Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 14-07-2022 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: achwithrat.exe
  Resource: win7-20220414-en
General
  Target: achwithrat.exe
  Size: 1020KB
  MD5: e409c85a0d1dcf43d2ed11c436e9aabe
  SHA1: a221ecf82df1650b6a34b15cfcf052581d316aa6
  SHA256: 41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
  SHA512: 9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828
Malware Config
Extracted
  Family: njrat
  Version: im523
  Botnet: gay
  C2: 4.tcp.eu.ngrok.io:10296
  Identifier (unlabeled in the report; the same value is the reg_key below): f61a5d905ecbb8c8be462972af515144
  reg_key: f61a5d905ecbb8c8be462972af515144
  splitter: |'|'|
Note: 4.tcp.eu.ngrok.io is an ngrok TCP tunnel endpoint, so the C2 address resolves to ngrok infrastructure and hides the operator's real host; the port is assigned per tunnel session and will change. The stable indicators are the ngrok hostname pattern, the reg_key value (reused as the Run value name and the Startup file name below) and the splitter on the wire.
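The splitter and the "(ll)" in the Suricata rule name below are the two things a network analyst can key on. As an added example (not part of this sandbox report and not njRAT's own code), the following Python splits an njRAT-style TCP stream into frames and parses the registration message with the splitter from the config above. It assumes njRAT's length-prefixed framing (decimal length, NUL byte, payload) and the registration layout of an "ll" command followed by a base64 victim id; the sample stream, the "HacKed_DESKTOP-1234" victim name and the field values are constructed for the demo.

```python
import base64

# Values from the extracted config above
SPLITTER = "|'|'|"
C2 = ("4.tcp.eu.ngrok.io", 10296)


def frame(payload: bytes) -> bytes:
    """njRAT framing (assumed): decimal payload length, a NUL byte, then the payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def unframe(stream: bytes):
    """Split a TCP stream into complete frames; return (frames, leftover bytes)."""
    frames, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul == -1:
            break
        n = int(stream[i:nul])  # ValueError on a non-decimal prefix: not this framing
        start, end = nul + 1, nul + 1 + n
        if end > len(stream):
            break  # incomplete frame, wait for more data
        frames.append(stream[start:end])
        i = end
    return frames, stream[i:]


def is_registration(payload: bytes) -> bool:
    """The client's first message is the 'll' command followed by the splitter;
    that token is what the '(ll)' Suricata rule name refers to."""
    return payload.startswith(b"ll" + SPLITTER.encode())


def parse_message(payload: bytes) -> dict:
    """Split a frame on the configured splitter; decode the victim id of a registration."""
    fields = payload.decode("utf-8", "replace").split(SPLITTER)
    msg = {"cmd": fields[0], "fields": fields[1:]}
    if msg["cmd"] == "ll" and len(fields) > 1:
        try:  # second field of the registration is the base64 victim id (assumed layout)
            msg["victim_id"] = base64.b64decode(fields[1]).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            msg["victim_id"] = None
    return msg


# Constructed sample stream: a registration, a short 'inf' command, and a partial frame
VICTIM_ID = base64.b64encode(b"HacKed_DESKTOP-1234").decode()
REGISTRATION = SPLITTER.join(
    ["ll", VICTIM_ID, "DESKTOP-1234", "Admin", "22-07-14", "", "Win 10", "No", "im523", ".."]
).encode()
SAMPLE_STREAM = frame(REGISTRATION) + frame(b"inf") + b"7\x00inc"


def demo():
    """Parse the constructed stream; the trailing partial frame is returned as leftover."""
    frames, leftover = unframe(SAMPLE_STREAM)
    return [parse_message(f) for f in frames], leftover


if __name__ == "__main__":
    print(demo())
```

Run it against a pcap payload by replacing SAMPLE_STREAM with the reassembled client-to-server bytes of the flow to port 10296; the version string "im523" from the config shows up as a plain field, which is why a splitter-based parser is more robust than matching on the C2 address.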
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (fired twice)
Executes dropped EXE (3 IoCs)
Processes:
  PID 912   jopa.exe
  PID 1968  ach.exe
  PID 2616  2.exe
Modifies Windows Firewall (1 TTP, 1 IoC; the netsh command is shown in the process tree below)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence. Caveat: both processes that query it here also drop a __tmp_rar_sfx_access_check_* file (see "Drops file in Program Files directory"), the marker of a WinRAR self-extracting archive, so the lookup may come from the SFX stub's own localisation code rather than from a deliberate check by the payload.
Processes:
  Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  achwithrat.exe
  Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  ach.exe
Drops startup file (2 IoCs)
Processes:
  File created                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe  jopa.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe  jopa.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."  jopa.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."  jopa.exe
  Key created     \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run  msedge.exe
Only the two jopa.exe entries set a value; the value name is the config reg_key, the same identifier used for the Startup-folder file, and the trailing " .." argument is njRAT's usual restart marker. The msedge.exe entry merely opens/creates the Run key without writing a value and is browser noise.
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
  File created                 C:\autorun.inf  jopa.exe
  File opened for modification C:\autorun.inf  jopa.exe
  File created                 D:\autorun.inf  jopa.exe
Drops file in Program Files directory (35 IoCs)
Processes (grouped by writing process):
  ach.exe (26): creates and then opens for modification each of C:\Program Files (x86)\ach\{1.vbs, 2.exe, 3.bat, 4.bat, 5.png, 6.bat, 7.bat, 8.bat, 9.bat, 10.png, 11.vbs, 12.bat}; opens C:\Program Files (x86)\ach for modification; creates C:\Program Files (x86)\ach\__tmp_rar_sfx_access_check_240543859
  achwithrat.exe (6): opens C:\Program Files (x86)\skleika for modification; creates and opens for modification C:\Program Files (x86)\skleika\jopa.exe and C:\Program Files (x86)\skleika\ach.exe; creates C:\Program Files (x86)\skleika\__tmp_rar_sfx_access_check_240542953
  jopa.exe (1): opens C:\Program Files (x86)\skleika\jopa.exe for modification
  setup.exe (2, Edge installer noise): opens C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220714234829.pma for modification; creates C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f1b30ab8-6631-4c81-b206-71bf1ccce3c8.tmp
The __tmp_rar_sfx_access_check_* files are written by the WinRAR SFX stub when it tests whether the extraction directory is writable, so both achwithrat.exe and ach.exe are self-extracting archives.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this sample it is consistent with njRAT's removable-drive spreading (jopa.exe writes autorun.inf to the C: and D: roots, above), and no encryption activity is reported anywhere in the run.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  Key opened        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class (2 IoCs)
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  msedge.exe
  Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings  ach.exe
Runs regedit.exe (10 IoCs)
Processes:
  regedit.exe PIDs 4860, 1980, 4524, 6388, 6348, 6504, 6628, 7892, 4452, 2276
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  msedge.exe PIDs 5760, 5744, 5820, 5772, 4792, 6508, 6632, 6668, 6520, 6680 (2 events each)
  jopa.exe PID 912 (44 events)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  PID 912   jopa.exe
  PID 1968  ach.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (22 IoCs)
Processes:
  msedge.exe PID 4792 (22 events)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
  jopa.exe PID 912: Token: SeDebugPrivilege (1 event), then 16 pairs of Token: 33 / Token: SeIncBasePriorityPrivilege (32 events)
  AUDIODG.EXE PID 7980: Token: 33, Token: SeIncBasePriorityPrivilege (2 events; Windows audio service noise)
Privilege value 33 is SeIncreaseWorkingSetPrivilege. The SeDebugPrivilege request by jopa.exe is the entry worth attention; the repeated 33 / SeIncBasePriorityPrivilege pairs also appear in the benign AUDIODG.EXE and are not by themselves a malicious signal.
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  msedge.exe PID 4792 (3 events)
Suspicious use of SetWindowsHookEx (60 IoCs)
Processes:
  wordpad.exe PIDs 5176, 1128, 1352, 6004, 204, 5648, 444, 4032, 5300, 2436, 6748, 4828 (5 events each; these WordPad instances do not appear in the truncated process tree below)
Suspicious use of WriteProcessMemory (64 IoCs; the list is cut off at 64)
Processes:
  achwithrat.exe PID 3416 wrote to: jopa.exe PID 912 (3 events); ach.exe PID 1968 (3 events)
  ach.exe PID 1968 wrote to: WScript.exe PIDs 2840, 5064, 4672, 4760, 2096, 4416, 2636, 5052, 4992, 4032 (3 events each); 2.exe PID 2616 (3 events); cmd.exe PIDs 4132, 4536, 524, 308, 4440, 2376, 1708, 3296 (3 events each) and 1352 (1 event before the cut-off)
Each group of three writes from a parent into a process it has just created is the usual footprint of CreateProcess setting up a child, so these entries document the SFX archives spawning their numbered scripts rather than code injection into a foreign process.
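The behaviours above that matter for detection all belong to jopa.exe: a Run value and a Startup-folder file that share one 32-hex identifier, autorun.inf written to drive roots, and a netsh firewall exception for its own path. As an added example (not part of this report and not the sandbox's own logic), the Python below expresses that chain as detection logic over constructed Sysmon-style events. The event dictionaries, field names ("type", "image", "target", "parent_image", "command_line") and the benign "C:\Program Files\Game\launcher.exe" are assumptions made for the demo; the paths and identifier mirror the report's IoCs.

```python
import re
from collections import defaultdict

# Behaviour chain from the report: Run value and Startup file named with the same
# 32-hex identifier, autorun.inf at drive roots, and a netsh firewall exception.
HEX32 = r"([0-9a-f]{32})"
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\" + HEX32 + r"$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\" + HEX32 + r"\.exe$", re.I)
AUTORUN_RE = re.compile(r"^([A-Z]):\\autorun\.inf$", re.I)
NETSH_RE = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def collect(events):
    """Bucket matching events by the image responsible for them."""
    by_image = defaultdict(lambda: defaultdict(set))
    for ev in events:
        kind, target = ev["type"], ev.get("target", "")
        if kind == "RegistryValueSet" and (m := RUN_VALUE_RE.search(target)):
            by_image[ev["image"]]["run_value"].add(m.group(1).lower())
        elif kind == "FileCreate" and (m := STARTUP_RE.search(target)):
            by_image[ev["image"]]["startup"].add(m.group(1).lower())
        elif kind == "FileCreate" and (m := AUTORUN_RE.match(target)):
            by_image[ev["image"]]["autorun"].add(m.group(1).upper())
        elif kind == "ProcessCreate" and (m := NETSH_RE.search(ev.get("command_line", ""))):
            # attribute the firewall exception to the parent that launched netsh
            by_image[ev["parent_image"]]["fw_allow"].add(m.group(1) or m.group(2))
    return by_image


def verdicts(by_image):
    """njRAT-like: Run value plus firewall exception, corroborated by a Startup drop
    with the same identifier or by autorun.inf at a drive root. A lone firewall
    exception (installers and games do this) is not enough."""
    out = {}
    for image, f in by_image.items():
        shared_id = f["run_value"] & f["startup"]
        out[image] = {
            "njrat_like": bool(f["run_value"]) and bool(f["fw_allow"]) and bool(shared_id or f["autorun"]),
            "id": sorted(shared_id),
            "drives": sorted(f["autorun"]),
            "fw_allow": sorted(f["fw_allow"]),
        }
    return out


# Constructed events mirroring the report (hypothetical Sysmon-style field names)
ID = "f61a5d905ecbb8c8be462972af515144"
JOPA = r"C:\Program Files (x86)\skleika\jopa.exe"
SID = r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"
LAUNCHER = r"C:\Program Files\Game\launcher.exe"  # hypothetical benign program

SAMPLE_EVENTS = [
    {"type": "RegistryValueSet", "image": JOPA,
     "target": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" + "\\" + ID},
    {"type": "RegistryValueSet", "image": JOPA,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\" + ID},
    {"type": "FileCreate", "image": JOPA,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\" + ID + ".exe"},
    {"type": "FileCreate", "image": JOPA, "target": r"C:\autorun.inf"},
    {"type": "FileCreate", "image": JOPA, "target": r"D:\autorun.inf"},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": JOPA,
     "command_line": f'netsh firewall add allowedprogram "{JOPA}" "jopa.exe" ENABLE'},
    # Edge only creates the Run key without setting a value: must not be flagged
    {"type": "RegistryKeyCreate", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"},
    # a program adding a firewall exception for itself with no other persistence: must not be flagged
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe", "parent_image": LAUNCHER,
     "command_line": f'netsh firewall add allowedprogram "{LAUNCHER}" "Launcher" ENABLE'},
]

if __name__ == "__main__":
    for image, result in verdicts(collect(SAMPLE_EVENTS)).items():
        print(image, result)
```

The identifier is matched generically as 32 hex characters rather than as the literal reg_key, because njRAT builds a fresh value per build; pinning the rule to f61a5d905ecbb8c8be462972af515144 would catch only this sample. Note also that `netsh firewall` is the deprecated pre-Vista context, which Windows still honours; the `netsh advfirewall firewall add rule` form is a second variant worth adding to NETSH_RE in production.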
Processes
Summary: achwithrat.exe is a WinRAR self-extracting archive that drops two payloads into C:\Program Files (x86)\skleika. jopa.exe is the njRAT client (Run key, Startup file, autorun.inf, netsh firewall exception); ach.exe is a second SFX that unpacks numbered .vbs/.bat/.exe files and runs them, which is where the regedit.exe, wordpad.exe and Edge activity in the signatures comes from. Everything under msedge.exe is the browser's own child processes opened by 3.bat. Tree depth is shown in brackets.

[1] C:\Users\Admin\AppData\Local\Temp\achwithrat.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\achwithrat.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\skleika\jopa.exe
      cmd: "C:\Program Files (x86)\skleika\jopa.exe"
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\netsh.exe
        cmd: netsh firewall add allowedprogram "C:\Program Files (x86)\skleika\jopa.exe" "jopa.exe" ENABLE
        - Modifies Windows Firewall
  [2] C:\Program Files (x86)\skleika\ach.exe
      cmd: "C:\Program Files (x86)\skleika\ach.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    [3] C:\Program Files (x86)\ach\2.exe
        cmd: "C:\Program Files (x86)\ach\2.exe"
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
          - Adds Run key to start application
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
        (the Edge child processes below, depth 5 and 6, are the browser's own crashpad, renderer, utility, GPU and installer processes)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a35747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6960 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9384 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10360 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=208 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10572 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10764 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11632 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xdc,0xe8,0x230,0xe4,0x7ff78fcb5460,0x7ff78fcb5470,0x7ff78fcb54806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11632 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7256 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2180,1880399736555379150,9451554321877683121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10656 /prefetch:85⤵
-
    [3] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    [3] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a35747185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13499250928882308100,3959601836053173113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13499250928882308100,3959601836053173113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4458425667433468036,6706303671467880665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4458425667433468036,6706303671467880665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8132369693608773544,1477373858467199819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8132369693608773544,1477373858467199819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1103359299444387983,4813453938945408690,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1103359299444387983,4813453938945408690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10400624292721426834,12386514199371669035,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10400624292721426834,12386514199371669035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5808566381897417773,14418066006559455585,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14650406839031013758,1373786542439042687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12322529326873274546,743237382425617120,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\9.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wipet.malwarewatch.org/
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
      - C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe
        - Runs regedit.exe
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\12.bat" "
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/images/search?text=trollface
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
          - C:\Windows\splwow64.exe
            Command line: C:\Windows\splwow64.exe 12288
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\write.exe
        Command line: write.exe
        - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
          Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
          - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4c8 0x4fc
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a35746f8,0x7ff8a3574708,0x7ff8a3574718
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\ach\1.vbs
  Filesize: 45B
  MD5: 7a89fc4808a599eca068d9d5d6da5c17
  SHA1: 34808a073a897f4eb2deaea3e74b8f33a3872776
  SHA256: 7d855d79426eca3e1fc8f6338c64a93bb90ecb51247f810c6e4414cbacbf5953
  SHA512: dc6fa4265890133d4d003feafa7f6583cbcb7e1e9140babec14b65ebc704327abe4a4fb851e053b4bc889c1e12c8867dd6e1b26a78810bb7ed412aaa34b0b80e
- C:\Program Files (x86)\ach\2.exe
  Filesize: 2.3MB
  MD5: 5134f289dbf4abae370e3f36b637b73e
  SHA1: c78d3f2d00dc47da0112a74df665c7a84a8e32c3
  SHA256: e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2
  SHA512: 0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5
- C:\Program Files (x86)\ach\3.bat
  Filesize: 62B
  MD5: ea0164899b0262ea4949e2bcd9f31396
  SHA1: 91b698e4b13755fcb6d5ce0209a5b342185bc566
  SHA256: 0c39352ff971f6099cdf146ce566b70e089eb15db75a42b3ae8deb13fa771913
  SHA512: cf9ba9b662dc107593cc66fe21b815bbf5b05651c0e4a50029f62ff16d64f8d63185d57c96cd6984141ca62310250b7af42ef56ea6249285c97c2d0aec0f3560
- C:\Program Files (x86)\ach\4.bat
  Filesize: 83B
  MD5: 1acc850c1f9ad9dee5c12c9bd511bc19
  SHA1: 2786d0b2a6f3b1518f0ffcc31fd4d2466448f3dc
  SHA256: 136ca30e5e046d8cc399c5ae80fee4678723dabb84e0b33211c23e4457ab24d8
  SHA512: db3eef765e8de29df99fda976d7ede5ec713a090f810a4a48430e2b1d11f54656a46c46e9cc691fa645212ecc742447f13d8429bcd32de318e5df460c74eb81d
- C:\Program Files (x86)\skleika\ach.exe
  Filesize: 837KB
  MD5: ab4470038abfcf2550f50cb94537165e
  SHA1: 2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0
  SHA256: 7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9
  SHA512: b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4
- C:\Program Files (x86)\skleika\jopa.exe
  Filesize: 37KB
  MD5: 36e59be3c751683fc142c0ebd8d6a71d
  SHA1: 1e9632a2173588f606e6a354cdcbeddc91ab2c78
  SHA256: 3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c
  SHA512: e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: a18a109bb6cb1cc7f81791a89eb27564
  SHA1: 44f4dd33c5fe31d3137439f1786d7f9a81167f03
  SHA256: f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
  SHA512: 31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD540895a9a81c754270ecf27e770f8a8f8
SHA11ef5e576a362c41bbfb0f861279d4129f56c4341
SHA256ffec123cce76fd50003407e0dc0027aec64e9981e55dfe292e1dbf95fa9d45d0
SHA512b681780fe578d92402e21b0fc537f05a5a32aa42a6e39c9beb8d577d1a87299ec85dc4731bb3bd9b7d971e0a5fd38bdcdb2f357d4947c4a2b229e45f11809f0d
-