njrat | 41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6

Analysis

max time kernel
49s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

achwithrat.exe
Size

1020KB
MD5

e409c85a0d1dcf43d2ed11c436e9aabe
SHA1

a221ecf82df1650b6a34b15cfcf052581d316aa6
SHA256

41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
SHA512

9ff191e371c097fdc9627ee817c6a774e24b880fc09a4e41faf37cfc4046e9c499cf2f14f9e720f71c288cc70cd3e4664c68c39df6aceeefe57aecd24022e828

Score

10^/10

njrat gay evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

gay

4.tcp.eu.ngrok.io:10296

Mutex

f61a5d905ecbb8c8be462972af515144

Attributes

reg_key
f61a5d905ecbb8c8be462972af515144
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
suricata
Executes dropped EXE 3 IoCs

Processes:

jopa.exeach.exe2.exe

pid process

3156 jopa.exe
1384 ach.exe
4032 2.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2768 netsh.exe

pid	process
3156	jopa.exe
1384	ach.exe
4032	2.exe

pid	process
2768	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

achwithrat.exeach.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	achwithrat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	ach.exe

Drops startup file 2 IoCs

Processes:

jopa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	jopa.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f61a5d905ecbb8c8be462972af515144.exe	jopa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jopa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."	jopa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\f61a5d905ecbb8c8be462972af515144 = "\"C:\\Program Files (x86)\\skleika\\jopa.exe\" .."	jopa.exe

Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

jopa.exe

description ioc process

File created C:\autorun.inf jopa.exe
File opened for modification C:\autorun.inf jopa.exe
File created D:\autorun.inf jopa.exe

description	ioc	process
File created	C:\autorun.inf	jopa.exe
File opened for modification	C:\autorun.inf	jopa.exe
File created	D:\autorun.inf	jopa.exe

Drops file in Program Files directory 33 IoCs

Processes:

ach.exejopa.exeachwithrat.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\4.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\6.bat	ach.exe
File created	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\jopa.exe	jopa.exe
File opened for modification	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\10.png	ach.exe
File created	C:\Program Files (x86)\ach\1.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\ach\12.bat	ach.exe
File created	C:\Program Files (x86)\ach\12.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\1.vbs	ach.exe
File created	C:\Program Files (x86)\ach\3.bat	ach.exe
File created	C:\Program Files (x86)\ach\8.bat	ach.exe
File created	C:\Program Files (x86)\skleika\__tmp_rar_sfx_access_check_240554265	achwithrat.exe
File created	C:\Program Files (x86)\skleika\ach.exe	achwithrat.exe
File created	C:\Program Files (x86)\ach\__tmp_rar_sfx_access_check_240555234	ach.exe
File created	C:\Program Files (x86)\ach\4.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\8.bat	ach.exe
File created	C:\Program Files (x86)\ach\9.bat	ach.exe
File created	C:\Program Files (x86)\ach\11.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe
File opened for modification	C:\Program Files (x86)\ach\9.bat	ach.exe
File opened for modification	C:\Program Files (x86)\skleika	achwithrat.exe
File created	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\6.bat	ach.exe
File created	C:\Program Files (x86)\ach\7.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\7.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\11.vbs	ach.exe
File created	C:\Program Files (x86)\skleika\jopa.exe	achwithrat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

ach.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	ach.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs regedit.exe 10 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
6788	regedit.exe
6328	regedit.exe
6668	regedit.exe
6364	regedit.exe
6448	regedit.exe
6524	regedit.exe
6532	regedit.exe
6560	regedit.exe
5740	regedit.exe
6292	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exejopa.exe

pid	process
5016	msedge.exe
5016	msedge.exe
1172	msedge.exe
1172	msedge.exe
3692	msedge.exe
3692	msedge.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe
3156	jopa.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ach.exejopa.exe

pid process

1384 ach.exe
3156 jopa.exe

pid	process
1384	ach.exe
3156	jopa.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

jopa.exe

description	pid	process
Token: SeDebugPrivilege	3156	jopa.exe
Token: 33	3156	jopa.exe
Token: SeIncBasePriorityPrivilege	3156	jopa.exe
Token: 33	3156	jopa.exe
Token: SeIncBasePriorityPrivilege	3156	jopa.exe
Token: 33	3156	jopa.exe
Token: SeIncBasePriorityPrivilege	3156	jopa.exe
Token: 33	3156	jopa.exe
Token: SeIncBasePriorityPrivilege	3156	jopa.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3692 msedge.exe
3692 msedge.exe
3692 msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

wordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exe

pid	process
6396	wordpad.exe
7164	wordpad.exe
6396	wordpad.exe
6396	wordpad.exe
7164	wordpad.exe
7164	wordpad.exe
7164	wordpad.exe
7164	wordpad.exe
6396	wordpad.exe
6396	wordpad.exe
5052	wordpad.exe
5052	wordpad.exe
5052	wordpad.exe
7016	wordpad.exe
7016	wordpad.exe
7016	wordpad.exe
5052	wordpad.exe
5052	wordpad.exe
7016	wordpad.exe
7016	wordpad.exe
7384	wordpad.exe
7384	wordpad.exe
7384	wordpad.exe
7416	wordpad.exe
7416	wordpad.exe
7416	wordpad.exe
7596	wordpad.exe
7580	wordpad.exe
7416	wordpad.exe
7416	wordpad.exe
7384	wordpad.exe
7384	wordpad.exe
7596	wordpad.exe
7580	wordpad.exe
7580	wordpad.exe
7596	wordpad.exe
7944	wordpad.exe
7944	wordpad.exe
7944	wordpad.exe
8016	wordpad.exe
8016	wordpad.exe
8016	wordpad.exe
8056	wordpad.exe
8056	wordpad.exe
8056	wordpad.exe
7596	wordpad.exe
7596	wordpad.exe
7580	wordpad.exe
7580	wordpad.exe
8144	wordpad.exe
8144	wordpad.exe
8144	wordpad.exe
6472	wordpad.exe
6472	wordpad.exe
6472	wordpad.exe
5224	wordpad.exe
7204	wordpad.exe
6788	wordpad.exe
6712	wordpad.exe
7204	wordpad.exe
6788	wordpad.exe
7204	wordpad.exe
6788	wordpad.exe
6712	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

achwithrat.exeach.exe

description	pid	process	target process
PID 728 wrote to memory of 3156	728	achwithrat.exe	jopa.exe
PID 728 wrote to memory of 3156	728	achwithrat.exe	jopa.exe
PID 728 wrote to memory of 3156	728	achwithrat.exe	jopa.exe
PID 728 wrote to memory of 1384	728	achwithrat.exe	ach.exe
PID 728 wrote to memory of 1384	728	achwithrat.exe	ach.exe
PID 728 wrote to memory of 1384	728	achwithrat.exe	ach.exe
PID 1384 wrote to memory of 2452	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 2452	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 2452	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4032	1384	ach.exe	2.exe
PID 1384 wrote to memory of 4032	1384	ach.exe	2.exe
PID 1384 wrote to memory of 4032	1384	ach.exe	2.exe
PID 1384 wrote to memory of 1352	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1352	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1352	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 3912	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 3912	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 3912	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 3420	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3420	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3420	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4796	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4796	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4796	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3056	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3056	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3056	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 1168	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 1168	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 1168	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4532	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4532	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4532	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4988	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4988	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4988	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4804	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4804	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 4804	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3520	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3520	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 3520	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 2224	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 2224	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 2224	1384	ach.exe	WScript.exe
PID 1384 wrote to memory of 1972	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1972	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1972	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 2088	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 2088	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 2088	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 964	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 964	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 964	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 5004	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 5004	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 5004	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 556	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 556	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 556	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	ach.exe	cmd.exe
PID 1384 wrote to memory of 3388	1384	ach.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\achwithrat.exe
"C:\Users\Admin\AppData\Local\Temp\achwithrat.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\skleika\jopa.exe
  "C:\Program Files (x86)\skleika\jopa.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Program Files (x86)\skleika\jopa.exe" "jopa.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2768
- C:\Program Files (x86)\skleika\ach.exe
  "C:\Program Files (x86)\skleika\ach.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:2452
- - C:\Program Files (x86)\ach\2.exe
    "C:\Program Files (x86)\ach\2.exe"
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
    3⤵
    PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:3692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:1996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
        5⤵
        
        PID:4732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
        5⤵
        
        PID:3060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
        5⤵
        
        PID:5408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
        5⤵
        
        PID:5216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 /prefetch:8
        5⤵
        
        PID:5596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
        5⤵
        
        PID:6008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
        5⤵
        
        PID:6096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1
        5⤵
        
        PID:4312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
        5⤵
        
        PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
        5⤵
        
        PID:240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5172 /prefetch:8
        5⤵
        
        PID:3320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
        5⤵
        
        PID:5620
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
        5⤵
        
        PID:2384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:1
        5⤵
        
        PID:7092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
        5⤵
        
        PID:948
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8904 /prefetch:1
        5⤵
        
        PID:4144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1
        5⤵
        
        PID:6800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9228 /prefetch:1
        5⤵
        
        PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
        5⤵
        
        PID:6636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9464 /prefetch:1
        5⤵
        
        PID:7140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10304 /prefetch:8
        5⤵
        
        PID:6852
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        5⤵
        
        PID:764
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff616755460,0x7ff616755470,0x7ff616755480
        6⤵
        
        PID:8000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10304 /prefetch:8
        5⤵
        
        PID:876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
        5⤵
        
        PID:8216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
        5⤵
        
        PID:6744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
        5⤵
        
        PID:4328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
        5⤵
        
        PID:7676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9772 /prefetch:1
        5⤵
        
        PID:8704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9400 /prefetch:1
        5⤵
        
        PID:5460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
        5⤵
        
        PID:1580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1
        5⤵
        
        PID:1156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
        5⤵
        
        PID:6524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
        5⤵
        
        PID:6644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
        5⤵
        
        PID:6316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12608040035859985384,8025578320620568644,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8796 /prefetch:2
        5⤵
        
        PID:7860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
    3⤵
    PID:3912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
      4⤵
      PID:3340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:1792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4644941000965336816,18243454064434689654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        5⤵
        
        PID:1868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4644941000965336816,18243454064434689654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
    3⤵
    PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
      4⤵
      PID:4092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
    3⤵
    PID:2088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
      4⤵
      PID:5532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
    3⤵
    PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
      4⤵
      PID:2976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
    3⤵
    PID:5004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
      4⤵
      PID:5244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
    3⤵
    PID:556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
      4⤵
      PID:5456
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
    3⤵
    PID:1136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
      4⤵
      PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
    3⤵
    PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
      4⤵
      PID:5524
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
    3⤵
    PID:4880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
      4⤵
      PID:6928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:6960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
    3⤵
    PID:984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
      4⤵
      PID:6632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:6724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
    3⤵
    PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
      4⤵
      PID:6428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:4464
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:5740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:5248
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:4544
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:520
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:5052
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:5468
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:6800
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7164
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:3448
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7016
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:3212
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:3112
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:6808
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6396
      - C:\Windows\splwow64.exe
        
        C:\Windows\splwow64.exe 12288
        6⤵
        
        PID:7284
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:6856
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5052
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:6724
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
    3⤵
    PID:1232
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe
      4⤵
      Runs regedit.exe
      PID:6668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\9.bat" "
    3⤵
    PID:3092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wipet.malwarewatch.org/
      4⤵
      PID:3772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:4712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\12.bat" "
    3⤵
    PID:4888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/images/search?text=trollface
      4⤵
      PID:6764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
        5⤵
        
        PID:5744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:6236
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6316
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:6568
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:6880
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
    3⤵
    PID:6772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:7036
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:4504
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7580
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7728
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8016
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:4696
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7244
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7596
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7740
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8056
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:3872
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:6704
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7896
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:5280
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7704
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6280
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7840
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:7000
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7852
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6712
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7780
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:4980
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:1340
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:7080
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7840
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8144
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7260
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7044
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7280
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:6984
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7868
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6472
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7748
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7496
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8132
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:6872
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7700
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7944
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8152
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:3812
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:6196
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:7100
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7860
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6788
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7736
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6824
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:240
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:5540
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7832
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7204
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7272
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7380
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7988
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:5000
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7532
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:5844
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8344
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8704
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:5460
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:1612
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7900
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7128
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8296
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8648
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:6560
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7496
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7888
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:3872
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8284
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8640
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:5284
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:7876
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5224
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:2208
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:6476
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:5000
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
    3⤵
    PID:3864
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:4688
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:7756
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:4508
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8312
  - - C:\Windows\SysWOW64\write.exe
      write.exe
      4⤵
      PID:8368
    - - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
        5⤵
        
        PID:8756
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:7212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
    3⤵
    PID:7620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x80,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8bb6f46f8,0x7ff8bb6f4708,0x7ff8bb6f4718
1⤵
PID:4464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:9160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ach\1.vbs

Filesize
45B

MD5
7a89fc4808a599eca068d9d5d6da5c17

SHA1
34808a073a897f4eb2deaea3e74b8f33a3872776

SHA256
7d855d79426eca3e1fc8f6338c64a93bb90ecb51247f810c6e4414cbacbf5953

SHA512
dc6fa4265890133d4d003feafa7f6583cbcb7e1e9140babec14b65ebc704327abe4a4fb851e053b4bc889c1e12c8867dd6e1b26a78810bb7ed412aaa34b0b80e

Download Submit
C:\Program Files (x86)\ach\11.vbs

Filesize
107B

MD5
1b57e67e22f90b8a31e757997940f875

SHA1
7a67253b2b108070b8061855a9fb6d7ef1f4ffb5

SHA256
d8328176599c5cf00c14e893887b2abde72f01ee64c32985b26544558c337cf4

SHA512
cadb94ca168a455d365a390e7492a1865d2d54e3501f2924a81d69ab6cd6e539e51a2b79f23a38bd4cd97b83d2e76a8e3e344ba044a9fe9a5930b74047da3723

Download Submit
C:\Program Files (x86)\ach\12.bat

Filesize
64B

MD5
2fd614792ac60cc2a70eb01b6f9b67f4

SHA1
9296d5aabe979e5e4f72017e3012789adfaa1676

SHA256
82475a224341b16d4911d7e98e91ff3414c9913ba3c058bfd878f376e32b4ebc

SHA512
30f19b7504a2176882dfa7ba54cf851a0ed2c91b2ab07a9d5804f64f7177d3ff3e4e832cc7865ac14554d4ba6e09b732eef5a1443d960fc0d448a647ff2429e5

Download Submit
C:\Program Files (x86)\ach\2.exe

Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Program Files (x86)\ach\3.bat

Filesize
62B

MD5
ea0164899b0262ea4949e2bcd9f31396

SHA1
91b698e4b13755fcb6d5ce0209a5b342185bc566

SHA256
0c39352ff971f6099cdf146ce566b70e089eb15db75a42b3ae8deb13fa771913

SHA512
cf9ba9b662dc107593cc66fe21b815bbf5b05651c0e4a50029f62ff16d64f8d63185d57c96cd6984141ca62310250b7af42ef56ea6249285c97c2d0aec0f3560

Download Submit
C:\Program Files (x86)\ach\4.bat

Filesize
83B

MD5
1acc850c1f9ad9dee5c12c9bd511bc19

SHA1
2786d0b2a6f3b1518f0ffcc31fd4d2466448f3dc

SHA256
136ca30e5e046d8cc399c5ae80fee4678723dabb84e0b33211c23e4457ab24d8

SHA512
db3eef765e8de29df99fda976d7ede5ec713a090f810a4a48430e2b1d11f54656a46c46e9cc691fa645212ecc742447f13d8429bcd32de318e5df460c74eb81d

Download Submit
C:\Program Files (x86)\ach\6.bat

Filesize
77B

MD5
867b43ca89739d7c567234005c9d3094

SHA1
aa62a7c35a590ea8a90e7f7cbceb0a9ae25b4ad7

SHA256
c13a71d0d440c191560b068295ab93774969d6c81ee642a90462a1075cb25c89

SHA512
679e44414ca8c1bab9254f090e74644ceed96db05e25142a502e73b759360a6cecc46106dec59a9fc78b27a025cac345180cb8fd8e381bd1bc73db4be6dc989c

Download Submit
C:\Program Files (x86)\ach\7.bat

Filesize
17B

MD5
0d8f7695e06c0431dcc84ce926ba5f1d

SHA1
a1504b4baf7c180be7b42cb745e5af7ccc272219

SHA256
5ea8f2c0ed24467105b6eba30731f2e1fd5bb4f5cd9d17287f32b9ec850ea301

SHA512
df6e9cc73414cfa1f53d117ef8e1847a0539d44db9488d763b2fb7b6b52fb4cba5e74e96c427fd3dd9ffd68eb9b6cf047ce2bbdf66220043db19e332e6ca9904

Download Submit
C:\Program Files (x86)\ach\8.bat

Filesize
49B

MD5
b949133f46ebeabf8c49c6c7f7f4cd68

SHA1
04286a9c7641c5225c7e654904504fe4c7a0a39a

SHA256
3c08b2e29d0c97716dfc52e29bb44648fa2e38e802dd1f590b94233b6546db58

SHA512
0f1f4423bad62ed68f9b1a76e6ea0cb863a91f49036314c93e2586250edbc5ab2e48c48e568cacf825f6b7691d88856e98b39e3972a8ca582063b871de49da06

Download Submit
C:\Program Files (x86)\ach\9.bat

Filesize
37B

MD5
4e8cfdf8fcc0df4d52c0240ff9714efa

SHA1
ea56c4ff1bda995f2c0ffcf5473a55e441d3fcfe

SHA256
f473c141cf7fed8fa0d543dbd07e9333dc0975b79ae5b55e73ae015c67e8b53a

SHA512
d041322d20b2a3fe58be075120cefa06ec246e9496acdccbc907e678cf76286967d604812a214e290208c28369d57f8fe0d13fdcae4fd797c096e6d6d635df23

Download Submit
C:\Program Files (x86)\skleika\ach.exe

Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\ach.exe

Filesize
837KB

MD5
ab4470038abfcf2550f50cb94537165e

SHA1
2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0

SHA256
7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9

SHA512
b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4

Download Submit
C:\Program Files (x86)\skleika\jopa.exe

Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Program Files (x86)\skleika\jopa.exe

Filesize
37KB

MD5
36e59be3c751683fc142c0ebd8d6a71d

SHA1
1e9632a2173588f606e6a354cdcbeddc91ab2c78

SHA256
3611560138463ba5b2438d8691410a642875230b8db788751826a7b495371e4c

SHA512
e20d3f2c0ad628aa137c7dfde3d77ae09628f725af5f590dd4ff052a65975e7f0aa5fa5cbfb417ce57f0d34a36dccac3333885e2f91125946f8a29db27316eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cf0590221414bd310de1ad577c93bb40

SHA1
8533cd52996baa6136966e180762f1ff56ec4128

SHA256
73b68fa48020a6656aa783ff6a1d5e2901df68f7796907b888a755d3898c4ce9

SHA512
99ee5bbe376f1af125374ff35061ddcebefeb0b5e7815924c50659edeb2c5228848707e76f61dc3333b0cec5d4f58999501d4de59c365034abae3eebda5abb8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
246515b4eb30d26c707924b86d457581

SHA1
4186c1ef3f36c8300c779a717f1757d9aebc947b

SHA256
9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107

SHA512
94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
246515b4eb30d26c707924b86d457581

SHA1
4186c1ef3f36c8300c779a717f1757d9aebc947b

SHA256
9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107

SHA512
94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
246515b4eb30d26c707924b86d457581

SHA1
4186c1ef3f36c8300c779a717f1757d9aebc947b

SHA256
9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107

SHA512
94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
246515b4eb30d26c707924b86d457581

SHA1
4186c1ef3f36c8300c779a717f1757d9aebc947b

SHA256
9913e2b5bbd8cf69f88b50c22f6e4ede92b63b3b4af794efd0c873faaa481107

SHA512
94d776aa4d0f54e94ac45873bcfb87462ecb5c29adb82bc3c9af7da11d74c3736841e43203c4a87a50981ad8a4539a973d9d396e75f6e3b138e74626701dc778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
006025b816d32f1c02542b14f3cc265c

SHA1
ff19761346d8368e35d9c173423cfa3efa4e0ee7

SHA256
b3ed9da1b621b64d962fbcb2e3519278654cae40366107975fb82ce5043bff7b

SHA512
16566f1458e0f82dd1757cedd4f06546816f336d523f4ea6685b0c0fa4aabe3c00dd906839514a52d1893c96cc06cea8159040e072d085895f87d2ee7a61339b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
35b65681ae6d0f53fb1f5f519ff03709

SHA1
83d6ec0a8d91fa3186c2942c3a26d30d5cb0e247

SHA256
8fbdd10fadbf85f256c24e7acf06502e9b9497a8cd209702e4a5a080c60b75c2

SHA512
8cb3d56a8333882f850ccb3d18a6590769471405b9f3a0f574530b4d2b017218e1a4759f9b004e63721e1c9681257a6d64dcecf14095a6876b347bc0748e147b

Download Submit
\??\pipe\LOCAL\crashpad_3340_KSHJEHFNRTXJICSK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3692_XMILVIFGUPHLCRHS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/240-225-0x0000000000000000-mapping.dmp

Download
memory/556-157-0x0000000000000000-mapping.dmp

Download
memory/808-181-0x0000000000000000-mapping.dmp

Download
memory/964-155-0x0000000000000000-mapping.dmp

Download
memory/984-234-0x0000000000000000-mapping.dmp

Download
memory/1136-158-0x0000000000000000-mapping.dmp

Download
memory/1168-147-0x0000000000000000-mapping.dmp

Download
memory/1172-178-0x0000000000000000-mapping.dmp

Download
memory/1352-141-0x0000000000000000-mapping.dmp

Download
memory/1384-133-0x0000000000000000-mapping.dmp

Download
memory/1792-164-0x0000000000000000-mapping.dmp

Download
memory/1868-176-0x0000000000000000-mapping.dmp

Download
memory/1972-153-0x0000000000000000-mapping.dmp

Download
memory/1996-162-0x0000000000000000-mapping.dmp

Download
memory/2088-154-0x0000000000000000-mapping.dmp

Download
memory/2224-152-0x0000000000000000-mapping.dmp

Download
memory/2384-232-0x0000000000000000-mapping.dmp

Download
memory/2408-235-0x0000000000000000-mapping.dmp

Download
memory/2452-137-0x0000000000000000-mapping.dmp

Download
memory/2768-175-0x0000000000000000-mapping.dmp

Download
memory/2836-183-0x0000000000000000-mapping.dmp

Download
memory/2976-221-0x0000000000000000-mapping.dmp

Download
memory/3056-146-0x0000000000000000-mapping.dmp

Download
memory/3060-171-0x0000000000000000-mapping.dmp

Download
memory/3156-215-0x00000000727F0000-0x0000000072DA1000-memory.dmp

Filesize
5.7MB

Download
memory/3156-130-0x0000000000000000-mapping.dmp

Download
memory/3156-136-0x00000000727F0000-0x0000000072DA1000-memory.dmp

Filesize
5.7MB

Download
memory/3320-228-0x0000000000000000-mapping.dmp

Download
memory/3340-163-0x0000000000000000-mapping.dmp

Download
memory/3388-159-0x0000000000000000-mapping.dmp

Download
memory/3420-143-0x0000000000000000-mapping.dmp

Download
memory/3520-151-0x0000000000000000-mapping.dmp

Download
memory/3692-161-0x0000000000000000-mapping.dmp

Download
memory/3912-142-0x0000000000000000-mapping.dmp

Download
memory/4032-139-0x0000000000000000-mapping.dmp

Download
memory/4092-184-0x0000000000000000-mapping.dmp

Download
memory/4312-217-0x0000000000000000-mapping.dmp

Download
memory/4532-148-0x0000000000000000-mapping.dmp

Download
memory/4732-168-0x0000000000000000-mapping.dmp

Download
memory/4796-145-0x0000000000000000-mapping.dmp

Download
memory/4804-150-0x0000000000000000-mapping.dmp

Download
memory/4880-233-0x0000000000000000-mapping.dmp

Download
memory/4956-185-0x0000000000000000-mapping.dmp

Download
memory/4988-149-0x0000000000000000-mapping.dmp

Download
memory/5004-156-0x0000000000000000-mapping.dmp

Download
memory/5016-169-0x0000000000000000-mapping.dmp

Download
memory/5188-220-0x0000000000000000-mapping.dmp

Download
memory/5216-188-0x0000000000000000-mapping.dmp

Download
memory/5232-219-0x0000000000000000-mapping.dmp

Download
memory/5244-191-0x0000000000000000-mapping.dmp

Download
memory/5260-189-0x0000000000000000-mapping.dmp

Download
memory/5372-192-0x0000000000000000-mapping.dmp

Download
memory/5408-193-0x0000000000000000-mapping.dmp

Download
memory/5456-194-0x0000000000000000-mapping.dmp

Download
memory/5524-197-0x0000000000000000-mapping.dmp

Download
memory/5532-201-0x0000000000000000-mapping.dmp

Download
memory/5560-198-0x0000000000000000-mapping.dmp

Download
memory/5568-200-0x0000000000000000-mapping.dmp

Download
memory/5596-203-0x0000000000000000-mapping.dmp

Download
memory/5620-230-0x0000000000000000-mapping.dmp

Download
memory/5628-202-0x0000000000000000-mapping.dmp

Download
memory/5636-222-0x0000000000000000-mapping.dmp

Download
memory/5724-206-0x0000000000000000-mapping.dmp

Download
memory/5828-209-0x0000000000000000-mapping.dmp

Download
memory/6008-212-0x0000000000000000-mapping.dmp

Download
memory/6096-214-0x0000000000000000-mapping.dmp

Download