njrat | 41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6

Analysis

max time kernel
5s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

achwithrat.exe
Size

1020KB
MD5

e409c85a0d1dcf43d2ed11c436e9aabe
SHA1

a221ecf82df1650b6a34b15cfcf052581d316aa6
SHA256

41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
SHA512

9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828

Score

10^/10

njrat gay evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

gay

4.tcp.eu.ngrok.io:10296

Mutex

f61a5d905ecbb8c8be462972af515144

Attributes

reg_key
f61a5d905ecbb8c8be462972af515144
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata
Executes dropped EXE 3 IoCs

Processes:

jopa.exeach.exe2.exe

pid process

972 jopa.exe
2016 ach.exe
1648 2.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3488 netsh.exe
Loads dropped DLL 9 IoCs

Processes:

achwithrat.exeach.exe

pid process

776 achwithrat.exe
776 achwithrat.exe
776 achwithrat.exe
776 achwithrat.exe
776 achwithrat.exe
776 achwithrat.exe
2016 ach.exe
2016 ach.exe
2016 ach.exe

pid	process
972	jopa.exe
2016	ach.exe
1648	2.exe

pid	process
3488	netsh.exe

pid	process
776	achwithrat.exe
776	achwithrat.exe
776	achwithrat.exe
776	achwithrat.exe
776	achwithrat.exe
776	achwithrat.exe
2016	ach.exe
2016	ach.exe
2016	ach.exe

Drops file in Program Files directory 32 IoCs

Processes:

ach.exeachwithrat.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ach\5.png	ach.exe
File created	C:\Program Files (x86)\ach\9.bat	ach.exe
File created	C:\Program Files (x86)\ach\11.vbs	ach.exe
File created	C:\Program Files (x86)\ach\6.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe
File created	C:\Program Files (x86)\ach\1.vbs	ach.exe
File created	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\skleika\__tmp_rar_sfx_access_check_7078997	achwithrat.exe
File created	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\4.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\9.bat	ach.exe
File created	C:\Program Files (x86)\ach\__tmp_rar_sfx_access_check_7079668	ach.exe
File opened for modification	C:\Program Files (x86)\ach\1.vbs	ach.exe
File created	C:\Program Files (x86)\ach\5.png	ach.exe
File created	C:\Program Files (x86)\ach\4.bat	ach.exe
File created	C:\Program Files (x86)\ach\7.bat	ach.exe
File created	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\12.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach	ach.exe
File opened for modification	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\12.bat	ach.exe
File created	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\11.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\ach\7.bat	ach.exe
File created	C:\Program Files (x86)\ach\8.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\8.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\skleika	achwithrat.exe
File created	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\6.bat	ach.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Runs regedit.exe 10 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
3320	regedit.exe
3408	regedit.exe
3452	regedit.exe
3728	regedit.exe
3924	regedit.exe
3916	regedit.exe
2948	regedit.exe
3096	regedit.exe
3428	regedit.exe
3528	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

achwithrat.exeach.execmd.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 972	776	achwithrat.exe	jopa.exe
PID 776 wrote to memory of 972	776	achwithrat.exe	jopa.exe
PID 776 wrote to memory of 972	776	achwithrat.exe	jopa.exe
PID 776 wrote to memory of 972	776	achwithrat.exe	jopa.exe
PID 776 wrote to memory of 2016	776	achwithrat.exe	ach.exe
PID 776 wrote to memory of 2016	776	achwithrat.exe	ach.exe
PID 776 wrote to memory of 2016	776	achwithrat.exe	ach.exe
PID 776 wrote to memory of 2016	776	achwithrat.exe	ach.exe
PID 2016 wrote to memory of 1968	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1968	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1968	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1968	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1648	2016	ach.exe	2.exe
PID 2016 wrote to memory of 1648	2016	ach.exe	2.exe
PID 2016 wrote to memory of 1648	2016	ach.exe	2.exe
PID 2016 wrote to memory of 1648	2016	ach.exe	2.exe
PID 2016 wrote to memory of 1964	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 1964	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 1964	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 1964	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 644	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 644	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 644	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 644	2016	ach.exe	cmd.exe
PID 2016 wrote to memory of 388	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 388	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 388	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 388	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1984	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1984	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1984	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1984	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 848	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 848	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 848	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 848	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1940	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1940	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1940	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1940	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1732	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1732	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1732	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1732	2016	ach.exe	WScript.exe
PID 644 wrote to memory of 1320	644	cmd.exe	iexplore.exe
PID 644 wrote to memory of 1320	644	cmd.exe	iexplore.exe
PID 644 wrote to memory of 1320	644	cmd.exe	iexplore.exe
PID 644 wrote to memory of 1320	644	cmd.exe	iexplore.exe
PID 1964 wrote to memory of 1388	1964	cmd.exe	iexplore.exe
PID 1964 wrote to memory of 1388	1964	cmd.exe	iexplore.exe
PID 1964 wrote to memory of 1388	1964	cmd.exe	iexplore.exe
PID 1964 wrote to memory of 1388	1964	cmd.exe	iexplore.exe
PID 2016 wrote to memory of 1032	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1032	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1032	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 1032	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 588	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 588	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 588	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 588	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 936	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 936	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 936	2016	ach.exe	WScript.exe
PID 2016 wrote to memory of 936	2016	ach.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\achwithrat.exe
"C:\Users\Admin\AppData\Local\Temp\achwithrat.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:776

C:\Program Files (x86)\skleika\jopa.exe
"C:\Program Files (x86)\skleika\jopa.exe"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Program Files (x86)\skleika\jopa.exe" "jopa.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:3488

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1088
3⤵
PID:2284

C:\Program Files (x86)\skleika\ach.exe
"C:\Program Files (x86)\skleika\ach.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1968

C:\Program Files (x86)\ach\2.exe
"C:\Program Files (x86)\ach\2.exe"
3⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
- Modifies Internet Explorer settings
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
5⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
- Modifies Internet Explorer settings
PID:1320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1320 CREDAT:275457 /prefetch:2
5⤵
PID:2428

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:388

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:848

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1732

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1032

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
- Modifies Internet Explorer settings
PID:1220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:275457 /prefetch:2
5⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
- Modifies Internet Explorer settings
PID:992

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
5⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
- Modifies Internet Explorer settings
PID:768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
5⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1804

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
- Modifies Internet Explorer settings
PID:2032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
5⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
- Modifies Internet Explorer settings
PID:944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
5⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
- Modifies Internet Explorer settings
PID:1768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:2
5⤵
PID:2336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:2628

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:368

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:2656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:332

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2704

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3408

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2756

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2836

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:2948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2892

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3096

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2912

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2960

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3452

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:3012

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3428

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:3036

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:3064

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3924

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:2268

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:1584

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:960

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:1376

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:2520

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:2304

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3700

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:3544

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3740

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2996

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3768

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:2588

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:3916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\9.bat" "
3⤵
PID:2324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://wipet.malwarewatch.org/
4⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\12.bat" "
3⤵
PID:2888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://yandex.ru/images/search?text=trollface
4⤵
PID:2440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2700

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:3088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:3176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:3252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3276

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:3388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3400

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3932

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2664

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:2608

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2844

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3688

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3472

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3804

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2964

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3816

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:3496

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
6⤵
PID:3828

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3860

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:2496

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3444

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:2140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ach\1.vbs
Filesize
45B

MD5
7a89fc4808a599eca068d9d5d6da5c17

SHA1
34808a073a897f4eb2deaea3e74b8f33a3872776

SHA256
7d855d79426eca3e1fc8f6338c64a93bb90ecb51247f810c6e4414cbacbf5953

SHA512
dc6fa4265890133d4d003feafa7f6583cbcb7e1e9140babec14b65ebc704327abe4a4fb851e053b4bc889c1e12c8867dd6e1b26a78810bb7ed412aaa34b0b80e

Download Submit
C:\Program Files (x86)\ach\11.vbs
Filesize
107B

MD5
1b57e67e22f90b8a31e757997940f875

SHA1
7a67253b2b108070b8061855a9fb6d7ef1f4ffb5

SHA256
d8328176599c5cf00c14e893887b2abde72f01ee64c32985b26544558c337cf4

SHA512
cadb94ca168a455d365a390e7492a1865d2d54e3501f2924a81d69ab6cd6e539e51a2b79f23a38bd4cd97b83d2e76a8e3e344ba044a9fe9a5930b74047da3723

Download Submit
C:\Program Files (x86)\ach\12.bat
Filesize
64B

MD5
2fd614792ac60cc2a70eb01b6f9b67f4

SHA1
9296d5aabe979e5e4f72017e3012789adfaa1676

SHA256
82475a224341b16d4911d7e98e91ff3414c9913ba3c058bfd878f376e32b4ebc

SHA512
30f19b7504a2176882dfa7ba54cf851a0ed2c91b2ab07a9d5804f64f7177d3ff3e4e832cc7865ac14554d4ba6e09b732eef5a1443d960fc0d448a647ff2429e5

Download Submit
C:\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Program Files (x86)\ach\3.bat
Filesize
62B

MD5
ea0164899b0262ea4949e2bcd9f31396

SHA1
91b698e4b13755fcb6d5ce0209a5b342185bc566

SHA256
0c39352ff971f6099cdf146ce566b70e089eb15db75a42b3ae8deb13fa771913

SHA512
cf9ba9b662dc107593cc66fe21b815bbf5b05651c0e4a50029f62ff16d64f8d63185d57c96cd6984141ca62310250b7af42ef56ea6249285c97c2d0aec0f3560

Download Submit
C:\Program Files (x86)\ach\4.bat
Filesize
83B

MD5
1acc850c1f9ad9dee5c12c9bd511bc19

SHA1
2786d0b2a6f3b1518f0ffcc31fd4d2466448f3dc

SHA256
136ca30e5e046d8cc399c5ae80fee4678723dabb84e0b33211c23e4457ab24d8

SHA512
db3eef765e8de29df99fda976d7ede5ec713a090f810a4a48430e2b1d11f54656a46c46e9cc691fa645212ecc742447f13d8429bcd32de318e5df460c74eb81d

Download Submit
C:\Program Files (x86)\ach\6.bat
Filesize
77B

MD5
867b43ca89739d7c567234005c9d3094

SHA1
aa62a7c35a590ea8a90e7f7cbceb0a9ae25b4ad7

SHA256
c13a71d0d440c191560b068295ab93774969d6c81ee642a90462a1075cb25c89

SHA512
679e44414ca8c1bab9254f090e74644ceed96db05e25142a502e73b759360a6cecc46106dec59a9fc78b27a025cac345180cb8fd8e381bd1bc73db4be6dc989c

Download Submit
C:\Program Files (x86)\ach\7.bat
Filesize
17B

MD5
0d8f7695e06c0431dcc84ce926ba5f1d

SHA1
a1504b4baf7c180be7b42cb745e5af7ccc272219

SHA256
5ea8f2c0ed24467105b6eba30731f2e1fd5bb4f5cd9d17287f32b9ec850ea301

SHA512
df6e9cc73414cfa1f53d117ef8e1847a0539d44db9488d763b2fb7b6b52fb4cba5e74e96c427fd3dd9ffd68eb9b6cf047ce2bbdf66220043db19e332e6ca9904

Download Submit
C:\Program Files (x86)\ach\8.bat
Filesize
49B

MD5
b949133f46ebeabf8c49c6c7f7f4cd68

SHA1
04286a9c7641c5225c7e654904504fe4c7a0a39a

SHA256
3c08b2e29d0c97716dfc52e29bb44648fa2e38e802dd1f590b94233b6546db58

SHA512
0f1f4423bad62ed68f9b1a76e6ea0cb863a91f49036314c93e2586250edbc5ab2e48c48e568cacf825f6b7691d88856e98b39e3972a8ca582063b871de49da06

Download Submit
C:\Program Files (x86)\ach\9.bat
Filesize
37B

MD5
4e8cfdf8fcc0df4d52c0240ff9714efa

SHA1
ea56c4ff1bda995f2c0ffcf5473a55e441d3fcfe

SHA256
f473c141cf7fed8fa0d543dbd07e9333dc0975b79ae5b55e73ae015c67e8b53a

SHA512
d041322d20b2a3fe58be075120cefa06ec246e9496acdccbc907e678cf76286967d604812a214e290208c28369d57f8fe0d13fdcae4fd797c096e6d6d635df23

Download Submit
C:\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4800B951-03CF-11ED-A33B-DE95627D9645}.dat
Filesize
5KB

MD5
07c41f8a05966c4c176caa2742618763

SHA1
d608136fdbf397bf53b527ff3b4c45bf282ed63e

SHA256
d860b6980cd95e8df29fb097e66fc8b6a73a2e1730be456d85cb6ff1d5eb907e

SHA512
f3b91b82396edda44b027d91ce74de3d44cd22ab525de7f2664543003350017dac0cf6933bed0963262ecb191f761f175ef40efb30755488a5e4d80e802ef901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4872FB51-03CF-11ED-A33B-DE95627D9645}.dat
Filesize
3KB

MD5
cea06d64104f5011fec0e5e8bf7990b1

SHA1
dc416cd856e933543b3e8ef2b3c129618d9283e9

SHA256
5b71a05eeccfe23720194c3e1773a2923bc36a662d68fe76091235269b11c722

SHA512
06fde924327af7237d2ada00eb13b68112abe560f1d6e895e367b3e27257c59323db7a108677305a21877f259f3dd65e9b141ac79a01b35b216033ab5771f81b

Download Submit
\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
memory/388-80-0x0000000000000000-mapping.dmp

Download
memory/588-93-0x0000000000000000-mapping.dmp

Download
memory/644-79-0x0000000000000000-mapping.dmp

Download
memory/644-109-0x0000000000000000-mapping.dmp

Download
memory/712-106-0x0000000000000000-mapping.dmp

Download
memory/776-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/848-85-0x0000000000000000-mapping.dmp

Download
memory/936-94-0x0000000000000000-mapping.dmp

Download
memory/972-58-0x0000000000000000-mapping.dmp

Download
memory/972-69-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/972-195-0x0000000074270000-0x000000007481B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-92-0x0000000000000000-mapping.dmp

Download
memory/1156-97-0x0000000000000000-mapping.dmp

Download
memory/1448-100-0x0000000000000000-mapping.dmp

Download
memory/1604-98-0x0000000000000000-mapping.dmp

Download
memory/1648-76-0x0000000000000000-mapping.dmp

Download
memory/1732-89-0x0000000000000000-mapping.dmp

Download
memory/1784-112-0x0000000000000000-mapping.dmp

Download
memory/1804-107-0x0000000000000000-mapping.dmp

Download
memory/1940-87-0x0000000000000000-mapping.dmp

Download
memory/1952-104-0x0000000000000000-mapping.dmp

Download
memory/1964-78-0x0000000000000000-mapping.dmp

Download
memory/1968-70-0x0000000000000000-mapping.dmp

Download
memory/1984-84-0x0000000000000000-mapping.dmp

Download
memory/2016-64-0x0000000000000000-mapping.dmp

Download
memory/2240-143-0x0000000000000000-mapping.dmp

Download
memory/2268-131-0x0000000000000000-mapping.dmp

Download
memory/2304-132-0x0000000000000000-mapping.dmp

Download
memory/2312-117-0x0000000000000000-mapping.dmp

Download
memory/2324-134-0x0000000000000000-mapping.dmp

Download
memory/2588-133-0x0000000000000000-mapping.dmp

Download
memory/2628-119-0x0000000000000000-mapping.dmp

Download
memory/2656-120-0x0000000000000000-mapping.dmp

Download
memory/2676-121-0x0000000000000000-mapping.dmp

Download
memory/2684-138-0x0000000000000000-mapping.dmp

Download
memory/2700-141-0x0000000000000000-mapping.dmp

Download
memory/2704-122-0x0000000000000000-mapping.dmp

Download
memory/2756-123-0x0000000000000000-mapping.dmp

Download
memory/2828-142-0x0000000000000000-mapping.dmp

Download
memory/2836-124-0x0000000000000000-mapping.dmp

Download
memory/2888-135-0x0000000000000000-mapping.dmp

Download
memory/2892-125-0x0000000000000000-mapping.dmp

Download
memory/2912-126-0x0000000000000000-mapping.dmp

Download
memory/2948-139-0x0000000000000000-mapping.dmp

Download
memory/2960-127-0x0000000000000000-mapping.dmp

Download
memory/2996-201-0x0000000000121000-0x0000000000123000-memory.dmp

Filesize
8KB

Download
memory/3012-128-0x0000000000000000-mapping.dmp

Download
memory/3036-129-0x0000000000000000-mapping.dmp

Download
memory/3052-136-0x0000000000000000-mapping.dmp

Download
memory/3064-130-0x0000000000000000-mapping.dmp

Download
memory/3088-144-0x0000000000000000-mapping.dmp

Download
memory/3096-145-0x0000000000000000-mapping.dmp

Download
memory/3136-147-0x0000000000000000-mapping.dmp

Download
memory/3176-148-0x0000000000000000-mapping.dmp

Download
memory/3236-151-0x0000000000000000-mapping.dmp

Download
memory/3252-152-0x0000000000000000-mapping.dmp

Download
memory/3276-153-0x0000000000000000-mapping.dmp

Download
memory/3320-156-0x0000000000000000-mapping.dmp

Download
memory/3388-163-0x0000000000000000-mapping.dmp

Download
memory/3400-168-0x0000000000000000-mapping.dmp

Download
memory/3408-164-0x0000000000000000-mapping.dmp

Download
memory/3428-170-0x0000000000000000-mapping.dmp

Download
memory/3452-171-0x0000000000000000-mapping.dmp

Download
memory/3472-175-0x0000000000000000-mapping.dmp

Download
memory/3488-174-0x0000000000000000-mapping.dmp

Download
memory/3528-176-0x0000000000000000-mapping.dmp

Download
memory/3700-185-0x0000000000000000-mapping.dmp

Download
memory/3728-186-0x0000000000000000-mapping.dmp

Download