 89fee80103d78cb0224803820f2e685b0326d9ef88c493d000dedca190625a40
SHA512: 9316e5795520b3154af1bf6398f29ad7f5dc8f2f56f0c4cd92950ea0d51706496fbaa302fc1c3f8aa48da6634eed7e9a03be185f9eb197ce6c9fff96fa53d370

Filesize: 457B
MD5: 5c87b1cfa850ed659bd29befc4911755
SHA1: 4d2c760a3e80f1d8899254e6519a8ae99fa5fd8b
SHA256: 563d2514f100ed05323fa07fff4e910d741f0fe8839b4b70422d27cf55ab1101
SHA512: 0b2ebdc85ceba110a4e1074497ef3ca0c2f002f49ea4feaf906a4f8ee08b9bf91f9c73cae9f667bae7a974449a4957c1748368b5e8212dbd250e0a6bbf4aab73

Filesize: 717B
MD5: c5fdb73a13cd68fa405b666fa347c948
SHA1: f3c693baa203505e4abdf20b9b0001adf97eb2c0
SHA256: dc35f274ba3e0763bc502585fa6d513908cd245ea5f7f9ab8bfd500f16e2abe8
SHA512: 98ea904c4d7d1a479fc491db684dc0086a7f5e8a6d9aa818c5d541f36728bd15b5cee61329072ea9d6d465fbd5283a26da80c2c3f3ba586532c193ef28dee6ca

Filesize: 347B
MD5: d3725b4bb7ab5b0e68b549e31cbba96f
SHA1: 86735b53f639b6505016bec2d14ed1b61f50e166
SHA256: 490dc405c4c30bfd8f19d51b57429e52f83242ec1beb99c98de7041c818cf56e
SHA512: 75da0041657d8ab234d79aafa546c930895aae5d10fa7a9d13aecbc840c5f0279b3abc2c55b4eb8e73f9853dc8955f853e2ef62be38692297af5f265e040ea29

Filesize: 323B
MD5: 4458f0c1dca2d4a1a94f464f31f63919
SHA1: 785533e230f56c76cbd2436729a34b8d03b6efd7
SHA256: de68a9308723ee03c6ebe526168334e264378f9240b347c0f3fc67db0f9dae0b
SHA512: 60b7a93e36dfbcb9f3d9062bbd73d18b73a06d30ff74795d373861b483f9a258f5c355ed6b2a339290d5ab62cbb0ff646a3e1dd79a0678d31546ca69b41c1b48

Filesize: 44KB
MD5: d33b849aac324800a062e06e8d86db95
SHA1: 631128446d55c54db5a89d2b5a93c6fee3867967
SHA256: adf438758ca5adab1e508996e102a893440fd08a5fa8b2e652019516afa84f29
SHA512: c3f5bfdcfdb5be28a5674d4d9f9e12990d8bed08bd74225029e7455e020cf9e2ef3630724bb837cb15cdf4f0890b11605a2662b49c0450548bf0d6d97e383511

Filesize: 319B
MD5: 2c6727f1769ec51e9764c4f04b10d782
SHA1: 07ae4ed05416574a3c1b9d0d930e0b9d72a81e32
SHA256: 9ab8c127a9a37f10220fa9f630af3c1d2e3e91918f63bd85a437d581a1b7d18c
SHA512: 036fe76ef953e2bd7ea578cdc2fe1b74a46899785ee96f2ac4c6c3c897378337f323c80600182ba8b33ee472f4855e6a35b8caa4ab8cf820fe8814a840eea538

Filesize: 337B
MD5: bcb1eb3203976b274760c082a2b89ab7
SHA1: daa2dc3e11e33e1ee8e0f3e8f96c126aa3a2b1a6
SHA256: 953277e1fc43d2766520e8cc3b56f2791f944ac7bec92cdac927188abcb630ea
SHA512: 29ed9bd11ed0209245f24f1a733f5f4c106e7109452bcf03596a0c20b39bfc5345a2653eb8be12bb30c7586b034e86e4a25d8678d79ee129ff1b03f2e96a7466

Filesize: 44KB
MD5: e8df015087bd64472cf0aad6fc799761
SHA1: 749b1eebf64419c2564e4883b26e992a5b903e4c
SHA256: fcc6d35d98ba2bdda4ad27a0f22358d05693d1060f407c372091aed4bb9c5b03
SHA512: 0b0ddf527c0dd60a9ae5465c560869aec902a00592c1fdf49805f6bd31f8dddd52a47fb897ec63e6c00eaae3fd1448d7bfd455fe984d4f8627f4a6b533d58165

Filesize: 264KB
MD5: 0a8c941f4b144bb41db404e664856835
SHA1: 180546c4474b6ddb61ade0c10e3ec6a3a9b80513
SHA256: a6e091c63e51cc964fd54933628e282935ae89e4965f586a82b20b7f1e4870cf
SHA512: 68bc06d5732b9b2af9657c3c4f44693d599225a2f8bd9d7803e557ca439bad48e834c0f4b6bc385eea27793e3478872716a12fc887d40029fec638d0f101f3f5

Filesize: 4.0MB
MD5: 05decde88c4a286ff3de4a11ccfab18b
SHA1: 149253a1ff8f6da64ba07d399be6e017cea42f37
SHA256: baa90be3677fc5515c6552af162494126502558f9c0e8eebb50865659723c618
SHA512: a433a57adc61f1b531f31acbc5558af8fc02b61b13d63bf5a324b069cc5d6e3fe4cec35222895cc0a3b798e413a034e580cb866fbf318cdc5c304cc78713dee0

Filesize: 11B
MD5: b29bcf9cd0e55f93000b4bb265a9810b
SHA1: e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256: f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512: e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Filesize: 10KB
MD5: c8076c132fef7ed3ffac9a810fc9d637
SHA1: 5a097c11c61aa96af564e3a35a7ad5b5f66d977e
SHA256: 554693dd0dbc62897a0c6d61a46b423ea84a64f5dc4b5cc028656a5624fa0618
SHA512: 864cea459a789594fa13405690a125d5c37ca1d9ee829821c03057c832588c168b83309579bb8648ec024b1f330c3e7d76930d0a74258694e8c9e5e203991fb0

Filesize: 10KB
MD5: 80ceb25a9119d6e76aaad4e6940bd1db
SHA1: cc2c0d1e3ef945d2765049d2dc8e8572dce5564a
SHA256: 63d22ca75e3866c385452c63f5e78e60c4258986d38f976adc8e9e93e19ff586
SHA512: 1d10f23737a19d61b1de887fbe44e701e683d5c27da6ff1895a6e57a2b32be7b37902834220966f5bccc3328126ccf3a80f8c45f927f45bfac6a15693999799a

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 4B
MD5: 96ff12f467e3fbe4239417f56cd4fc9d
SHA1: 1e4b4ac9b537368f6d2fa93c9e83108062a24589
SHA256: c26ebe396235fdb5c76682f2062015d6d15139e4977266c4003fd090a5018971
SHA512: fc0d9b594ec9774aefa1b86833782db04317cf424323a6c0365fe1b8981fffc73c0aa6bf8805516d6256c99d40ec3cb9d9e4f8b22b61e8bcf928465b2e780179

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: 27152171537c47796aa7194ac41383bc
SHA1: 430c380ea885fce765a771cc40cbfe6358b4d04c
SHA256: 28276ad4adb3f540918a28a722f10a63406037b96a14e05565e31ec90c605c22
SHA512: 044ded8d45d2249f69ae617768398a33cf060618f1cb583aa9d9a34171de10bf3e23f6e49b3c0b8ca872f5ecbe98e841168fb3e94fdef2efbb299a3cbc01f616

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize: 10KB
MD5: f8f606a032719f0447a78d9b50fb672f
SHA1: 45d741cb2185064eb8c06a91d79c928fcb657abe
SHA256: d5e5bb3e87ef84f4e352d277fbe38a57f65ed50c0f8309dbff43d57af778b3ca
SHA512: 96169b9bcfce9f671452010340d707e2dd3a60a1ba2847cccbf1fff2dd11d0f74dfdc74cb9c20015bdbe95479f52501f9ee30ac634f547006104fba349472b65

Filesize: 3.6MB
MD5: 01d3cfe58eb02dabd19f63788a4b0b91
SHA1: 90089324136c05374b1c7588c45c38b02da0dd50
SHA256: c8a23d40a7b05943077d304b351281e523fd42fdb4b43bdbc84c3c704d90bde0
SHA512: 6338e6d7c0bf289e1be78b7319c5bfa86f37f207a5745aa5f5e20a1b65722feb5f9d562d0103aee673dbacec35dc7083260572bf03d7c03f616947719c78f176

Filesize: 40KB
MD5: e77a654bce0924323b9d5c41133423fb
SHA1: 74a21fae2ed74488bcf3d45e73d912911441052b
SHA256: d02dcc3f4e18e9b28da942926ad2eddd36d8b7ef865fcac414ad7965b9653582
SHA512: 5933a4dbcd58fd03f9a755278e0260c3f652092beaa311a03f72c53f6b36f01f66886fd49e6318ed5bb2fafdcf6682f63ed913d284155eb786e8ebbf289fb7ce

Filesize: 11.3MB
MD5: ceb4fde10a2aa0c94f3c8f397c42d81c
SHA1: f8574169f838b8d397db12075febc42e055627c6
SHA256: 5495798b44a5b9cf2086dd60b3245d016c841296d26cd3cc169b77931763e0b9
SHA512: f00dd4db714c6c8335a569eeb5f22de1d4b1cecf3b41ceb0f9bbef5ab5b0764896fed9aa932f310d64cde462870183d9ee548307872c72a767d59776773f8f2b