Analysis
max time kernel: 779s
max time network: 660s
platform: windows10-1703_x64
resource: win10-20231020-en
resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-12-2023 23:47
General
Target: SaturnX-F2.exe
Size: 2.9MB
MD5: 406377b13d97be6601b006bd542ebed7
SHA1: 65a9cc706a89c0d0bd832ed0af5cb2b06826711c
SHA256: 2ab087bb4ed0cd582d516182549de9755c5972a8955cddaa95675e93610cb993
SHA512: 02c0143c6a8da45325dc3b912ae9b517d6007d55af6da9f35638bd9160693a8ec7d4b7794728d32eea93d42d8a0857f1d475489bd1e1daefb98639b0ea5bef84
SSDEEP: 49152:gxlRxlWfZ628CpyVEiUa5z8QE2j8e4go6oQhZsukz:gPRPWfM27b7e4go6xhZsD
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/360-5-0x000001E0B1BB0000-0x000001E0B1DC4000-memory.dmp | family_agenttesla
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
SaturnX-F2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | SaturnX-F2.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
SaturnX-F2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | SaturnX-F2.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
Processes:
netsh.exe, netsh.exe, netsh.exe, netsh.exe
pid | process
368 | netsh.exe
488 | netsh.exe
5764 | netsh.exe
3344 | netsh.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
SaturnX-F2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SaturnX-F2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SaturnX-F2.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
FiddlerSetup.exe, EnableLoopback.exe, FiddlerSetup.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Control Panel\International\Geo\Nation | FiddlerSetup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Control Panel\International\Geo\Nation | EnableLoopback.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Control Panel\International\Geo\Nation | FiddlerSetup.exe
Executes dropped EXE 8 IoCs
Processes:
FiddlerSetup.exe, FiddlerSetup.exe, mscorsvw.exe, FiddlerSetup.exe, FiddlerSetup.exe, SetupHelper, Fiddler.exe, EnableLoopback.exe
pid | process
4876 | FiddlerSetup.exe
4220 | FiddlerSetup.exe
3480 | mscorsvw.exe
5928 | FiddlerSetup.exe
2168 | FiddlerSetup.exe
1280 | SetupHelper
3496 | Fiddler.exe
5496 | EnableLoopback.exe
Loads dropped DLL 64 IoCs
Processes:
FiddlerSetup.exe, mscorsvw.exe, SetupHelper
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/360-0-0x000001E097070000-0x000001E097368000-memory.dmp | agile_net
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
SaturnX-F2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SaturnX-F2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | SaturnX-F2.exe
Drops file in Windows directory 64 IoCs
Processes:
mscorsvw.exe, EnableLoopback.exe, MicrosoftEdge.exe, SetupHelper, MicrosoftEdgeCP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 9 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\FiddlerSetup.-lFQNNgB.exe.part | nsis_installer_2
C:\Users\Admin\Downloads\FiddlerSetup.exe | nsis_installer_1
C:\Users\Admin\Downloads\FiddlerSetup.exe | nsis_installer_2
C:\Users\Admin\Downloads\FiddlerSetup.exe | nsis_installer_1
C:\Users\Admin\Downloads\FiddlerSetup.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe | nsis_installer_2
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exe, firefox.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
SaturnX-F2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SaturnX-F2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SaturnX-F2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | SaturnX-F2.exe
Processes:
FiddlerSetup.exe, MicrosoftEdgeCP.exe, FiddlerSetup.exe, browser_broker.exe, browser_broker.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0" | FiddlerSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999" | FiddlerSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999" | FiddlerSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | FiddlerSetup.exe
Key created | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | FiddlerSetup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2508097367-364665605-1201309312-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0" | FiddlerSetup.exe
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exe, MicrosoftEdge.exe, FiddlerSetup.exe
Processes:
Fiddler.exe description ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob Fiddler.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob Fiddler.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Fiddler.exe -
NTFS ADS 1 IoCs
Processes:
firefox.exedescription ioc process File created C:\Users\Admin\Downloads\FiddlerSetup.exe:Zone.Identifier firefox.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
SaturnX-F2.exeFiddler.exepid process 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 360 SaturnX-F2.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe 3496 Fiddler.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
MicrosoftEdgeCP.exepid process 5304 MicrosoftEdgeCP.exe 5304 MicrosoftEdgeCP.exe 5304 MicrosoftEdgeCP.exe 5304 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
SaturnX-F2.exefirefox.exeFiddlerSetup.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeFiddler.exedescription pid process Token: SeDebugPrivilege 360 SaturnX-F2.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4220 FiddlerSetup.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 4456 firefox.exe Token: SeDebugPrivilege 1224 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1224 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1224 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1224 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3084 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3084 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5480 MicrosoftEdge.exe Token: SeDebugPrivilege 5480 MicrosoftEdge.exe Token: SeDebugPrivilege 3496 Fiddler.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
firefox.exepid process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
firefox.exepid process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe -
Suspicious use of SetWindowsHookEx 22 IoCs
Processes:
firefox.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeFiddler.exepid process 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 4456 firefox.exe 5480 MicrosoftEdge.exe 5304 MicrosoftEdgeCP.exe 1224 MicrosoftEdgeCP.exe 5304 MicrosoftEdgeCP.exe 5520 MicrosoftEdge.exe 5948 MicrosoftEdgeCP.exe 5948 MicrosoftEdgeCP.exe 3496 Fiddler.exe 3496 Fiddler.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exefirefox.exedescription pid process target process PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 5056 wrote to memory of 4456 5056 firefox.exe firefox.exe PID 4456 wrote to memory of 3192 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3192 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote 
to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 3140 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 4476 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 4476 4456 firefox.exe firefox.exe PID 4456 wrote to memory of 
4476 4456 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SaturnX-F2.exe"C:\Users\Admin\AppData\Local\Temp\SaturnX-F2.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.0.1975428841\734394681" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a50831b-c913-4a27-83b4-edd1baa0312c} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 1764 17efefd9858 gpu3⤵PID:3192
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.1.1460511519\1830964622" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17e8d325-62d5-47fd-ba53-8407d49398e5} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2120 17efeb31558 socket3⤵
- Checks processor information in registry
PID:3140 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.2.695906429\1137916760" -childID 1 -isForBrowser -prefsHandle 2612 -prefMapHandle 2704 -prefsLen 21120 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e15d7ff-c9ac-470a-8e91-6a9b235900e3} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2756 17e8ace0258 tab3⤵PID:4476
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.3.2146706675\1599007899" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4fc567a-8155-431d-8607-85630bb6a4dd} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 3608 17e8baaae58 tab3⤵PID:2192
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.4.1208261459\1953306594" -childID 3 -isForBrowser -prefsHandle 3788 -prefMapHandle 3796 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f02200-1f2c-4207-a478-3f7fa27804d7} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 3812 17e8bcc6558 tab3⤵PID:1852
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.6.861638685\301705045" -childID 5 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3544ed4-d1e4-4e5e-a554-1e107982fe44} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4984 17e8d115458 tab3⤵PID:3924
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.5.139755040\1574844371" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e65d9dd-fcad-4e99-80c1-4ecd282f9a39} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4840 17e8cd4cd58 tab3⤵PID:2312
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.7.855887514\1828840573" -childID 6 -isForBrowser -prefsHandle 4696 -prefMapHandle 4960 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60c6f9c2-e4d9-48c6-b642-64ab383422b8} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4708 17e8d117b58 tab3⤵PID:3256
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.8.863615972\1961278624" -childID 7 -isForBrowser -prefsHandle 5648 -prefMapHandle 5604 -prefsLen 26699 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8d2348-bb8b-4b19-a403-2523d5aa8351} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 5656 17e8ecfd258 tab3⤵PID:4276
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.9.1702702474\1206499335" -parentBuildID 20221007134813 -prefsHandle 2584 -prefMapHandle 2648 -prefsLen 27139 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {946d0f6a-9ee3-4418-91c8-7933047e8d0f} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 5508 17e8ef1a858 rdd3⤵PID:200
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.10.1495155269\511975659" -childID 8 -isForBrowser -prefsHandle 3516 -prefMapHandle 4456 -prefsLen 27139 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a37b7234-8688-44d9-87e2-c8334f88cc4c} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2800 17e8f015558 tab3⤵PID:4176
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.11.1240339737\2040481257" -childID 9 -isForBrowser -prefsHandle 6016 -prefMapHandle 2960 -prefsLen 27139 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fa35a83-bc01-4bbc-9169-5fd73c30465a} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 2800 17e8d114b58 tab3⤵PID:1412
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.12.2055245483\1064772544" -childID 10 -isForBrowser -prefsHandle 4840 -prefMapHandle 4844 -prefsLen 27139 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb30c498-47d9-4589-9d8c-57edf6e378c7} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 4004 17e8f688558 tab3⤵PID:3308
-
C:\Users\Admin\Downloads\FiddlerSetup.exe"C:\Users\Admin\Downloads\FiddlerSetup.exe"3⤵
- Executes dropped EXE
PID:4876 -
C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\nsbB7CE.tmp\FiddlerSetup.exe" /D=4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4220 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"5⤵
- Modifies Windows Firewall
PID:368 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"5⤵
- Modifies Windows Firewall
PID:488 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"5⤵PID:4612
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
PID:5220 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 218 -Pipe 22c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:6076 -
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"5⤵PID:3480
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"5⤵PID:816
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 0 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"6⤵PID:3036
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 210 -Pipe 224 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5952 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 0 -NGENProcess 23c -Pipe 228 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5976 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 238 -Pipe 210 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4600 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 23c -Pipe 290 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5472 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 19c -Pipe 270 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5696 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 248 -Pipe 23c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3552 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 28c -Pipe 240 -Comment "NGen Worker Process"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:3480 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 294 -Pipe 248 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5592 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 214 -Pipe 264 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:6136 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5228 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 270 -Pipe 22c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3336 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 214 -Pipe 26c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5648 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 274 -Pipe 23c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5164 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 294 -Pipe 270 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4848 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 2a4 -Pipe 288 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3788 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 27c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5704 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 298 -Pipe 278 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5240 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 19c -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5804 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 274 -Pipe 2b4 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4172 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 240 -Pipe 2a4 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3036 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2b0 -Pipe 2c0 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4884 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2a0 -Pipe 274 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:6092 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 13c -Pipe 2cc -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5604 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2b0 -Pipe 29c -Comment "NGen Worker Process"6⤵PID:1280
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 13c -InterruptEvent 0 -NGENProcess 2b0 -Pipe 2dc -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
PID:4800 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2b0 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
PID:3164 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2d4 -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3172 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"6⤵
- Loads dropped DLL
PID:3584 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4456.13.270524229\1445923933" -childID 11 -isForBrowser -prefsHandle 9356 -prefMapHandle 9368 -prefsLen 27315 -prefMapSize 232675 -jsInitHandle 1296 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe64c2c0-07ca-424c-85de-9b9623f760f8} 4456 "\\.\pipe\gecko-crash-server-pipe.4456" 9352 17e906cdb58 tab3⤵PID:4060
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:5556
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5480
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5304
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1224
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5256
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:912
-
C:\Users\Admin\Downloads\FiddlerSetup.exe"C:\Users\Admin\Downloads\FiddlerSetup.exe"1⤵
- Executes dropped EXE
PID:5928 -
C:\Users\Admin\AppData\Local\Temp\nsvE5EE.tmp\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\nsvE5EE.tmp\FiddlerSetup.exe" /D=2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"3⤵
- Modifies Windows Firewall
PID:5764 -
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1280 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"3⤵PID:5284
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"4⤵
- Loads dropped DLL
PID:5992 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"3⤵PID:4624
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"4⤵
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"3⤵
- Modifies Windows Firewall
PID:3344
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5520
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4820
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5948
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5200
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3496 -
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:5496
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3996
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry: 2
- Subvert Trust Controls: 1
- Install Root Certificate: 1
- Virtualization/Sandbox Evasion: 2
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\activity-stream.discovery_stream.json.tmp
Filesize22KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\cache2\entries\576AF26366088B1183AEC73E48ABFAF3762F25E4
Filesize40KB
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\d25hmlvg.default-release\cache2\entries\CDEE44BF5302375DF227D1D6924ADCC670EFCA54
Filesize195KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D6T0XM8I\Metric-Medium[1].woff2
Filesize31KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WZK5EV58\Metric-Light[1].woff2
Filesize33KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WZK5EV58\Metric-Regular[1].woff2
Filesize33KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WZK5EV58\Metric-Semibold[1].woff2
Filesize34KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize512KB
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize8KB
-
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20211.51073\user.config
Filesize966B
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize17KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize17KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize17KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore-backups\recovery.jsonlz4
Filesize16KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\sessionstore.jsonlz4
Filesize15KB
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d25hmlvg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize176KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize3.0MB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll.aux
Filesize708B
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll
Filesize972KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll.aux
Filesize1KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll
Filesize307KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll.aux
Filesize300B
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize337KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux
Filesize644B
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll
Filesize960KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll.aux
Filesize912B
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\System.ServiceModel.Internals.ni.dll
Filesize967KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\System.ServiceModel.Internals.ni.dll.aux
Filesize592B
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\d56e83822b7799e202533e1b84b3c134\System.Web.RegularExpressions.ni.dll
Filesize283KB
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\d56e83822b7799e202533e1b84b3c134\System.Web.RegularExpressions.ni.dll.aux
Filesize432B
-
\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\d756563aa7cd4e9c00502605394ea611\Analytics.ni.dll
Filesize148KB
-
\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll
Filesize1013KB
-
\Windows\assembly\NativeImages_v4.0.30319_64\Fiddler\9bceff61f42640de809b19116b58c90e\Fiddler.ni.exe
Filesize4.7MB
MD52e5e7001ac04e3a5f7e5d9efec5a1ede
SHA142675c88e7c7a8707415ada873d63f1ff6c22323
SHA256beceb37a23669c867bbeecf60ad36548b51a38e29712b0e3d01566c0a496b781
SHA5122d16c47e81c08b3cac6fb611f78c6a42c0694b80cad89e41ef04d5f8ff90e6f7d2d718545848faaac556ca59e62c53e678fc4fe515f2705f5e0567751786fc7e
-
\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\3bf155f5fe5c3c876614c4d82313933c\GA.Analytics.Monitor.ni.dll
Filesize158KB
MD5188e0e27618fc054e447005da14b39e6
SHA1fa53f294d3f2d484b513f17ca5d21b33a52e2500
SHA2567602634749732ab0411aebe3b5789b736c8e68d07688dd22d83f29b6e86675c9
SHA512717e160dec70f5d647e6152ed1ce8ed1e4d64118cd68ffaa091264d8a7b947175261552a9171ebf4ddc7fe0096608a9a4f5d1b24857d1c8eb5d750b2e085670c
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll
Filesize546KB
MD575de4db178e3310ebf8bfa83a003b8e2
SHA1c0d05985fb9e28ede26b00143d939839cb0e3ae6
SHA256304ae94177bcd5f8659eb5a232676c2a9857dc495c273fce2e2e65fab4ae4eb6
SHA5124310161d72d60ef55a5ca6601bf4f5773518a9fcbeab4fda60afc18b334a1fbded3a5426795ed3587b5c51e2f6fc39176014a75e75aca2d3cfafc8a19d85b983
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll
Filesize2.7MB
MD5d1d5dd7761a0e2c31c2baeeb4442a6ba
SHA1c681dca866baa02e7840bffdbcff349da69ba25c
SHA25684676accc10df0f610772b5d447b058a9fd3c4d399cddc01ef6510d9832915f1
SHA51259891b98e42635c056debe5fdd373b3d31ef1731c653c7df179c0db8544c6bfc6e4899d62a3068b76a652e71899b285e1757260ccaa805658e1e77e00cb9b263
-
\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll
Filesize3.7MB
MD503eabadb3e9fe0a8566ce36fde2ed959
SHA1c0da077a84d61426c6de7d27b5bd3d5beb034352
SHA2562467069bdc725532c792ab7f026bbafbbdbbd311d5ba83c502cc35a044b90860
SHA512b60a5ac1f0b062ba3319ba93171f2d150a536fa4ce37bc7061a76949ca98c5ee08dc342f232bf47b36753c4046c23828fea8560b083778f175d5303906c9bc82
-
\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\c7d01590f25b87c1d82c1b48e56d5865\SMDiagnostics.ni.dll
Filesize146KB
MD53a58323549cfa56e6adc67c49e23df3a
SHA12836bee70901ab28058f51c5564e22513645b7a7
SHA2563ac9cf3eee053c92901ff1b24e1a866c17935f72c54571f36e9cd4bede01bf1c
SHA512bd9d658137753f0966d8cb53675c7faff3089f989e5a074df7999f3cbd56222646193b603672cdcf62cbee94ee7e67c074e545c95b4fd46ce47bf34f879bacac
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Comp46f2b404#\64b3b0b1aba5ca1918056740cd4dd1f3\System.ComponentModel.DataAnnotations.ni.dll
Filesize343KB
MD52ed1f6932c5183ded8fe4b2cbac31679
SHA152109cc1722564f70fbfe9faa393d3d34eb03659
SHA256df407336974517003e2869adc7696d0c75d2497f1105cbb105d49fa5b8ac11c3
SHA512d1c491c661545dd95d260fb57b2e8be4e31400040afd5c979b2f1e33e749b879cb60c43ad9e0b62c5d121576235bf8dcce172d88413047a658a5cc79a64e5513
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\dee98e5b0e1a766ada50708c26bad1aa\System.ComponentModel.Composition.ni.dll
Filesize1.3MB
MD5146a01a7f6ff0034d34697d9787785ca
SHA1b1c4bcb0b3c5cd8d1777c794492ceaf133506204
SHA256f681e4a24d7c1844aba2b7388a73c0224c9e57e89ee30af9e0a829fad06f3104
SHA512e14fae2ebce62de00cd6f25456118e9faa4eec14c222fe14988cf9cbf962b5f0628f6a77f8ce44d4e976779bffb11de8e935259bdd4b6c5bdbc4c635653e7f9e
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize3.0MB
MD50bdbc8f0fb2097d58e463ab73f8c44d8
SHA1c159252064305d27d4b6dfbfdbdc233ac331a453
SHA2566cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a
SHA51291afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize3.0MB
MD50bdbc8f0fb2097d58e463ab73f8c44d8
SHA1c159252064305d27d4b6dfbfdbdc233ac331a453
SHA2566cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a
SHA51291afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll
Filesize3.0MB
MD50bdbc8f0fb2097d58e463ab73f8c44d8
SHA1c159252064305d27d4b6dfbfdbdc233ac331a453
SHA2566cf016fbbee0fd57d6c44b81d913d8206fb7262413d9d15f7c62e7dfe5d5147a
SHA51291afc6b85cbff3fbf4688c117effb8faa1268a2c16e29176a51807204529b40607cda3d6b5a83583a908c791c96073610fe7640f6a934578cc126b560f5d4803
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\98a4068512ff6a2566204bc1e759b0be\System.Data.OracleClient.ni.dll
Filesize1.3MB
MD5ab58a8f6f62be042ba2501751254ad21
SHA1828b41deb857a2977e8bcee6ac7748ed46a9ecda
SHA256f1da1b1b8d95a3294e7753908ae927d1280176b2e009337d146f6649192965c3
SHA51219be8c93d52dfbd5f6d4c8a370d5869b783d9d5a6ce1f066860ad7c8f0c5fd34464bd6c82bcffc29d83286ed4ff3730d0c51650aebf73094a62ca7ad2fa6e1da
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\52c68307282a248618376df5db7f9cce\System.Deployment.ni.dll
Filesize2.2MB
MD5ccdd9605e7bb07b8b0b3b19d8e938615
SHA149c99a4dba7ea3b3fcd49afc124cb81b14f4cd84
SHA2566a90f268b1848ab002406a929e0c8868838370ccfb4fd747c0b213d62da93572
SHA512dfed841d9b210e9d8eed60c79f1f9ea513b0fe5b00c10002baf3f81ee686c52ea3bf39c612ba69fc1b747c37bba3de25b645f702cc4329f149a28ac036d8bc8b
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\e54657ea70d60e1ad13dc5f818f32e90\System.Design.ni.dll
Filesize12.0MB
MD590850f355510bac4d8e8f60054c077ba
SHA10b502683c0a49878715a5aa0cfb8a67e1852abea
SHA256993960a4b0a46a7422250b75a91cfb2291d8c4dc8704a6513dd29d91d69042df
SHA512b9c83dbe5a2791ba2308651ef1e3af98a8d1ae2ff631e682f6333a6683f13b7f601182729ad62759a982da4edc68cb0dcf9988bf23414df7cfdc623dd1b69299
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire5d62f0a2#\74935b58bfe4054a47e71f128e498aba\System.DirectoryServices.Protocols.ni.dll
Filesize534KB
MD5e9271a4f94bbe932b905106b69e07d98
SHA1d00da1aabe9540ed33f69ff2d6e32a3a791750d2
SHA256a6213350d678a9906e0175514b5fb450d4eea5f6fcfaf2134a11e2d57d968460
SHA5121765ec1773009aa81c1f699d733a2b579e302f66e7aa52f37b239b0c0461ef4e3f1e45746f418b84008c0fb4880a4ca89e2e3fda1c2f5c73f49946eb032899b4
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Draw0a54d252#\ef31f92d5ee5c2a437add4506830d025\System.Drawing.Design.ni.dll
Filesize304KB
MD5186cd5fe6d50bd85dfdf1d91c216a86c
SHA1f9bdda32f17da061f9e56b66634ad328c0f3ab7f
SHA25601ab228fd80edaee26b2c25583c17055d2ecbb864336f0727ebb2338eb82910c
SHA51225d9b40de2e0e4caebdb8dc8844e7c84de25134a6a6724a532c46ae0d185aa83969c8b99341a6aaadd7bb969e2e7913ddd7db387d67aad8e2808b8fcd7ffe821
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll
Filesize972KB
MD5d65dad1e140f825dda9c7b73a6fe93fe
SHA18ed7ca22b3988c9cfdedadd447bc7183e82024a2
SHA256ead52a1635188611f7474e6cc860128116f60d7c3bc0cd00cc1cd36b57a6bc73
SHA512e073ac5fb87bdb3d41175cca1047c52f88ebca9418851b4a0e30852e93fc18ffa0c9fab0d974105aa902c03ea15427e43b97be7920561d141201462c39ebb117
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll
Filesize972KB
MD5d65dad1e140f825dda9c7b73a6fe93fe
SHA18ed7ca22b3988c9cfdedadd447bc7183e82024a2
SHA256ead52a1635188611f7474e6cc860128116f60d7c3bc0cd00cc1cd36b57a6bc73
SHA512e073ac5fb87bdb3d41175cca1047c52f88ebca9418851b4a0e30852e93fc18ffa0c9fab0d974105aa902c03ea15427e43b97be7920561d141201462c39ebb117
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll
Filesize972KB
MD5d65dad1e140f825dda9c7b73a6fe93fe
SHA18ed7ca22b3988c9cfdedadd447bc7183e82024a2
SHA256ead52a1635188611f7474e6cc860128116f60d7c3bc0cd00cc1cd36b57a6bc73
SHA512e073ac5fb87bdb3d41175cca1047c52f88ebca9418851b4a0e30852e93fc18ffa0c9fab0d974105aa902c03ea15427e43b97be7920561d141201462c39ebb117
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll
Filesize307KB
MD5fd0f9bc0584653e7f39b55dd6e743a32
SHA1ada958995ab3b74bcdf05ac0e6270024857fdee0
SHA256aa8f2ae1967de8b8f1989c7e6f92d0f8828b47d80b1ba69cb7a6c6b6fc1cff9b
SHA51238c76c107b0931b1d3cdf60207f5647cc2029dd69b6a28845bba2a792472325d3c074bb98954a60a95ed9971e179a4c2f44af95245a7b153f386d28c5b835e1f
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll
Filesize307KB
MD5fd0f9bc0584653e7f39b55dd6e743a32
SHA1ada958995ab3b74bcdf05ac0e6270024857fdee0
SHA256aa8f2ae1967de8b8f1989c7e6f92d0f8828b47d80b1ba69cb7a6c6b6fc1cff9b
SHA51238c76c107b0931b1d3cdf60207f5647cc2029dd69b6a28845bba2a792472325d3c074bb98954a60a95ed9971e179a4c2f44af95245a7b153f386d28c5b835e1f
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize337KB
MD56a74608b40a2787d6fc3ba420f22e73e
SHA1a91e0bce5d4e7b55b308ca1d01bc050a6075747d
SHA25675a50aa3dc7b54b2ca87630807f20d7a79cca0562b6392a65fce14fd0fe8d253
SHA51219c616bc99168cf0dcf38d6e0ea498956561d877658be992df9a5e9a996e39cc3bf60b6c3d766e940549d7c39fda1d1e3438f8812143574108dc830c52c5183c
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize337KB
MD56a74608b40a2787d6fc3ba420f22e73e
SHA1a91e0bce5d4e7b55b308ca1d01bc050a6075747d
SHA25675a50aa3dc7b54b2ca87630807f20d7a79cca0562b6392a65fce14fd0fe8d253
SHA51219c616bc99168cf0dcf38d6e0ea498956561d877658be992df9a5e9a996e39cc3bf60b6c3d766e940549d7c39fda1d1e3438f8812143574108dc830c52c5183c
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll
Filesize960KB
MD513bd4f0a19d3ea71a5b1c1b6d5330635
SHA112909fc81a2cb66a1435803b2c0bbc613a18b243
SHA2563fc2a7a509f23269002e9a5ce3aca634fceb4e4ab70da6cbf56ae1e500fd6052
SHA512400a09b0e29f170c1da464cd4e31f42b1e97de9fb24c29ed531d27014bf1513e6cc943435102e21735973e509c58ed7a099843a35cc2aa115868426047387c96
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll
Filesize960KB
MD513bd4f0a19d3ea71a5b1c1b6d5330635
SHA112909fc81a2cb66a1435803b2c0bbc613a18b243
SHA2563fc2a7a509f23269002e9a5ce3aca634fceb4e4ab70da6cbf56ae1e500fd6052
SHA512400a09b0e29f170c1da464cd4e31f42b1e97de9fb24c29ed531d27014bf1513e6cc943435102e21735973e509c58ed7a099843a35cc2aa115868426047387c96
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll
Filesize960KB
MD513bd4f0a19d3ea71a5b1c1b6d5330635
SHA112909fc81a2cb66a1435803b2c0bbc613a18b243
SHA2563fc2a7a509f23269002e9a5ce3aca634fceb4e4ab70da6cbf56ae1e500fd6052
SHA512400a09b0e29f170c1da464cd4e31f42b1e97de9fb24c29ed531d27014bf1513e6cc943435102e21735973e509c58ed7a099843a35cc2aa115868426047387c96
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\System.ServiceModel.Internals.ni.dll
Filesize967KB
MD5cc6bd7a1d7ea753579d70fb40d7c57ad
SHA116e06913e1b5363ff534d33d81488d1ad5124778
SHA256e8d98a32d6bc669edca2edf2c87dd07d42fc5e1fc72e79f0dd513fac1abacfca
SHA512739873fb98d043be541796633a3ed5b6b589863a50d00088b1b4554f9de455e21f0f6b98cb58815f40e0f8702a821fc55df169fc8effa0f6847123ee1bba4422
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\System.ServiceModel.Internals.ni.dll
Filesize967KB
MD5cc6bd7a1d7ea753579d70fb40d7c57ad
SHA116e06913e1b5363ff534d33d81488d1ad5124778
SHA256e8d98a32d6bc669edca2edf2c87dd07d42fc5e1fc72e79f0dd513fac1abacfca
SHA512739873fb98d043be541796633a3ed5b6b589863a50d00088b1b4554f9de455e21f0f6b98cb58815f40e0f8702a821fc55df169fc8effa0f6847123ee1bba4422
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\d56e83822b7799e202533e1b84b3c134\System.Web.RegularExpressions.ni.dll
Filesize283KB
MD5656432e3e93d85cf4468ddfae2a75c1b
SHA1f03dcca48cd68cc14e1e03e14daaaccebcd2b420
SHA256643647116569e1099a594c459814b8817b2f33b0d261622b3b48eb9257b85692
SHA5123b0b9b4cd686bd4f9427a9da6996850c33f1b8724baee0aba81f860a49f4b7e9dd1212360eb7d46d98212cd4195b90940d466a93907795ae093cdec124e25223
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\d56e83822b7799e202533e1b84b3c134\System.Web.RegularExpressions.ni.dll
Filesize283KB
MD5656432e3e93d85cf4468ddfae2a75c1b
SHA1f03dcca48cd68cc14e1e03e14daaaccebcd2b420
SHA256643647116569e1099a594c459814b8817b2f33b0d261622b3b48eb9257b85692
SHA5123b0b9b4cd686bd4f9427a9da6996850c33f1b8724baee0aba81f860a49f4b7e9dd1212360eb7d46d98212cd4195b90940d466a93907795ae093cdec124e25223
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.8dc504e4#\4a5f2a8626e8af6b6f54e42a0f59f2b6\System.Web.ApplicationServices.ni.dll
Filesize110KB
MD58e67871c1b73c9afe4e246f788ad9e7f
SHA1d27b109ec7ab22851716401e0919eb27e3650e8d
SHA2568c24736ab0e61b63457c38972dc9c469f773c16f5d4f878a5d93ed144beca534
SHA5120aa833d7784f97b69d880597625e042d43fd7ecb40a5a69007cff52bde188c3e8cf79ff8cb7d9f0fc220d11f317b40c0bdd706b38eef862eb3fbabb230f0c256
-
\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\5fc5747c2c5a8c9903788db8973ea28a\System.Web.ni.dll
Filesize15.7MB
MD56ab83e2221c6b1f3a306e4432c4a5e33
SHA123e27796eae9d8e1cf762a85dbedff89d1f68a3f
SHA2568c9da539e47f809693c2d2d631fe28219f28e020805f9b39805760e2652695f7
SHA51241902ab5d3a44e408405656f92b9146bdeb82efd364739bf06d9149ce3dcb0841dbb0703fec5011de4709adc4ea1d0fe8380e301349988d0c5d38a4e289dadb4
-
\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll
Filesize94KB
MD58c1196b2476c2ae2dee297e3db1cf37f
SHA127b4c6bc7876d7f52f34bffe2fb1f3cee88444ff
SHA256f298ac1090234846c34b192f4683d34477f84f5eb8b844afedac9d4de246e104
SHA512cd4bbe93c3a40035c65358ba714f39b8c6770aa44bdb87ed6dd23292f7a641c3da3977691fb1ecf83f1dbb6fe704edc6eeb817d1da48b4f2f9de62cf9c2ec591