5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiddlerSetup.exe
Size

6.5MB
MD5

7fd1119b5f29e4094228dabf57e65a9d
SHA1

1a4e248bfe07f8c65ce68b4f29013442be6ef7c7
SHA256

5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8
SHA512

20d22e16f5c285bd6ffdf3620762c340ffb97cc51c5080717b87442f29a14271644351b082392d9fb2fd1ce40a1fe56a4e6592a290d67f5c587e8e9eb2f33787
SSDEEP

196608:Q962sDwuahkk8ZaQd9NCMbw4fO0ADH6Op:Q5uAkk8ZBCuXfjADH6s

Score

9^/10

discovery evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2000 netsh.exe
2564 netsh.exe

pid	process
2000	netsh.exe
2564	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FiddlerSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\55dd6e01-3df2-4992-81c3-6fca2a0517bf.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230504161219.pma	setup.exe

Drops file in Windows directory 52 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ac8-0\GA.Analytics.Monitor.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1308-0\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\b3a383423b05afda73d5befea52df23f\DotNetZip.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Fiddler\0246347168440311f67418ce72a25f0e\Fiddler.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9bc-0\Analytics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\918-0\System.ServiceModel.Internals.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1308-0\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1120-0\Newtonsoft.Json.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\8b4-0\System.Drawing.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\37b9991e77d6c4ee257ca8b2c1f585ad\System.Data.OracleClient.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\147ecaf76a082c0dd04c1e2ae632921d\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt19c51595#\6f69c2900b13ef16144a4dd218db8baf\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\830-0\System.Web.ApplicationServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\75c-0\System.Runtime.Caching.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1364-0\Telerik.NetworkConnections.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3a4-0\System.ComponentModel.Composition.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\d5ea54b023997de3a48807f3b15ff588\System.ComponentModel.Composition.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\28c-0\System.Web.RegularExpressions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\480-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\558-0\System.Data.OracleClient.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13f0-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Draw0a54d252#\3d5342ebcdfac2e48f2cbb87316da000\System.Drawing.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1120-0\System.ComponentModel.DataAnnotations.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12dc-0\System.DirectoryServices.Protocols.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\778-0\Fiddler.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\c9d532d5040768732fdbb078eb294563\Newtonsoft.Json.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f28-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\194-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\a58ff39c1803c8009577b8aa07f4401d\Telerik.NetworkConnections.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire5d62f0a2#\dae28270785fd6a19fb72c8c675c81a8\System.DirectoryServices.Protocols.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10dc-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\9422cdf8836e5af7e68e6c7719083b46\Analytics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\581f591747009a39a799777655cec912\GA.Analytics.Monitor.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\27f97b5687f7139425a49f9cbafaf6e2\System.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.8dc504e4#\f95cdc313801411ba86580e09a790db8\System.Web.ApplicationServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Comp46f2b404#\1a856cd8b4506b84f967fb416431e03d\System.ComponentModel.DataAnnotations.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a50-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1210-0\DotNetZip.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\7e76b1fb4198734d8af8f5d806b99864\SMDiagnostics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\3248866fdc0058e6a1a5d64c5019ee84\System.Web.RegularExpressions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1364-0\System.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f70-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\46c-0\SMDiagnostics.dll	mscorsvw.exe

Executes dropped EXE 2 IoCs

Processes:

FiddlerSetup.exeSetupHelper

pid process

4088 FiddlerSetup.exe
2220 SetupHelper

Loads dropped DLL 50 IoCs

Processes:

FiddlerSetup.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
4088	FiddlerSetup.exe
2640	mscorsvw.exe
3952	mscorsvw.exe
3880	mscorsvw.exe
4316	mscorsvw.exe
3880	mscorsvw.exe
5104	mscorsvw.exe
404	mscorsvw.exe
5104	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
1768	mscorsvw.exe
1912	mscorsvw.exe
2812	mscorsvw.exe
4624	mscorsvw.exe
4964	mscorsvw.exe
1912	mscorsvw.exe
932	mscorsvw.exe
2492	mscorsvw.exe
4384	mscorsvw.exe
2760	mscorsvw.exe
2328	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
4872	mscorsvw.exe
1152	mscorsvw.exe
1152	mscorsvw.exe
4384	mscorsvw.exe
652	mscorsvw.exe
4964	mscorsvw.exe
4964	mscorsvw.exe
1152	mscorsvw.exe
4964	mscorsvw.exe
1152	mscorsvw.exe
1368	mscorsvw.exe
2228	mscorsvw.exe
1368	mscorsvw.exe
2096	mscorsvw.exe
4384	mscorsvw.exe
4828	mscorsvw.exe
2984	mscorsvw.exe
2788	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe
1884	mscorsvw.exe
1912	mscorsvw.exe
1912	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

FiddlerSetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe

Modifies registry class 16 IoCs

Processes:

FiddlerSetup.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

FiddlerSetup.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4088	FiddlerSetup.exe
4088	FiddlerSetup.exe
1960	msedge.exe
1960	msedge.exe
1764	msedge.exe
1764	msedge.exe
908	identity_helper.exe
908	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
1764 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

1764 msedge.exe
1764 msedge.exe
1764 msedge.exe

pid	process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

pid	process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FiddlerSetup.exeFiddlerSetup.exemsedge.exe

description	pid	process	target process
PID 2424 wrote to memory of 4088	2424	FiddlerSetup.exe	FiddlerSetup.exe
PID 2424 wrote to memory of 4088	2424	FiddlerSetup.exe	FiddlerSetup.exe
PID 2424 wrote to memory of 4088	2424	FiddlerSetup.exe	FiddlerSetup.exe
PID 4088 wrote to memory of 2000	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 2000	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 2000	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 2564	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 2564	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 2564	4088	FiddlerSetup.exe	netsh.exe
PID 4088 wrote to memory of 520	4088	FiddlerSetup.exe	ngen.exe
PID 4088 wrote to memory of 520	4088	FiddlerSetup.exe	ngen.exe
PID 4088 wrote to memory of 1504	4088	FiddlerSetup.exe	ngen.exe
PID 4088 wrote to memory of 1504	4088	FiddlerSetup.exe	ngen.exe
PID 4088 wrote to memory of 2220	4088	FiddlerSetup.exe	SetupHelper
PID 4088 wrote to memory of 2220	4088	FiddlerSetup.exe	SetupHelper
PID 4088 wrote to memory of 1764	4088	FiddlerSetup.exe	msedge.exe
PID 4088 wrote to memory of 1764	4088	FiddlerSetup.exe	msedge.exe
PID 1764 wrote to memory of 3208	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 3208	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4716	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 1960	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 1960	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4620	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4620	1764	msedge.exe	msedge.exe
PID 1764 wrote to memory of 4620	1764	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
    3⤵
    - Modifies Windows Firewall
    PID:2000
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
    3⤵
    - Modifies Windows Firewall
    PID:2564
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
    3⤵
    PID:520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:1768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:1912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 25c -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      PID:4964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 28c -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 2bc -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2492
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 288 -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 294 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      PID:4384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 2e0 -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 25c -Pipe 2e4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 294 -Pipe 2d4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 298 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1152
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:652
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2f0 -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1368
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 2bc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2096
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2fc -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 300 -Pipe 2dc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 298 -Pipe 304 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:2984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 2f4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:2788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 2fc -Pipe 30c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1884
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 318 -Pipe 2c4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
    3⤵
    PID:1504
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:3484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2640
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2ac -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3880
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 184 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 2c8 -Pipe 184 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5104
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 2bc -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:404
- - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
    "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffb052d46f8,0x7ffb052d4708,0x7ffb052d4718
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
      4⤵
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:8
      4⤵
      PID:4620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
      4⤵
      PID:3764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
      4⤵
      PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      4⤵
      PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      4⤵
      PID:1780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:4440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
      4⤵
      PID:1568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7808b5460,0x7ff7808b5470,0x7ff7808b5480
        5⤵
        
        PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7945911484872026259,1471268468888885244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
7455d2ea99581e4763f057377099145f

SHA1
4f41638e8734290975ff16d1384797225e9ea13f

SHA256
8b68db80b1d26b9daf0f1312424f11b81e20e5c6048b663b85bf765fc6c161b8

SHA512
5a799b6c0396a136fa6b1e169c08f4016170d4e2ff22afb7ad2c3f569a219bc107ca965a142e505efd6407f0ca1075fa13a0614ef4e1ff79b6a8b7359e6f3c89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
06d89e0d5f29f3ebb44e610af7c3db92

SHA1
368722d4c59e54d3e3f12ab706e24162a4bb4610

SHA256
f372dbb62d2a109d6493b0d70ec0142c9ba5999275698ee625953f4df3becb2a

SHA512
fc735e312ddeb3298b01b4aa9c9d426ba9e150807b3039c682c8a0f836b1245b9c143875c71fb7918c42fa0963309aa0e2be62c978c1ac465b8a773f45b254f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1db53baf44edd6b1bc2b7576e2f01e12

SHA1
e35739fa87978775dcb3d8df5c8d2063631fa8df

SHA256
0d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48

SHA512
84f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7a0cfecbe8756996a9986547e5cdfd56

SHA1
9aa6c8d17fe44b5ad15136ab2b0e8668ad79d24c

SHA256
0f48753c35eeea047e29171adb5b60d5a43885efc4bb2fc4970c1bf664b99dbe

SHA512
2ac46ffd351dc5c43af890aeeda3ee4a853beebb5b51e9b2e5dca8cfaea6ee9c434242553c1c691d2e457dcd7978267dff78b7ffc73fa6f7bbba127a7c23c901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
5f29f96da8baa22c095218d5e5abba7c

SHA1
c8a4e9120153bb544550bb10f0aecd24a775c9d3

SHA256
7325d5fb28a665c7531eb77089e0906f7c0c1c46a526d27cbe0be943c939ef3f

SHA512
94acb3b5dc3d1499cf96fd539cda413eb4b9ec05735875c0f253baa4cf30a3aee27ced054ae861df2ff85ce43ff8ebc9b67e57ed71ba049452106c04ac00b6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581d09.TMP

Filesize
48B

MD5
1c2f0be95872cfcd2374d3c96995699f

SHA1
efdb6e6d716c8e06d6beff613fb7a220589ee444

SHA256
cc3e9db8e3084d15a1d7c913f6f52c1448a7a1557cb537e8947532052492e5e6

SHA512
59a46a9da8fb7b537731a8fe39a548b2186d9695255919fe232dd73d706e6f07a69d79dd423eb10953f5eab2eee7552f09edaea146bfa7d70aa39ea9aa12851a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
5a967922b9063635c8c95ce74f12a657

SHA1
88db9660f959c97c9585c3a3ca8a062c99160d4d

SHA256
b8871cd1d4ab90b473b3d9eb39d6aa7507cc51aabd53d75303d04c4b91021a5e

SHA512
1c419dd3065ae6b5c6010e7029ac169994d8f2040538fd94e6fb687e5e80d4d9795710faf017de94a84878e148f259dc854977da0ba4f373574710e22e00ce50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3f814c3e4548a5dd2434f05546b2ee32

SHA1
c34dcfbe7d5afee91289bee39577ee226092063f

SHA256
d44d5d98bb7fee643a6f3a6481b67cbfb21eb9079b9617fe3383fd3f09b6fb45

SHA512
21e84f5669ad6960c7ffde9e4c232ab30d5e5d90549d1c17c57d69787c1413f62c024ad4af1e183a45cd5b524e7656c05fbe5450de70c7ca94cb412f22ffe01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
0977115be10e8b196c0d24c529e497bb

SHA1
24b17bcf27af02862545a8130c3c8db51213a156

SHA256
7a704ff3a777ee295fd46bca6a30af6ae813279d88f0a692e340835741accbd1

SHA512
c3b2623f475e358b9df630c2a30c306dfd80d157dd3392eada75da0a83c1d05524021f082365ec18a9046c657615cced36739f25a8bd1d9d49374293fb553f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a61f660bc93445262d3362ae8e38cad

SHA1
e54ab2b5c1e2e7c5ee7c5e392cd2d153dd7f98a5

SHA256
36bb3f02e8582c2174c163236413d34bd5b57311c63c23783e3397ddfbfc7664

SHA512
09996157ee5b61723986371afde63f7bb95f1f4c502b86a6ebb7245aa7951b2695187969aa4243e0861230f28edc682c5ddcb8a33ea1ebd95f03db255ba5a5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7277b0cad11e5883db8b358e07941bff

SHA1
869b320dfe7b029318b7d8cf8f1f7c1178c86927

SHA256
d48ab83e10ef288865c7a87bc82796740f6cd6afd479588da95c98a293d532b7

SHA512
7b70cea48c9c2da03acc1e1d3b5bc7edbb75c54eac16fbcea326f44fd0aa82847501fc13c11f01da7bc9cf3b850815d319f19d402c320196bf14b7653b3432d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3d874cbf2372e29aa7bde5be5e1db4b3

SHA1
a9214d4e1ddfd7f4cbe8fc61f838f9f2a2f2f26f

SHA256
84c9c0c31f068bcdc2258102ef25547073b785cfedc7345f510de21dd6096000

SHA512
8f90c381382b2a95c3ba3fe941429cc70094c92e78668a54ac88ed3e030c14ee7c3ba8ee7f450533456fd1933663b4c300f265da972fc0493aa409cc17b9fe10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
250ecdd6ea90b9f6fc42a1b5d6dc4e27

SHA1
8debcb76dc584997af7a842fc253649066bdb38f

SHA256
5aed2ce51d3670a3b3af72b64734292625e654d008b685ef9abaf58360e9017e

SHA512
11e134ccf7f5749881605ff76cce23bcf594bdfee09330ad7114997c9969f7da7f1e1a77d5988b1b31e2fa119d859edfaca25e357e982e17266f79ee17235e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
90d066b828184f6db277b8c99367ee96

SHA1
26ba3e59e202a829ea71e27cc7651d4eb0eb68b9

SHA256
4ec2c1132f78c9744faa9736ab05facd422f77ba1d1947293489574260ff3b24

SHA512
07c48414882f94006d277d2aaeff4a3b4554613775a64495c1a159e993bb7ed27828c37b1ec5c24a0ba1d0d3b6e3f5604f9cb135b702a3edd74a5237dfbbf2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58655c.TMP

Filesize
2KB

MD5
61a2fc1348fe1e4f3167b6996cbcb3bc

SHA1
04ccee1dd3b9cb499030f11391975831f230b2ce

SHA256
ac148435a6f145816da477d1713be51bf2dfde13db720b492c02d18c0a1c8545

SHA512
31db36a0c8e262a7dc64c70f5c6bb0f2b7e32d653b65e6a475edd0187079704f73020e57e4da2e61d4476da4c505057c91d922c9a04a2c7e9230c8e6722aef62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
a1eb7848913e0efb12565ee69f328feb

SHA1
52b67e076a1ef915f82dc9fa4cd0598212f15512

SHA256
d401539bd69f551434700bec285be75d09ae44848065aefd4ac3f38e1bbc0575

SHA512
dcd4ed3f9f843f62ca24f8198ff692bd69e2d16254ad4130f192fd45e1dae78c4060025be82170aa16b3c46878ae814464de401bf7304613e8630ee76e27700d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
3444475c7aab9a7bee28f36e76b98160

SHA1
4bb0bdf2bba9858d57deef5737cbc388089db4d0

SHA256
2453d231e85b49529c9400ae00bdc5b70e7785f1515bd0722923f41f977b522a

SHA512
d4288063e3c8e3b0bcf74cb604b9eeb05cda4032fe7311c9133c33431d03546085d4239cd53b933b64d7e361c260932ce87d2f0098c2469d9ce5baab194e9de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ef2622c2-0839-4ce3-b42c-554be2b9bb77.tmp

Filesize
12KB

MD5
e3909ffe373232dab2ec79b087788e5c

SHA1
1bad53d6de96ebb9c2d64bd3a16bcf431007720f

SHA256
3d8c159d824b94828ef177392785c9145f5ad4d717b908a502d7fcc51e90ce00

SHA512
f95fd5c9c4f2595bcfc66a5fd90e626f6ffc00c6519b335723bbb74aaa211a3157eb500b6fdab807c69efbe8cae91b1d3fb60c0d7d75888eeea9ecb2909c3681

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
449KB

MD5
11bbdf80d756b3a877af483195c60619

SHA1
99aca4f325d559487abc51b0d2ebd4dca62c9462

SHA256
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1

SHA512
ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
95KB

MD5
5d16400084f534535c922180c562bd70

SHA1
20444c63a2e6ff17a1970f8af0744c0ccfdbb659

SHA256
0ccf6f4b2f6e89ddb50b3075fd6b604ef7c0d6b13ce377781d898dcd8f9c91d7

SHA512
b9dc50aac871ff81c54e000adb1de11c17aeea75fbc80afa5f025d1efe6c79acbfd05b5de6066f084ed0e26d4287c354984195e7aa134545846d371f84063bd0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
1.5MB

MD5
a5b8c0f51898e9d55e4b3aa7904adf32

SHA1
5eaff276409670f3e8ce4cbb17086f1362d18868

SHA256
5e3006a575d4acce2e5e3cec684d7e9a1fbc3efbb73f06f5c4604faebf014ad3

SHA512
6abf01f09c8c6e430118de27322f4d67bf25018633544556630c47bfa9adc2c1fd186c94119a0b9be6c2d8dead9bbb46a8b1185fe02da2085601b0e9613ad427

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
252B

MD5
38a7379a4b36fc661c69a3e299373a05

SHA1
1b0de45ad7fe759499c57cc1aa9c1da441d9167a

SHA256
70107440ed3e5ce934b947a85669a963ed0370d1d34c27e8f3bd2a8f5f670342

SHA512
5c91d3ebae7a1d0fc068303632cdd7f789bfc3f5158c338d253ef0ba584bde2346e86287dd56f8dd266494ecf1307fb091e548b5cb795a80e5969f09f7507f02

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
31KB

MD5
45a29924b29cd5881da857104c5554fe

SHA1
75716bfcb46aa02adc1e74369ec60f1c27e309b9

SHA256
b31d4c6a86bad9eaffaa543476261aaa95705fffaaf367a6ab67133c6af5fcfe

SHA512
0ee65dc21bfb5be949a8d96f0d5c04dba70c83988ddf460e9ce18e32eeb27fcb350e85b1ed5951ec2b5b2ad6506fa117fbe5495eabf58756fc66111f52b1b631

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
31KB

MD5
45a29924b29cd5881da857104c5554fe

SHA1
75716bfcb46aa02adc1e74369ec60f1c27e309b9

SHA256
b31d4c6a86bad9eaffaa543476261aaa95705fffaaf367a6ab67133c6af5fcfe

SHA512
0ee65dc21bfb5be949a8d96f0d5c04dba70c83988ddf460e9ce18e32eeb27fcb350e85b1ed5951ec2b5b2ad6506fa117fbe5495eabf58756fc66111f52b1b631

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst9179.tmp\System.dll

Filesize
11KB

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe

Filesize
3.2MB

MD5
092879b4ec0b7a59be6273035da99e27

SHA1
282f2602469017d4d8401e84e248a6c138b7de97

SHA256
87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

SHA512
dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\FiddlerSetup.exe

Filesize
3.2MB

MD5
092879b4ec0b7a59be6273035da99e27

SHA1
282f2602469017d4d8401e84e248a6c138b7de97

SHA256
87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

SHA512
dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
80a7fd8bc954845b817721c2c39f5067

SHA1
ba221d812652e402c12f050c7fbf8c50c057f743

SHA256
7338a0233e6b0a21367f922367b52a145e1b1c05b1272e4c9148b4d7bff35a1f

SHA512
f158df2f4ef42446c8a55a1f7cb13c2d0466e80254276893a23e869c5a86d862c3675a020cd66d903716b577f726cfdf4f25a3bb4cb74d9526b84ae3414bc135

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
73004d0cf478ed4195cca3f964714025

SHA1
63e5ed8d7dd022e394838e78f29e24108d92b093

SHA256
9de45c902f8b9641cba373a4ed549065e4bd7437d58b9106dea90faec89e8896

SHA512
6fa50e647bd059ff8c9894f58d729151626ed8c41b007b8f1189316b6af997114198aec7c1a56bd9f980f36f4c87d71d9f47410f9a01027d4747568cdd26e1cf

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\9422cdf8836e5af7e68e6c7719083b46\Analytics.ni.dll

Filesize
153KB

MD5
c20e3fe00cf0f4e09294751a67dc50d8

SHA1
14ed469f18dfaa6832c6b82ccaf69c5af198fa12

SHA256
37553c2197d007b659be700cfd9df1900a245ec41bc5b31d5aee4e0593598b8d

SHA512
10202cb440a7644aa1793c95207dab1c03fb5784fea676223882b33231de0cbebccc4c8be11936667569bee2d14e84c4c9d6d8557a413f63353f45f4bc431ce0

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\b3a383423b05afda73d5befea52df23f\DotNetZip.ni.dll

Filesize
1.0MB

MD5
c558f7c1f309e967a9219a4ff654b757

SHA1
cc8e02f557d8c7392cd2d0e2bbd3c2e4c857ed4b

SHA256
0dad05610e5ce4b2ce98304b248d4bdc96ad4e62a59169d9f7841f9d70e0e1dd

SHA512
31afaa54cf2054dd5babad5a320a349ea551ca8527c950557ad030d4d9bcef5ec1b66ffa6e7c902c7ba745dd4a55cfc877cb5fa3924c49a416533a4aa91616b7

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\147ecaf76a082c0dd04c1e2ae632921d\EnableLoopback.ni.exe

Filesize
161KB

MD5
24c44053061c2b04cf46e53efe53b3da

SHA1
8b9fe480172218a18619deac74d90368bb74caa1

SHA256
4fc4f26e6aac03d47eb59272697fab439c360dc3725d425f00690898ba620bab

SHA512
5e44722444cd4bb9598c7b703ddef1a469a93f6d5a6f112675a745a121d49a08a7fa508b21356efb709581d5bdf13fdec516e8f58fa518a59ba90d4968c2ae17

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Fiddler\0246347168440311f67418ce72a25f0e\Fiddler.ni.exe

Filesize
4.8MB

MD5
c5b289224745e363002c192ef7f362c7

SHA1
e61811b056a4574dc1f729cbeda472ef458f5488

SHA256
68d274018038d4a68f3d28a2c04e09ce2ef211daf38167ef54ff971ddd0d8285

SHA512
ca79e68c3d96c888c3928251f05ea551e995375c19ea8b99d3bafe84a018ddecbcddd58f197a8918389c3c438b6ea24e280618649143232f411a31b81687bc37

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\581f591747009a39a799777655cec912\GA.Analytics.Monitor.ni.dll

Filesize
162KB

MD5
8a9d553a6470411d97b80dd5919b08ca

SHA1
e09a602029024b2ad39bcb5aac181308511f7fcc

SHA256
86ba3a5e754066a01231de83e669cdfd92c18d62c1cec34a3c4fe6dad2adb077

SHA512
61f6faeac2b6ce347310ae27b950beb78c905a930bc395dd19fcde506903b102c4e84b7ada333c2a1a9bdfe5f1d0e508b9f5879559b5a100e58de552f185be4e

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\7e76b1fb4198734d8af8f5d806b99864\SMDiagnostics.ni.dll

Filesize
142KB

MD5
ee791496cf3d4d9c47e410faf2ce6513

SHA1
db05319fee5f2ee451701ac7059caf52a1780b8a

SHA256
7725443ac7cb92308a71c71ab91218abdf2393d96ada57a56a53a03312fd4011

SHA512
19e12c301a514e291a779b2e054a71d20350cabbf468b1a4c1c26eded36053c5dcc373db758bc2d283aa4fa4e5a5406e9c892bb208be3d8c2eaef8c0d724fabb

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\d5ea54b023997de3a48807f3b15ff588\System.ComponentModel.Composition.ni.dll

Filesize
1.4MB

MD5
8e42a7675e2ce9730f36ee1e1b71c21c

SHA1
900a3986c0f3edd6fe726b57b8dadf4a6d204b57

SHA256
abeb92db614b2750084b361dce3169b72c314538e897255017b847f618bf2283

SHA512
21a0c5e0d9ee1088db62cda1ea971f9cd86064911a901924ecc0850c357c23852e08bb3d76c8e66974e45244910f566ceb6591a73862aaba4d46323201b5d40c

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll

Filesize
993KB

MD5
f9746e198135ad1434e8a4d7a61011d7

SHA1
380246326d619f4ab314dd5166630909633b6e71

SHA256
be1475efa60535392e503a89eee5f1f4eea59f9ea577505e81bbee89e7d05d77

SHA512
ba91cb2ddfc0f416444761e74580633a86453a7814d3b3c2dd81d61e4b2d24a8dee916a9870bc297aa4a3be7e03ccd3d3570908afc724548ac01314e7e5a5cea

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll

Filesize
993KB

MD5
f9746e198135ad1434e8a4d7a61011d7

SHA1
380246326d619f4ab314dd5166630909633b6e71

SHA256
be1475efa60535392e503a89eee5f1f4eea59f9ea577505e81bbee89e7d05d77

SHA512
ba91cb2ddfc0f416444761e74580633a86453a7814d3b3c2dd81d61e4b2d24a8dee916a9870bc297aa4a3be7e03ccd3d3570908afc724548ac01314e7e5a5cea

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux

Filesize
1KB

MD5
b1edfb0f90275e57d81bd749c5b36420

SHA1
b4be8552e2860fe1f29538fe33d3148eca9ce990

SHA256
125d12e8845191be13b0ba398c4e846f74ed90133c9c019818c58c3191e0a5c2

SHA512
4cb16ecf733a4d8ca6fc221517c36cf8093a8a79dc34998f5e1a3b40c587533f9a4bf0396b0dbf2a9e9ffcdc4fea7e8973583bd63ae67d08f3fb6836c84687eb

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll

Filesize
979KB

MD5
f867096b7d349af76728412feb1885af

SHA1
14d2cd438c2704e480c4d793fae6f9c4eee1ead9

SHA256
981aa78b0eeed437e94f2be357f2816919631277b6ac4593729d1a81d776fd7a

SHA512
a419df8204b029c0a2e0a7c547f2b7ee73dc7ad3aea91c490592a5e127986232c755fe83941fece13705ffc9723e084d3ef92692d6493f4028d88f5836d6edef

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll

Filesize
979KB

MD5
f867096b7d349af76728412feb1885af

SHA1
14d2cd438c2704e480c4d793fae6f9c4eee1ead9

SHA256
981aa78b0eeed437e94f2be357f2816919631277b6ac4593729d1a81d776fd7a

SHA512
a419df8204b029c0a2e0a7c547f2b7ee73dc7ad3aea91c490592a5e127986232c755fe83941fece13705ffc9723e084d3ef92692d6493f4028d88f5836d6edef

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll

Filesize
979KB

MD5
f867096b7d349af76728412feb1885af

SHA1
14d2cd438c2704e480c4d793fae6f9c4eee1ead9

SHA256
981aa78b0eeed437e94f2be357f2816919631277b6ac4593729d1a81d776fd7a

SHA512
a419df8204b029c0a2e0a7c547f2b7ee73dc7ad3aea91c490592a5e127986232c755fe83941fece13705ffc9723e084d3ef92692d6493f4028d88f5836d6edef

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll.aux

Filesize
592B

MD5
4d66b5a16886059c72f02695373b73fd

SHA1
67d9d961352b044ad141d3682154b61ef33a7a58

SHA256
865dabb09f0de89a3658227b2e16d285dc7338d2acab99d46963918d9b9667d2

SHA512
59da03ccc4be8351a22c4db76613f0ee9a268d4a22bfe8a88ba520d1173d3236d9a658a285e6496d9b778b1bfe2d97b77a3d18942963acc07b4a3bc4f254df91

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\a58ff39c1803c8009577b8aa07f4401d\Telerik.NetworkConnections.ni.dll

Filesize
95KB

MD5
06c752fe567dd4366682cc47557ed4d3

SHA1
74c1f82a91fdd31c4892c5fcd62a0cbb5c4a91f3

SHA256
0353e43cee872188975775c1e2314fc5178febef54ac5b5a5561c6b6ce075d4a

SHA512
e60fb625ab1000eea1eea8bd8527e50e7c739d062f52b1513e057233ddfae0e0980dc1813b375731eec9b67002eeb83bcda567744dbf39531d7604fd83a65f2c

Download Submit
\??\pipe\LOCAL\crashpad_1764_GTVOTYZUKLQPHUPK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-409-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/1768-469-0x0000024BA4CC0000-0x0000024BA4CCC000-memory.dmp

Filesize
48KB

Download
memory/1768-564-0x0000024BBED30000-0x0000024BBED6C000-memory.dmp

Filesize
240KB

Download
memory/1768-566-0x0000024BBE8B0000-0x0000024BBE8CE000-memory.dmp

Filesize
120KB

Download
memory/1768-512-0x0000024BA4CE0000-0x0000024BA4CF0000-memory.dmp

Filesize
64KB

Download
memory/1768-497-0x0000024BBF3C0000-0x0000024BBF8E8000-memory.dmp

Filesize
5.2MB

Download
memory/1768-481-0x0000024BBEDE0000-0x0000024BBEE88000-memory.dmp

Filesize
672KB

Download
memory/1768-479-0x0000024BA4CD0000-0x0000024BA4CDC000-memory.dmp

Filesize
48KB

Download
memory/1768-567-0x0000024BBEE90000-0x0000024BBEECA000-memory.dmp

Filesize
232KB

Download
memory/1768-470-0x0000024BBE900000-0x0000024BBE94A000-memory.dmp

Filesize
296KB

Download
memory/1768-565-0x0000024BA5280000-0x0000024BA5292000-memory.dmp

Filesize
72KB

Download
memory/1768-467-0x0000024BBECB0000-0x0000024BBED26000-memory.dmp

Filesize
472KB

Download
memory/1768-600-0x0000024BBF090000-0x0000024BBF1B2000-memory.dmp

Filesize
1.1MB

Download
memory/1768-463-0x0000024BBE970000-0x0000024BBEA2A000-memory.dmp

Filesize
744KB

Download
memory/1768-456-0x0000024BBEA30000-0x0000024BBEBAE000-memory.dmp

Filesize
1.5MB

Download
memory/1768-595-0x0000024BBED90000-0x0000024BBEDAA000-memory.dmp

Filesize
104KB

Download
memory/1768-573-0x0000024BBE8D0000-0x0000024BBE8EC000-memory.dmp

Filesize
112KB

Download
memory/1768-594-0x0000024BBEF10000-0x0000024BBEF54000-memory.dmp

Filesize
272KB

Download
memory/1768-604-0x0000024BBEDB0000-0x0000024BBEDD0000-memory.dmp

Filesize
128KB

Download
memory/1768-579-0x0000024BBEED0000-0x0000024BBEF02000-memory.dmp

Filesize
200KB

Download
memory/1768-576-0x0000024BBED70000-0x0000024BBED90000-memory.dmp

Filesize
128KB

Download
memory/1768-575-0x0000024BBE950000-0x0000024BBE962000-memory.dmp

Filesize
72KB

Download
memory/1768-574-0x0000024BBF8F0000-0x0000024BBFDBC000-memory.dmp

Filesize
4.8MB

Download
memory/2220-237-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2640-334-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/2812-643-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/3484-331-0x000001B337080000-0x000001B3370A2000-memory.dmp

Filesize
136KB

Download
memory/3484-333-0x000001B3370B0000-0x000001B3370D2000-memory.dmp

Filesize
136KB

Download
memory/3484-332-0x000001B3373A0000-0x000001B337452000-memory.dmp

Filesize
712KB

Download
memory/3484-330-0x000001B337210000-0x000001B337396000-memory.dmp

Filesize
1.5MB

Download
memory/3484-329-0x000001B336F30000-0x000001B336F80000-memory.dmp

Filesize
320KB

Download
memory/3484-328-0x000001B31C470000-0x000001B31C488000-memory.dmp

Filesize
96KB

Download
memory/3880-387-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/3952-336-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/4316-373-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/4624-708-0x00000644A0000000-0x00000644A0103000-memory.dmp

Filesize
1.0MB

Download
memory/5104-411-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download