a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
301s
max time network
338s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/ach.exe
Size

837KB
MD5

ab4470038abfcf2550f50cb94537165e
SHA1

2aaa0e7137e2c09ab7f0cc5bcaf088521edad9f0
SHA256

7c80903c5d1765f106a9a25187c32b40a9f7ab11ebf40d8117ba5b80acc5f3e9
SHA512

b6853047083ccb5e4d0c13cad934366506dfb3decaefc9a06c26a255b1d0704b38047cafba2daa4cfb1bf09b3ef5ebe79153eee0ae8ea5cc8f534f280c50e7f4
SSDEEP

24576:+TbBv5rUlI6ZpBuTC/wYsxeB252QRoOXMf:ABRHC/Rso23RVXk

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

2400 2.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ach.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ach.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
2400	2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ach.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 28 IoCs

Processes:

ach.exesetup.exe

description	ioc	process
File created	C:\Program Files (x86)\ach\1.vbs	ach.exe
File opened for modification	C:\Program Files (x86)\ach\2.exe	ach.exe
File opened for modification	C:\Program Files (x86)\ach\4.bat	ach.exe
File created	C:\Program Files (x86)\ach\8.bat	ach.exe
File created	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach	ach.exe
File created	C:\Program Files (x86)\ach\6.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\7.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\11.vbs	ach.exe
File created	C:\Program Files (x86)\ach\2.exe	ach.exe
File created	C:\Program Files (x86)\ach\9.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\10.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\8.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\12.bat	ach.exe
File created	C:\Program Files (x86)\ach\3.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\9.bat	ach.exe
File created	C:\Program Files (x86)\ach\11.vbs	ach.exe
File created	C:\Program Files (x86)\ach\12.bat	ach.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220918141938.pma	setup.exe
File opened for modification	C:\Program Files (x86)\ach\1.vbs	ach.exe
File created	C:\Program Files (x86)\ach\7.bat	ach.exe
File created	C:\Program Files (x86)\ach\5.png	ach.exe
File opened for modification	C:\Program Files (x86)\ach\6.bat	ach.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c347a981-7a6f-4596-94f1-486f93d5e406.tmp	setup.exe
File created	C:\Program Files (x86)\ach\__tmp_rar_sfx_access_check_240595062	ach.exe
File created	C:\Program Files (x86)\ach\4.bat	ach.exe
File opened for modification	C:\Program Files (x86)\ach\3.bat	ach.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

ach.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	ach.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs regedit.exe 10 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
5156	regedit.exe
6700	regedit.exe
2372	regedit.exe
6640	regedit.exe
5284	regedit.exe
3980	regedit.exe
4320	regedit.exe
6088	regedit.exe
6772	regedit.exe
456	regedit.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5904	msedge.exe
5904	msedge.exe
5948	msedge.exe
5948	msedge.exe
6020	msedge.exe
6020	msedge.exe
6048	msedge.exe
6048	msedge.exe
6060	msedge.exe
6060	msedge.exe
5844	msedge.exe
5844	msedge.exe
6108	msedge.exe
6108	msedge.exe
6100	msedge.exe
6100	msedge.exe
6092	msedge.exe
6092	msedge.exe
3104	msedge.exe
3104	msedge.exe
6260	identity_helper.exe
6260	identity_helper.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ach.exe

pid process

4632 ach.exe

pid	process
4632	ach.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3104 msedge.exe
3104 msedge.exe
3104 msedge.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

wordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exewordpad.exe

pid	process
7144	wordpad.exe
7144	wordpad.exe
7144	wordpad.exe
2344	wordpad.exe
2344	wordpad.exe
2344	wordpad.exe
4792	wordpad.exe
2344	wordpad.exe
2344	wordpad.exe
4792	wordpad.exe
4792	wordpad.exe
7144	wordpad.exe
7144	wordpad.exe
4792	wordpad.exe
4792	wordpad.exe
372	wordpad.exe
372	wordpad.exe
372	wordpad.exe
5292	wordpad.exe
5292	wordpad.exe
5292	wordpad.exe
372	wordpad.exe
372	wordpad.exe
5292	wordpad.exe
5292	wordpad.exe
1876	wordpad.exe
1876	wordpad.exe
1876	wordpad.exe
1876	wordpad.exe
1876	wordpad.exe
6604	wordpad.exe
6604	wordpad.exe
6604	wordpad.exe
6604	wordpad.exe
6604	wordpad.exe
5764	wordpad.exe
5764	wordpad.exe
5764	wordpad.exe
6828	wordpad.exe
6828	wordpad.exe
6828	wordpad.exe
5764	wordpad.exe
5764	wordpad.exe
6828	wordpad.exe
6828	wordpad.exe
5808	wordpad.exe
5808	wordpad.exe
5808	wordpad.exe
5560	wordpad.exe
5560	wordpad.exe
5560	wordpad.exe
6316	wordpad.exe
6316	wordpad.exe
6316	wordpad.exe
5808	wordpad.exe
5808	wordpad.exe
6316	wordpad.exe
6316	wordpad.exe
5560	wordpad.exe
5560	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ach.execmd.execmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 672	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 672	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 672	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 2400	4632	ach.exe	2.exe
PID 4632 wrote to memory of 2400	4632	ach.exe	2.exe
PID 4632 wrote to memory of 2400	4632	ach.exe	2.exe
PID 4632 wrote to memory of 5076	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 5076	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 5076	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4708	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4708	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4708	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3712	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3712	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3712	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1304	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1304	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1304	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 5056	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 5056	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 5056	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 1228	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4152	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4152	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4152	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4604	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4604	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 4604	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 2440	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 2440	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 2440	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3420	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3420	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 3420	4632	ach.exe	WScript.exe
PID 4632 wrote to memory of 5104	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 5104	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 5104	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 2344	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 2344	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 2344	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4512	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4512	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 4512	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3388	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3388	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3388	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1768	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1768	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1768	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1832	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1832	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 1832	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3256	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3256	4632	ach.exe	cmd.exe
PID 4632 wrote to memory of 3256	4632	ach.exe	cmd.exe
PID 5076 wrote to memory of 3080	5076	cmd.exe	msedge.exe
PID 5076 wrote to memory of 3080	5076	cmd.exe	msedge.exe
PID 4708 wrote to memory of 2008	4708	cmd.exe	msedge.exe
PID 4708 wrote to memory of 2008	4708	cmd.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\ach.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\ach.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:672

C:\Program Files (x86)\ach\2.exe
"C:\Program Files (x86)\ach\2.exe"
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
3⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:1788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3756725831459776631,3136039457986828358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
4⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3756725831459776631,3136039457986828358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
3⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9485692132609169596,2098746912072526660,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
4⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9485692132609169596,2098746912072526660,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:3228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:3712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:1304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:5056

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:1228

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:4152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:4604

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:2440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
2⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
3⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,16181277633030879497,13193982830578980751,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
4⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,16181277633030879497,13193982830578980751,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
2⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
3⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2954543758145040444,9628486307791040147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2954543758145040444,9628486307791040147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
3⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,3074488523761732856,7264812909760221709,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
4⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,3074488523761732856,7264812909760221709,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
2⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
4⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
4⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
4⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
4⤵
PID:6580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
4⤵
PID:6588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
4⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
4⤵
PID:7176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
4⤵
PID:7208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
4⤵
PID:7320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
4⤵
PID:7296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
4⤵
PID:7480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
4⤵
PID:7580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5604 /prefetch:8
4⤵
PID:7728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
4⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
4⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8276 /prefetch:8
4⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
4⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:1
4⤵
PID:6308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
4⤵
PID:6400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9452 /prefetch:1
4⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9728 /prefetch:1
4⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8308 /prefetch:8
4⤵
PID:7684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:7668

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff718b15460,0x7ff718b15470,0x7ff718b15480
5⤵
PID:7728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8308 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7784 /prefetch:8
4⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9700 /prefetch:8
4⤵
PID:1984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7108 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7792 /prefetch:8
4⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10116 /prefetch:8
4⤵
PID:6508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1908 /prefetch:8
4⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8540 /prefetch:8
4⤵
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10200 /prefetch:8
4⤵
PID:7280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,8539379936975148108,1673264370304631510,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:8
4⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
3⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1402879579130333590,2077091500721386755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1402879579130333590,2077091500721386755,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
4⤵
PID:5804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\3.bat" "
2⤵
PID:1832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC6qeIOiQYuevWysxR91eEZA
3⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9044149770503410691,12954774675446232123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
4⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9044149770503410691,12954774675446232123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\4.bat" "
2⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/search/?text=you+are+hacked+by+ach+vzlom
3⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,10309151019529488247,16334913890403832422,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
4⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,10309151019529488247,16334913890403832422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:6060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
2⤵
PID:7940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
3⤵
PID:8152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:7736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
2⤵
PID:7988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\6.bat" "
2⤵
PID:6328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.meme-arsenal.com/memes/da2f1ad351b86210222d977d86acd913.jpg
3⤵
PID:968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:5568

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:6772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:8032

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:4512

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:6988

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:4356

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:6204

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:6088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:2584

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:6640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:6296

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:5156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
2⤵
PID:6492

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:6260

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
5⤵
PID:6704

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:6704

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:6388

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:6504

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
2⤵
PID:1144

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:6820

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:5560

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:5328

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\7.bat" "
2⤵
PID:5772

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:6700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\9.bat" "
2⤵
PID:6572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wipet.malwarewatch.org/
3⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\12.bat" "
2⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://yandex.ru/images/search?text=trollface
3⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
4⤵
PID:3588

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:6860

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:6884

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:6768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:6412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:7472

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:6684

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:7000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:2004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:2572

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:5076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\11.vbs"
2⤵
PID:7016

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\ach\1.vbs"
2⤵
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
2⤵
PID:5656

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:3540

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:6828

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:448

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:5560

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:6784

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:6316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ach\8.bat" "
2⤵
PID:5676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:456

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:7728

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:6604

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:5536

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:5764

C:\Windows\SysWOW64\write.exe
write.exe
3⤵
PID:1260

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:5808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffe963846f8,0x7ffe96384708,0x7ffe96384718
1⤵
PID:4048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:7940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ach\1.vbs
Filesize
45B

MD5
7a89fc4808a599eca068d9d5d6da5c17

SHA1
34808a073a897f4eb2deaea3e74b8f33a3872776

SHA256
7d855d79426eca3e1fc8f6338c64a93bb90ecb51247f810c6e4414cbacbf5953

SHA512
dc6fa4265890133d4d003feafa7f6583cbcb7e1e9140babec14b65ebc704327abe4a4fb851e053b4bc889c1e12c8867dd6e1b26a78810bb7ed412aaa34b0b80e

Download Submit
C:\Program Files (x86)\ach\2.exe
Filesize
2.3MB

MD5
5134f289dbf4abae370e3f36b637b73e

SHA1
c78d3f2d00dc47da0112a74df665c7a84a8e32c3

SHA256
e69c9383b5d9fe4e069ddee15797c52e9116f883ad3b1717d2519621ab2751b2

SHA512
0bf61a04b93b1ba5b8a0e2d9a1c333cc4605350a4c797cc9f5f78fec698d6f4fd62d329513ed406e76a06aa6af0f00d206da723e5a33315ce8de7f68f2002cb5

Download Submit
C:\Program Files (x86)\ach\3.bat
Filesize
62B

MD5
ea0164899b0262ea4949e2bcd9f31396

SHA1
91b698e4b13755fcb6d5ce0209a5b342185bc566

SHA256
0c39352ff971f6099cdf146ce566b70e089eb15db75a42b3ae8deb13fa771913

SHA512
cf9ba9b662dc107593cc66fe21b815bbf5b05651c0e4a50029f62ff16d64f8d63185d57c96cd6984141ca62310250b7af42ef56ea6249285c97c2d0aec0f3560

Download Submit
C:\Program Files (x86)\ach\4.bat
Filesize
83B

MD5
1acc850c1f9ad9dee5c12c9bd511bc19

SHA1
2786d0b2a6f3b1518f0ffcc31fd4d2466448f3dc

SHA256
136ca30e5e046d8cc399c5ae80fee4678723dabb84e0b33211c23e4457ab24d8

SHA512
db3eef765e8de29df99fda976d7ede5ec713a090f810a4a48430e2b1d11f54656a46c46e9cc691fa645212ecc742447f13d8429bcd32de318e5df460c74eb81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
0f0d392bfa87f8c42d8489491d85c953

SHA1
c18ab3c74dea8d969e665aa40270b80f20bfe9e9

SHA256
7867bd411a5fdda87bfe3002fb53cd3a4ef9ceabeb568faa0cd933c10710e97c

SHA512
3513186d8049bc2bd8a0bb838ccc87358454364e2565bf24b5df47c2f0dfc587da5db0512b5889c6499035aa1c18aee73e23fb68733e40efd815dddfd1c2d1b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
412B

MD5
c5fefe20aed84054e3aef4974cf2fb51

SHA1
33c8a025d8ba4f3988a86cd68b37b96daa92cf71

SHA256
233b3a53a7831f845164da5c8cb55abe12f4af5830ce150af07f0fd6e31320de

SHA512
c111231ee73f84bdcc31eb336186171e15fd6c27e751a7bb69b31efa6cd3a2f693636392567d61de31367f13b1e6831d22076f01380150cb0409994f4cc062a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1dde831b3f72227121241cfbcf0b8bfa

SHA1
e076ca61127cce19e3495b3a0ae3dfdb8592effd

SHA256
b3f388e535f4220252e0b0b4fc8146c51489ecbeca74227f8cdff78ed0062cc6

SHA512
2ec5a389bb710a725b75ba3e27f3fbcb0d5d6bd2ff0803d1f2381d1a79c7162581c6818afaa7e10aa03900482e2a1f683ca8cb7ed2f68489efa093715740f03b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
dab7f78a912ea8c7d1b2db52a9c1fdd3

SHA1
69b08cea7fb64ff50052b60e67f2afb3b9975af6

SHA256
88e71b2c9a11caa6b1578f7221865d5fbc4c164d2847db379a1000b5a5b5ebbf

SHA512
7c271773544da00ec883a1995d86d4fd1b34eed3bdce0080574677b5606e4d6d8dcec2f7c87db4338f2735db86e72de7fdef26c7027c387aa8f765921ccd5092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9a9e6a7fc4b1cc29e587073859f01afc

SHA1
55de26f9fa367661672c42eb520fa511ccc2dac5

SHA256
65864fdd4664b79183341c4e5f445f961eaa38d5c00ecade6ff2eb1f1f15a05b

SHA512
1429bb9473c0e10fa51b3711a120c5810b788cab6a8b65deb68a81c2cc6766a309dc6d9427465b043c52abf21915e3622ae0476ecb0b2b03b1ea1ca06753cec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
decc9ae6af5f374b22c3bccb52781904

SHA1
1c3c3072c5f377d25ac4505e5aa7279651e443fe

SHA256
45e1bd8fcd0bf4b07bd8740399b5a68520775dd590e592047aea0d8cf0aa6ae0

SHA512
458d430beeffa1a4221146d5e8a117a96c80b4c01e354cc702c950511659650849b8764f70e4ae06c919cc32a525d256a2d918e170bdf3ccb847d89c4606e6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d282340d81d61b9ec140e1ae2074aa35

SHA1
daad858055a55ff7293ac951251dfba4d9552567

SHA256
b91ef26b9214cc9be876e9b089166d3c765614cbbe172e8a3c313640620e027c

SHA512
1729e92969443576322c848e6a395abc766201004b52a1530b0d4c47fff3136c54768b4cf5bb007e7ba6e71d71debc54465adc6f5aeb070d28aa14141b0de557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0ccfb5402a2d243ba78c17b292e73218

SHA1
677e60396c41bf843d02e1868e6ff87292daa7bd

SHA256
540eb1a1bf3d4ae1d8524aa791a14d438af678ff5be310b8c696c763e6725680

SHA512
56d3dccf8599c30ea89793ddef58313ef3b9cac8847efab9b9a8b17200d3850bb5ea6dfbe22060cd445b15f8436e65fa52c43bea1862ac8543247a085068b971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
82ec235bbd6407f91c0740599420c29f

SHA1
bdf1bf3c303d1e2f95fe962f4fb3b8cfd38d88d5

SHA256
c2c33e8671bc807cb250d1ec47c72425652d899a18f7e39b8aeb1d5d18d7a5de

SHA512
d6e6028b41d7bb949a7462cb89bfc097d325bc0d547993ad150b1e54ba31aa5cc8d1501e0ba38467f725520256c6552145ace4e16a793789bbb2e5be40b76835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
9a9e6a7fc4b1cc29e587073859f01afc

SHA1
55de26f9fa367661672c42eb520fa511ccc2dac5

SHA256
65864fdd4664b79183341c4e5f445f961eaa38d5c00ecade6ff2eb1f1f15a05b

SHA512
1429bb9473c0e10fa51b3711a120c5810b788cab6a8b65deb68a81c2cc6766a309dc6d9427465b043c52abf21915e3622ae0476ecb0b2b03b1ea1ca06753cec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
decc9ae6af5f374b22c3bccb52781904

SHA1
1c3c3072c5f377d25ac4505e5aa7279651e443fe

SHA256
45e1bd8fcd0bf4b07bd8740399b5a68520775dd590e592047aea0d8cf0aa6ae0

SHA512
458d430beeffa1a4221146d5e8a117a96c80b4c01e354cc702c950511659650849b8764f70e4ae06c919cc32a525d256a2d918e170bdf3ccb847d89c4606e6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
dab7f78a912ea8c7d1b2db52a9c1fdd3

SHA1
69b08cea7fb64ff50052b60e67f2afb3b9975af6

SHA256
88e71b2c9a11caa6b1578f7221865d5fbc4c164d2847db379a1000b5a5b5ebbf

SHA512
7c271773544da00ec883a1995d86d4fd1b34eed3bdce0080574677b5606e4d6d8dcec2f7c87db4338f2735db86e72de7fdef26c7027c387aa8f765921ccd5092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
0ccfb5402a2d243ba78c17b292e73218

SHA1
677e60396c41bf843d02e1868e6ff87292daa7bd

SHA256
540eb1a1bf3d4ae1d8524aa791a14d438af678ff5be310b8c696c763e6725680

SHA512
56d3dccf8599c30ea89793ddef58313ef3b9cac8847efab9b9a8b17200d3850bb5ea6dfbe22060cd445b15f8436e65fa52c43bea1862ac8543247a085068b971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7c574f935a45a1008022b067a3d69a3f

SHA1
f062e71c3535086fb48049d0b08b849c99cafef6

SHA256
284bb409e92365f71b096adca2e12b87ddf6f1476697ade371904dbde0a5126b

SHA512
625fdaa78d72411e96b397f5c4a2d148540c74cb9ab9152b01ded63881c9fbcfeb51b2187f32556ac9deaf49dc3047b45b4f6719401864929f411ddfbf05a71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ecd5540fbcc8a29e657271927892a3c4

SHA1
59e252eb2c21f33445969d535fd13717940d421e

SHA256
99a57f340ccabb988d32f0987a777b979068860e516dbe093b01e6a945045823

SHA512
2fb2a14459288f8d0f27bbb06a6807109888f26093cece9379df827d0ba9cfab5b9536cde717a033924020d5c95a6b7ea2a1adbaaaa83cfc0b419c35374d0eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
ecd5540fbcc8a29e657271927892a3c4

SHA1
59e252eb2c21f33445969d535fd13717940d421e

SHA256
99a57f340ccabb988d32f0987a777b979068860e516dbe093b01e6a945045823

SHA512
2fb2a14459288f8d0f27bbb06a6807109888f26093cece9379df827d0ba9cfab5b9536cde717a033924020d5c95a6b7ea2a1adbaaaa83cfc0b419c35374d0eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
d282340d81d61b9ec140e1ae2074aa35

SHA1
daad858055a55ff7293ac951251dfba4d9552567

SHA256
b91ef26b9214cc9be876e9b089166d3c765614cbbe172e8a3c313640620e027c

SHA512
1729e92969443576322c848e6a395abc766201004b52a1530b0d4c47fff3136c54768b4cf5bb007e7ba6e71d71debc54465adc6f5aeb070d28aa14141b0de557

Download Submit
\??\pipe\LOCAL\crashpad_1564_VLMDFVWLAGZFHQYR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2008_TULHACNCTKFGERNJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_2444_DENZNWQWNSBXKNEC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3080_BZPDGGUUXOIJSXDM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3104_OEQXEYCTHLFMFDIW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3168_EUNMSYMJWBZCAGEV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4260_UPDTTLIRSOUDQZZE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4892_BGTSJOJMCHXMIURL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5012_LXAAYQIYSUMUGVFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/672-132-0x0000000000000000-mapping.dmp

Download
memory/912-174-0x0000000000000000-mapping.dmp

Download
memory/960-177-0x0000000000000000-mapping.dmp

Download
memory/1228-143-0x0000000000000000-mapping.dmp

Download
memory/1240-168-0x0000000000000000-mapping.dmp

Download
memory/1304-140-0x0000000000000000-mapping.dmp

Download
memory/1564-175-0x0000000000000000-mapping.dmp

Download
memory/1768-152-0x0000000000000000-mapping.dmp

Download
memory/1784-158-0x0000000000000000-mapping.dmp

Download
memory/1788-162-0x0000000000000000-mapping.dmp

Download
memory/1832-153-0x0000000000000000-mapping.dmp

Download
memory/2008-157-0x0000000000000000-mapping.dmp

Download
memory/2316-160-0x0000000000000000-mapping.dmp

Download
memory/2344-149-0x0000000000000000-mapping.dmp

Download
memory/2400-134-0x0000000000000000-mapping.dmp

Download
memory/2440-146-0x0000000000000000-mapping.dmp

Download
memory/2444-159-0x0000000000000000-mapping.dmp

Download
memory/3080-156-0x0000000000000000-mapping.dmp

Download
memory/3104-164-0x0000000000000000-mapping.dmp

Download
memory/3168-170-0x0000000000000000-mapping.dmp

Download
memory/3228-138-0x0000000000000000-mapping.dmp

Download
memory/3256-154-0x0000000000000000-mapping.dmp

Download
memory/3368-176-0x0000000000000000-mapping.dmp

Download
memory/3388-151-0x0000000000000000-mapping.dmp

Download
memory/3420-147-0x0000000000000000-mapping.dmp

Download
memory/3700-179-0x0000000000000000-mapping.dmp

Download
memory/3712-139-0x0000000000000000-mapping.dmp

Download
memory/4152-144-0x0000000000000000-mapping.dmp

Download
memory/4260-163-0x0000000000000000-mapping.dmp

Download
memory/4512-150-0x0000000000000000-mapping.dmp

Download
memory/4604-145-0x0000000000000000-mapping.dmp

Download
memory/4708-137-0x0000000000000000-mapping.dmp

Download
memory/4872-161-0x0000000000000000-mapping.dmp

Download
memory/4892-171-0x0000000000000000-mapping.dmp

Download
memory/5012-172-0x0000000000000000-mapping.dmp

Download
memory/5056-141-0x0000000000000000-mapping.dmp

Download
memory/5076-136-0x0000000000000000-mapping.dmp

Download
memory/5104-148-0x0000000000000000-mapping.dmp

Download
memory/5116-165-0x0000000000000000-mapping.dmp

Download
memory/5592-199-0x0000000000000000-mapping.dmp

Download
memory/5604-194-0x0000000000000000-mapping.dmp

Download
memory/5616-198-0x0000000000000000-mapping.dmp

Download
memory/5632-207-0x0000000000000000-mapping.dmp

Download
memory/5640-211-0x0000000000000000-mapping.dmp

Download
memory/5652-212-0x0000000000000000-mapping.dmp

Download
memory/5660-209-0x0000000000000000-mapping.dmp

Download
memory/5728-249-0x0000000000000000-mapping.dmp

Download
memory/5752-210-0x0000000000000000-mapping.dmp

Download
memory/5804-220-0x0000000000000000-mapping.dmp

Download
memory/5844-213-0x0000000000000000-mapping.dmp

Download
memory/5904-221-0x0000000000000000-mapping.dmp

Download
memory/5948-222-0x0000000000000000-mapping.dmp

Download
memory/5952-262-0x0000000000000000-mapping.dmp

Download
memory/6020-224-0x0000000000000000-mapping.dmp

Download
memory/6048-226-0x0000000000000000-mapping.dmp

Download
memory/6060-227-0x0000000000000000-mapping.dmp

Download
memory/6092-230-0x0000000000000000-mapping.dmp

Download
memory/6100-231-0x0000000000000000-mapping.dmp

Download
memory/6108-228-0x0000000000000000-mapping.dmp

Download
memory/6480-239-0x0000000000000000-mapping.dmp

Download
memory/6580-253-0x0000000000000000-mapping.dmp

Download
memory/6588-260-0x0000000000000000-mapping.dmp

Download
memory/7176-264-0x0000000000000000-mapping.dmp

Download
memory/7208-266-0x0000000000000000-mapping.dmp

Download