njrat | 41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

achwithrat.exe
Size

1020KB
MD5

e409c85a0d1dcf43d2ed11c436e9aabe
SHA1

a221ecf82df1650b6a34b15cfcf052581d316aa6
SHA256

41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
SHA512

9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828

Score

10^/10

njrat gay evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

gay

4.tcp.eu.ngrok.io:10296

Mutex

f61a5d905ecbb8c8be462972af515144

Attributes

reg_key
f61a5d905ecbb8c8be462972af515144
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

jopa.exeach.exe2.exe

pid process

912 jopa.exe
1968 ach.exe
2616 2.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

6972 netsh.exe

pid	process
912	jopa.exe
1968	ach.exe
2616	2.exe

pid	process
6972	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

achwithrat.exeach.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	achwithrat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ach.exe

Drops startup file 2 IoCs

Processes:

jopa.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	jopa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	jopa.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jopa.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."	jopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."	jopa.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

jopa.exe

description ioc process

File created C:\autorun.inf jopa.exe
File opened for modification C:\autorun.inf jopa.exe
File created D:\autorun.inf jopa.exe

description	ioc	process
File created	C:\autorun.inf	jopa.exe
File opened for modification	C:\autorun.inf	jopa.exe
File created	D:\autorun.inf	jopa.exe

Drops file in Program Files directory 35 IoCs

Processes:

ach.exeachwithrat.exejopa.exesetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\6.bat	ach.exe
File created	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\11.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\skleika	achwithrat.exe
File created	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach	ach.exe
File created	C:\Program Files (x86)\ach\4.bat	ach.exe
File created	C:\Program Files (x86)\ach\6.bat	ach.exe
File created	C:\Program Files (x86)\ach\8.bat	ach.exe
File created	C:\Program Files (x86)\skleika\__tmp_rar_sfx_access_check_240542953	achwithrat.exe
File created	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\4.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\7.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\7.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File created	C:\Program Files (x86)\ach\1.vbs	ach.exe
File created	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\9.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\jopa.exe	jopa.exe
File created	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\8.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\9.bat	ach.exe
File created	C:\Program Files (x86)\ach\11.vbs	ach.exe
File created	C:\Program Files (x86)\ach\12.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe
File created	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\1.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\ach\12.bat	ach.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220714234829.pma	setup.exe
File created	C:\Program Files (x86)\ach\__tmp_rar_sfx_access_check_240543859	ach.exe
File opened for modification	C:\Program Files (x86)\ach\10.png	ach.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f1b30ab8-6631-4c81-b206-71bf1ccce3c8.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeach.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	ach.exe

Runs regedit.exe 10 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
4860	regedit.exe
1980	regedit.exe
4524	regedit.exe
6388	regedit.exe
6348	regedit.exe
6504	regedit.exe
6628	regedit.exe
7892	regedit.exe
4452	regedit.exe
2276	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exejopa.exe

pid	process
5760	msedge.exe
5760	msedge.exe
5744	msedge.exe
5744	msedge.exe
5820	msedge.exe
5820	msedge.exe
5772	msedge.exe
5772	msedge.exe
4792	msedge.exe
4792	msedge.exe
6508	msedge.exe
6508	msedge.exe
6632	msedge.exe
6632	msedge.exe
6668	msedge.exe
6668	msedge.exe
6520	msedge.exe
6520	msedge.exe
6680	msedge.exe
6680	msedge.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe
912	jopa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

jopa.exeach.exe

pid process

912 jopa.exe
1968 ach.exe

pid	process
912	jopa.exe
1968	ach.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

jopa.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	912	jopa.exe
Token: 33	7980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	7980	AUDIODG.EXE
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe
Token: 33	912	jopa.exe
Token: SeIncBasePriorityPrivilege	912	jopa.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

4792 msedge.exe
4792 msedge.exe
4792 msedge.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

wordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exe

pid	process
5176	wordpad.exe
1128	wordpad.exe
1128	wordpad.exe
5176	wordpad.exe
5176	wordpad.exe
1128	wordpad.exe
1128	wordpad.exe
1128	wordpad.exe
5176	wordpad.exe
5176	wordpad.exe
1352	wordpad.exe
1352	wordpad.exe
6004	wordpad.exe
1352	wordpad.exe
6004	wordpad.exe
6004	wordpad.exe
6004	wordpad.exe
6004	wordpad.exe
1352	wordpad.exe
1352	wordpad.exe
204	wordpad.exe
5648	wordpad.exe
204	wordpad.exe
204	wordpad.exe
444	wordpad.exe
4032	wordpad.exe
5648	wordpad.exe
5648	wordpad.exe
444	wordpad.exe
4032	wordpad.exe
444	wordpad.exe
4032	wordpad.exe
5300	wordpad.exe
5300	wordpad.exe
5300	wordpad.exe
204	wordpad.exe
204	wordpad.exe
444	wordpad.exe
444	wordpad.exe
5648	wordpad.exe
5648	wordpad.exe
4032	wordpad.exe
4032	wordpad.exe
5300	wordpad.exe
5300	wordpad.exe
2436	wordpad.exe
2436	wordpad.exe
2436	wordpad.exe
6748	wordpad.exe
6748	wordpad.exe
6748	wordpad.exe
2436	wordpad.exe
2436	wordpad.exe
4828	wordpad.exe
4828	wordpad.exe
4828	wordpad.exe
6748	wordpad.exe
6748	wordpad.exe
4828	wordpad.exe
4828	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

achwithrat.exeach.exe

description	pid	process	target process
PID 3416 wrote to memory of 912	3416	achwithrat.exe	jopa.exe
PID 3416 wrote to memory of 912	3416	achwithrat.exe	jopa.exe
PID 3416 wrote to memory of 912	3416	achwithrat.exe	jopa.exe
PID 3416 wrote to memory of 1968	3416	achwithrat.exe	ach.exe
PID 3416 wrote to memory of 1968	3416	achwithrat.exe	ach.exe
PID 3416 wrote to memory of 1968	3416	achwithrat.exe	ach.exe
PID 1968 wrote to memory of 2840	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2840	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2840	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2616	1968	ach.exe	2.exe
PID 1968 wrote to memory of 2616	1968	ach.exe	2.exe
PID 1968 wrote to memory of 2616	1968	ach.exe	2.exe
PID 1968 wrote to memory of 4132	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4132	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4132	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4536	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4536	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4536	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 5064	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 5064	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 5064	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4672	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4672	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4672	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4760	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4760	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4760	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2096	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2096	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2096	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4416	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4416	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4416	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2636	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2636	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 2636	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 5052	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 5052	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 5052	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4992	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4992	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4992	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4032	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4032	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 4032	1968	ach.exe	WScript.exe
PID 1968 wrote to memory of 524	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 524	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 524	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 308	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 308	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 308	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4440	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4440	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 4440	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 2376	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 2376	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 2376	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 1708	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 1708	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 1708	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 3296	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 3296	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 3296	1968	ach.exe	cmd.exe
PID 1968 wrote to memory of 1352	1968	ach.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\achwithrat.exe
"C:\Users\Admin\AppData\Local\Temp\achwithrat.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3416

C:\Program Files (x86)\skleika\jopa.exe
"C:\Program Files (x86)\skleika\jopa.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Program Files (x86)\skleika\jopa.exe" "jopa.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:6972

C:\Program Files (x86)\skleika\ach.exe
"C:\Program Files (x86)\skleika\ach.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2840

C:\Program Files (x86)\ach\2.exe
"C:\Program Files (x86)\ach\2.exe"
3⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
5⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
5⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
5⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
5⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
5⤵
PID:6696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
5⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
5⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
5⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
5⤵
PID:6896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
5⤵
PID:7204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
5⤵
PID:7288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
5⤵
PID:7360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:8
5⤵
PID:7540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
5⤵
PID:7632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6960 /prefetch:8
5⤵
PID:7916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1
5⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
5⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
5⤵
PID:5776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9384 /prefetch:1
5⤵
PID:7812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
5⤵
PID:7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:1
5⤵
PID:7044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=208 /prefetch:1
5⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10572 /prefetch:1
5⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10764 /prefetch:1
5⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
5⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1
5⤵
PID:8140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11632 /prefetch:8
5⤵
PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xdc,0xe8,0x230,0xe4,0x7ff78fcb5460,0x7ff78fcb5470,0x7ff78fcb5480
6⤵
PID:7464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11632 /prefetch:8
5⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7256 /prefetch:2
5⤵
PID:8188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10656 /prefetch:8
5⤵
PID:1228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:5064

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13499250928882308100,3959601836053173113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
5⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13499250928882308100,3959601836053173113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4760

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4416

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:2636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:5052

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4992

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4458425667433468036,6706303671467880665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
5⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4458425667433468036,6706303671467880665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8132369693608773544,1477373858467199819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
5⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8132369693608773544,1477373858467199819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1103359299444387983,4813453938945408690,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
5⤵
PID:6328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1103359299444387983,4813453938945408690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10400624292721426834,12386514199371669035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
5⤵
PID:6292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10400624292721426834,12386514199371669035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5808566381897417773,14418066006559455585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
3⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
4⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14650406839031013758,1373786542439042687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
4⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12322529326873274546,743237382425617120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:8144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:7648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:5432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:7776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:6072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
3⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
4⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:7676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:6316

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:6628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:6512

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:4808

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:6504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:3764

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:6348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:5972

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:6388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:1944

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:7892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:5244

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:5192

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:5124

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:5308

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:4480

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:6004

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:3272

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:6196

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:6208

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:2704

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:1048

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:1708

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\9.bat" "
3⤵
PID:6852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wipet.malwarewatch.org/
4⤵
PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:6644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
3⤵
PID:4224

C:\Windows\SysWOW64\regedit.exe
regedit.exe
4⤵
- Runs regedit.exe
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\12.bat" "
3⤵
PID:7588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/images/search?text=trollface
4⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
5⤵
PID:6088

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:6108

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:6944

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:4460

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:7580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:4120

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:5280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:3196

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:5324

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:7672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
3⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:2788

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:5060

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:1756

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:444

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:6424

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
3⤵
PID:5216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
3⤵
PID:5188

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:6960

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
6⤵
PID:5964

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:7100

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:6748

C:\Windows\SysWOW64\write.exe
write.exe
4⤵
PID:6316

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c8 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
1⤵
PID:6632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:7160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ach\1.vbs
Filesize
45B

MD5
7a89fc4808a599eca068d9d5d6da5c17

SHA1
34808a073a897f4eb2deaea3e74b8f33a3872776

SHA256
7d855d79426eca3e1fc8f6338c64a93bb90ecb51247f810c6e4414cbacbf5953

SHA512
dc6fa4265890133d4d003feafa7f6583cbcb7e1e9140babec14b65ebc704327abe4a4fb851e053b4bc889c1e12c8867dd6e1b26a78810bb7ed412aaa34b0b80e

Download Submit
C:\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Program Files (x86)\ach\3.bat
Filesize
62B

MD5
ea0164899b0262ea4949e2bcd9f31396

SHA1
91b698e4b13755fcb6d5ce0209a5b342185bc566

SHA256
0c39352ff971f6099cdf146ce566b70e089eb15db75a42b3ae8deb13fa771913

SHA512
cf9ba9b662dc107593cc66fe21b815bbf5b05651c0e4a50029f62ff16d64f8d63185d57c96cd6984141ca62310250b7af42ef56ea6249285c97c2d0aec0f3560

Download Submit
C:\Program Files (x86)\ach\4.bat
Filesize
83B

MD5
1acc850c1f9ad9dee5c12c9bd511bc19

SHA1
2786d0b2a6f3b1518f0ffcc31fd4d2466448f3dc

SHA256
136ca30e5e046d8cc399c5ae80fee4678723dabb84e0b33211c23e4457ab24d8

SHA512
db3eef765e8de29df99fda976d7ede5ec713a090f810a4a48430e2b1d11f54656a46c46e9cc691fa645212ecc742447f13d8429bcd32de318e5df460c74eb81d

Download Submit
C:\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\ach.exe
Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Program Files (x86)\skleika\jopa.exe
Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
40895a9a81c754270ecf27e770f8a8f8

SHA1
1ef5e576a362c41bbfb0f861279d4129f56c4341

SHA256
ffec123cce76fd50003407e0dc0027aec64e9981e55dfe292e1dbf95fa9d45d0

SHA512
b681780fe578d92402e21b0fc537f05a5a32aa42a6e39c9beb8d577d1a87299ec85dc4731bb3bd9b7d971e0a5fd38bdcdb2f357d4947c4a2b229e45f11809f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4014f80fa11396d569e680e59c3d486b

SHA1
7d2d8ba221d49519ad39adafa85e215189674036

SHA256
0e364f4c850da8e82d963624f6cf010e4a5b632f041263e31d1625721569bf14

SHA512
3970384f481c6260d212aec34c9a6bbc4a662e9dea6af01b42000dfd87debf52dc50a123d421f79eb575c6d5fb1693c26c50cf0b1b82400ac6fc41b94e6a269a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
84e5dc201a9b836ff8280ea2b6699d6e

SHA1
b0bab2725f0d49ff16a8e604ca1732fc8447cd57

SHA256
bf391b22e93b9cddee705d18359dbaf3e403e297f811ede9ca704bc6ac5f862c

SHA512
d4d932687dd9543ec47ccea10c10473514b3d2553694a369384d141a700a700b47919ed1da14b3dcc3e6945ff8d83e02f748ae5afacf565873075b240915d42a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ab59303319da10f530afa8dd5b7ea71b

SHA1
8e77cf689af5ce0bfe176a5d87145bb188b1a1e8

SHA256
4b35fca55afb2c3de3421ff2c68f9e57de6d0bb6cf7c081d944dfaf791181025

SHA512
17c75eca343c6145f36a6f72f764eaab17002a467fd8488bde18f62cd50e402d585f381480d3f5101a59c501f36c3605f8c88859e062c52aa5a41cdf1b0f5333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
68f47d3dbdf2f655422876594025e85b

SHA1
219ec095b3c7f8c05d6dbafa8d0b1f898c36a7d8

SHA256
754ab82ec78de856e3a2bdc7befaf9235da8b0c22d943de175d632df5121fee9

SHA512
c0633889a650528578320de2665dd5637761df6d3a36296cd131eae316038fef1565d976ccaabd43c5d50d2db181ce05cb3cbf43b3c39e49849eba1d81d491b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
85ee7ecd73caacb3e353d02ec161aa47

SHA1
12ed568dacbd81506ab57b0785f3f8c5a5eb59f6

SHA256
a1c8daa3515247789eeccc4f207d4e668152c51ed58e9aca131ce6fd00212da6

SHA512
eef3b1b6660afb938b952d3984d91b6dde9928f09042fc762ec4ea465d211d62ad93ec25cdef88c9ab99f0c16aba48f521b43ade87bc1aca676980747aac4152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
181c6090c63c996cf710c224d9f76817

SHA1
b17030a126bcb0eecb9af483b7ee0b8ddcb1121d

SHA256
800c61e2f29540223694a59aad889117c22d3da3c4f0d2d9862caa52825f98e5

SHA512
8f391c59816784b957a7e0f4d58c6fe3ea23c44a2d3489b20a25e6d447cab9ab85a58f63b5c7105e1df3dfca1912bf4f4ab5962202621bcf5bd0a0f65b2078bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7b679035c8e9587d48ef08dd1daca6fd

SHA1
51a2750744c8c2ea95d50d8696594591ce23245a

SHA256
3151521e38a983be084248ea1bc2ac0b3a94432cb442d93a79f0609b97b8ff61

SHA512
10db8478cd1b671a92d4996c078acfe3229f5aab9f0fd99d3c2f22c347e11908ee01156b51f59b726cb4b4963d2c4195c58bb7a2714573eb8ca2b02f81d9b3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
e4fe8305d3ae086053287c778c7a0ae7

SHA1
42aee8aa256d3c34da7c30d10e319b776a4fbc30

SHA256
da7564bbff42b61d436792e5a11517c6881b0acef0ad47e39c0cdd05fff12119

SHA512
13f1392a999876af039c954412273e6382651b5f1ca232b30f045ebdec7dd6b3518d8c68f0248319403a1eefd2af95b025142c8d0e7f75b64045366630fe4218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
4014f80fa11396d569e680e59c3d486b

SHA1
7d2d8ba221d49519ad39adafa85e215189674036

SHA256
0e364f4c850da8e82d963624f6cf010e4a5b632f041263e31d1625721569bf14

SHA512
3970384f481c6260d212aec34c9a6bbc4a662e9dea6af01b42000dfd87debf52dc50a123d421f79eb575c6d5fb1693c26c50cf0b1b82400ac6fc41b94e6a269a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ab59303319da10f530afa8dd5b7ea71b

SHA1
8e77cf689af5ce0bfe176a5d87145bb188b1a1e8

SHA256
4b35fca55afb2c3de3421ff2c68f9e57de6d0bb6cf7c081d944dfaf791181025

SHA512
17c75eca343c6145f36a6f72f764eaab17002a467fd8488bde18f62cd50e402d585f381480d3f5101a59c501f36c3605f8c88859e062c52aa5a41cdf1b0f5333

Download Submit
\??\pipe\LOCAL\crashpad_1492_CDQQZWUFTSLYWGRP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1620_CXKUHWPKJXBXNJRC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3372_AMCTIDCTTPHBXSEA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_428_CUCCWAXIFXKJRIUZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4768_CDJMZMRWEJQYQTQU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4792_PQYVOKOCQZXHMLFQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/308-154-0x0000000000000000-mapping.dmp

Download
memory/320-181-0x0000000000000000-mapping.dmp

Download
memory/428-166-0x0000000000000000-mapping.dmp

Download
memory/524-153-0x0000000000000000-mapping.dmp

Download
memory/868-169-0x0000000000000000-mapping.dmp

Download
memory/912-130-0x0000000000000000-mapping.dmp

Download
memory/912-146-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/912-266-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/1300-256-0x0000000000000000-mapping.dmp

Download
memory/1352-159-0x0000000000000000-mapping.dmp

Download
memory/1492-167-0x0000000000000000-mapping.dmp

Download
memory/1620-173-0x0000000000000000-mapping.dmp

Download
memory/1708-157-0x0000000000000000-mapping.dmp

Download
memory/1776-175-0x0000000000000000-mapping.dmp

Download
memory/1916-168-0x0000000000000000-mapping.dmp

Download
memory/1968-132-0x0000000000000000-mapping.dmp

Download
memory/2096-145-0x0000000000000000-mapping.dmp

Download
memory/2376-156-0x0000000000000000-mapping.dmp

Download
memory/2616-137-0x0000000000000000-mapping.dmp

Download
memory/2636-149-0x0000000000000000-mapping.dmp

Download
memory/2660-179-0x0000000000000000-mapping.dmp

Download
memory/2840-136-0x0000000000000000-mapping.dmp

Download
memory/3112-177-0x0000000000000000-mapping.dmp

Download
memory/3296-158-0x0000000000000000-mapping.dmp

Download
memory/3372-172-0x0000000000000000-mapping.dmp

Download
memory/4032-152-0x0000000000000000-mapping.dmp

Download
memory/4132-139-0x0000000000000000-mapping.dmp

Download
memory/4240-162-0x0000000000000000-mapping.dmp

Download
memory/4320-174-0x0000000000000000-mapping.dmp

Download
memory/4352-254-0x0000000000000000-mapping.dmp

Download
memory/4380-164-0x0000000000000000-mapping.dmp

Download
memory/4412-176-0x0000000000000000-mapping.dmp

Download
memory/4416-147-0x0000000000000000-mapping.dmp

Download
memory/4440-155-0x0000000000000000-mapping.dmp

Download
memory/4472-252-0x0000000000000000-mapping.dmp

Download
memory/4536-141-0x0000000000000000-mapping.dmp

Download
memory/4672-143-0x0000000000000000-mapping.dmp

Download
memory/4760-144-0x0000000000000000-mapping.dmp

Download
memory/4768-161-0x0000000000000000-mapping.dmp

Download
memory/4780-186-0x0000000000000000-mapping.dmp

Download
memory/4792-163-0x0000000000000000-mapping.dmp

Download
memory/4964-180-0x0000000000000000-mapping.dmp

Download
memory/4992-151-0x0000000000000000-mapping.dmp

Download
memory/5052-150-0x0000000000000000-mapping.dmp

Download
memory/5064-142-0x0000000000000000-mapping.dmp

Download
memory/5196-224-0x0000000000000000-mapping.dmp

Download
memory/5640-204-0x0000000000000000-mapping.dmp

Download
memory/5676-205-0x0000000000000000-mapping.dmp

Download
memory/5688-206-0x0000000000000000-mapping.dmp

Download
memory/5700-207-0x0000000000000000-mapping.dmp

Download
memory/5744-208-0x0000000000000000-mapping.dmp

Download
memory/5760-209-0x0000000000000000-mapping.dmp

Download
memory/5772-210-0x0000000000000000-mapping.dmp

Download
memory/5800-216-0x0000000000000000-mapping.dmp

Download
memory/5820-213-0x0000000000000000-mapping.dmp

Download
memory/6292-231-0x0000000000000000-mapping.dmp

Download
memory/6328-232-0x0000000000000000-mapping.dmp

Download
memory/6376-235-0x0000000000000000-mapping.dmp

Download
memory/6508-233-0x0000000000000000-mapping.dmp

Download
memory/6520-234-0x0000000000000000-mapping.dmp

Download
memory/6632-236-0x0000000000000000-mapping.dmp

Download
memory/6668-237-0x0000000000000000-mapping.dmp

Download
memory/6680-238-0x0000000000000000-mapping.dmp

Download
memory/6696-241-0x0000000000000000-mapping.dmp

Download
memory/6896-250-0x0000000000000000-mapping.dmp

Download
memory/6972-249-0x0000000000000000-mapping.dmp

Download