umbral | 5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8

Analysis

max time kernel
674s
max time network
679s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiddlerSetup.exe
Size

6.5MB
MD5

7fd1119b5f29e4094228dabf57e65a9d
SHA1

1a4e248bfe07f8c65ce68b4f29013442be6ef7c7
SHA256

5c92f0738c290eac319d4ac3006b5725f1d2163fbfe68dbb2047e07920f4d5e8
SHA512

20d22e16f5c285bd6ffdf3620762c340ffb97cc51c5080717b87442f29a14271644351b082392d9fb2fd1ce40a1fe56a4e6592a290d67f5c587e8e9eb2f33787
SSDEEP

196608:Q962sDwuahkk8ZaQd9NCMbw4fO0ADH6Op:Q5uAkk8ZBCuXfjADH6s

Score

10^/10

umbral discovery evasion stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231f4-611.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4572	netsh.exe
3020	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 53 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\b3a383423b05afda73d5befea52df23f\DotNetZip.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\66c-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1384-0\System.Runtime.Caching.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Fiddler\0246347168440311f67418ce72a25f0e\Fiddler.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1144-0\DotNetZip.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14ec-0\System.EnterpriseServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1470-0\Newtonsoft.Json.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\147ecaf76a082c0dd04c1e2ae632921d\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9a0-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1520-0\System.Drawing.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt19c51595#\6f69c2900b13ef16144a4dd218db8baf\System.Runtime.Caching.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\3248866fdc0058e6a1a5d64c5019ee84\System.Web.RegularExpressions.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.8dc504e4#\f95cdc313801411ba86580e09a790db8\System.Web.ApplicationServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1028-0\Microsoft.Build.Tasks.v4.0.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ab4-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13bc-0\System.Data.OracleClient.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Draw0a54d252#\3d5342ebcdfac2e48f2cbb87316da000\System.Drawing.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\414-0\System.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1558-0\System.ComponentModel.Composition.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\9422cdf8836e5af7e68e6c7719083b46\Analytics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\7e76b1fb4198734d8af8f5d806b99864\SMDiagnostics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c74-0\System.DirectoryServices.Protocols.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\27f97b5687f7139425a49f9cbafaf6e2\System.Design.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data86569bbf#\37b9991e77d6c4ee257ca8b2c1f585ad\System.Data.OracleClient.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Comp46f2b404#\1a856cd8b4506b84f967fb416431e03d\System.ComponentModel.DataAnnotations.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dire5d62f0a2#\dae28270785fd6a19fb72c8c675c81a8\System.DirectoryServices.Protocols.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14cc-0\Telerik.NetworkConnections.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\a58ff39c1803c8009577b8aa07f4401d\Telerik.NetworkConnections.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\581f591747009a39a799777655cec912\GA.Analytics.Monitor.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\764-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bc0-0\Fiddler.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\c9d532d5040768732fdbb078eb294563\Newtonsoft.Json.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1708-0\Analytics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\151c-0\System.ServiceModel.Internals.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7f0-0\System.Web.RegularExpressions.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1778-0\GA.Analytics.Monitor.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\dc8-0\SMDiagnostics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16b8-0\System.Web.ApplicationServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\41c-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1090-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a3c-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\d5ea54b023997de3a48807f3b15ff588\System.ComponentModel.Composition.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14ec-0\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\179c-0\System.ComponentModel.DataAnnotations.dll	mscorsvw.exe

Executes dropped EXE 6 IoCs

pid	Process
4980	FiddlerSetup.exe
3172	SetupHelper
4928	Fiddler.exe
5112	Havoc.exe
4164	Havoc.exe
864	Fiddler.exe

Loads dropped DLL 64 IoCs

pid	Process
4980	FiddlerSetup.exe
1892	mscorsvw.exe
1892	mscorsvw.exe
4240	mscorsvw.exe
4240	mscorsvw.exe
4240	mscorsvw.exe
2740	mscorsvw.exe
1052	mscorsvw.exe
3008	mscorsvw.exe
2464	mscorsvw.exe
1052	mscorsvw.exe
4420	mscorsvw.exe
5324	mscorsvw.exe
2436	mscorsvw.exe
5464	mscorsvw.exe
5896	mscorsvw.exe
5232	mscorsvw.exe
6008	mscorsvw.exe
5404	mscorsvw.exe
5232	mscorsvw.exe
3528	mscorsvw.exe
3528	mscorsvw.exe
1644	mscorsvw.exe
5356	mscorsvw.exe
1644	mscorsvw.exe
2032	mscorsvw.exe
1044	mscorsvw.exe
1044	mscorsvw.exe
1644	mscorsvw.exe
5052	mscorsvw.exe
5052	mscorsvw.exe
5408	mscorsvw.exe
5816	mscorsvw.exe
6044	mscorsvw.exe
3188	mscorsvw.exe
3456	mscorsvw.exe
552	mscorsvw.exe
4996	mscorsvw.exe
4136	mscorsvw.exe
4136	mscorsvw.exe
4136	mscorsvw.exe
1044	mscorsvw.exe
4136	mscorsvw.exe
4136	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
2196	mscorsvw.exe
2620	mscorsvw.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023119-2.dat	nsis_installer_1
behavioral1/files/0x0007000000023119-2.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\.saz	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 493044.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	FiddlerSetup.exe
4980	FiddlerSetup.exe
4784	msedge.exe
4784	msedge.exe
4536	msedge.exe
4536	msedge.exe
5660	identity_helper.exe
5660	identity_helper.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
6088	msedge.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
5064	msedge.exe
5064	msedge.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
4928	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4928	Fiddler.exe
Token: SeDebugPrivilege	5112	Havoc.exe
Token: SeIncreaseQuotaPrivilege	4584	wmic.exe
Token: SeSecurityPrivilege	4584	wmic.exe
Token: SeTakeOwnershipPrivilege	4584	wmic.exe
Token: SeLoadDriverPrivilege	4584	wmic.exe
Token: SeSystemProfilePrivilege	4584	wmic.exe
Token: SeSystemtimePrivilege	4584	wmic.exe
Token: SeProfSingleProcessPrivilege	4584	wmic.exe
Token: SeIncBasePriorityPrivilege	4584	wmic.exe
Token: SeCreatePagefilePrivilege	4584	wmic.exe
Token: SeBackupPrivilege	4584	wmic.exe
Token: SeRestorePrivilege	4584	wmic.exe
Token: SeShutdownPrivilege	4584	wmic.exe
Token: SeDebugPrivilege	4584	wmic.exe
Token: SeSystemEnvironmentPrivilege	4584	wmic.exe
Token: SeRemoteShutdownPrivilege	4584	wmic.exe
Token: SeUndockPrivilege	4584	wmic.exe
Token: SeManageVolumePrivilege	4584	wmic.exe
Token: 33	4584	wmic.exe
Token: 34	4584	wmic.exe
Token: 35	4584	wmic.exe
Token: 36	4584	wmic.exe
Token: SeIncreaseQuotaPrivilege	4584	wmic.exe
Token: SeSecurityPrivilege	4584	wmic.exe
Token: SeTakeOwnershipPrivilege	4584	wmic.exe
Token: SeLoadDriverPrivilege	4584	wmic.exe
Token: SeSystemProfilePrivilege	4584	wmic.exe
Token: SeSystemtimePrivilege	4584	wmic.exe
Token: SeProfSingleProcessPrivilege	4584	wmic.exe
Token: SeIncBasePriorityPrivilege	4584	wmic.exe
Token: SeCreatePagefilePrivilege	4584	wmic.exe
Token: SeBackupPrivilege	4584	wmic.exe
Token: SeRestorePrivilege	4584	wmic.exe
Token: SeShutdownPrivilege	4584	wmic.exe
Token: SeDebugPrivilege	4584	wmic.exe
Token: SeSystemEnvironmentPrivilege	4584	wmic.exe
Token: SeRemoteShutdownPrivilege	4584	wmic.exe
Token: SeUndockPrivilege	4584	wmic.exe
Token: SeManageVolumePrivilege	4584	wmic.exe
Token: 33	4584	wmic.exe
Token: 34	4584	wmic.exe
Token: 35	4584	wmic.exe
Token: 36	4584	wmic.exe
Token: SeDebugPrivilege	4164	Havoc.exe
Token: SeDebugPrivilege	864	Fiddler.exe
Token: SeIncreaseQuotaPrivilege	184	wmic.exe
Token: SeSecurityPrivilege	184	wmic.exe
Token: SeTakeOwnershipPrivilege	184	wmic.exe
Token: SeLoadDriverPrivilege	184	wmic.exe
Token: SeSystemProfilePrivilege	184	wmic.exe
Token: SeSystemtimePrivilege	184	wmic.exe
Token: SeProfSingleProcessPrivilege	184	wmic.exe
Token: SeIncBasePriorityPrivilege	184	wmic.exe
Token: SeCreatePagefilePrivilege	184	wmic.exe
Token: SeBackupPrivilege	184	wmic.exe
Token: SeRestorePrivilege	184	wmic.exe
Token: SeShutdownPrivilege	184	wmic.exe
Token: SeDebugPrivilege	184	wmic.exe
Token: SeSystemEnvironmentPrivilege	184	wmic.exe
Token: SeRemoteShutdownPrivilege	184	wmic.exe
Token: SeUndockPrivilege	184	wmic.exe
Token: SeManageVolumePrivilege	184	wmic.exe
Token: 33	184	wmic.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe
4536	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4928	Fiddler.exe
4928	Fiddler.exe
864	Fiddler.exe
864	Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4980	3160	FiddlerSetup.exe	82
PID 3160 wrote to memory of 4980	3160	FiddlerSetup.exe	82
PID 3160 wrote to memory of 4980	3160	FiddlerSetup.exe	82
PID 4980 wrote to memory of 4572	4980	FiddlerSetup.exe	83
PID 4980 wrote to memory of 4572	4980	FiddlerSetup.exe	83
PID 4980 wrote to memory of 4572	4980	FiddlerSetup.exe	83
PID 4980 wrote to memory of 3020	4980	FiddlerSetup.exe	85
PID 4980 wrote to memory of 3020	4980	FiddlerSetup.exe	85
PID 4980 wrote to memory of 3020	4980	FiddlerSetup.exe	85
PID 4980 wrote to memory of 3868	4980	FiddlerSetup.exe	87
PID 4980 wrote to memory of 3868	4980	FiddlerSetup.exe	87
PID 4980 wrote to memory of 740	4980	FiddlerSetup.exe	88
PID 4980 wrote to memory of 740	4980	FiddlerSetup.exe	88
PID 4980 wrote to memory of 3172	4980	FiddlerSetup.exe	89
PID 4980 wrote to memory of 3172	4980	FiddlerSetup.exe	89
PID 4980 wrote to memory of 4536	4980	FiddlerSetup.exe	94
PID 4980 wrote to memory of 4536	4980	FiddlerSetup.exe	94
PID 4536 wrote to memory of 1048	4536	msedge.exe	96
PID 4536 wrote to memory of 1048	4536	msedge.exe	96
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 3088	4536	msedge.exe	99
PID 4536 wrote to memory of 4784	4536	msedge.exe	98
PID 4536 wrote to memory of 4784	4536	msedge.exe	98
PID 4536 wrote to memory of 4688	4536	msedge.exe	100
PID 4536 wrote to memory of 4688	4536	msedge.exe	100
PID 4536 wrote to memory of 4688	4536	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\nsaF9B3.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsaF9B3.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
    3⤵
    - Modifies Windows Firewall
    PID:4572
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
    3⤵
    - Modifies Windows Firewall
    PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
    3⤵
    PID:3868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:4596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 0 -NGENProcess 268 -Pipe 27c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3008
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 1cc -Pipe 280 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1892
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 268 -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2464
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 1dc -Pipe 26c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2ac -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5324
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2ac -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5464
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 2b8 -Pipe 278 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 2bc -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:6008
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2c4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 1cc -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5404
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 2f0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3528
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 2fc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 294 -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:1044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2a8 -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 294 -Pipe 300 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5408
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:5816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 304 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:6044
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 314 -Pipe 184 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:3188
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2d8 -Pipe 308 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:3456
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 328 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:552
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 310 -Pipe 314 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4996
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 310 -Pipe 2f8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:4136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
    3⤵
    PID:740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:2196
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 258 -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Loads dropped DLL
      PID:2620
- - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
    "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
    3⤵
    - Executes dropped EXE
    PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff295646f8,0x7fff29564708,0x7fff29564718
      4⤵
      PID:1048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:3088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
      4⤵
      PID:896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
      4⤵
      PID:948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      PID:3228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
      4⤵
      PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
      4⤵
      PID:2112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
      4⤵
      PID:1372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
      4⤵
      PID:1304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
      4⤵
      PID:6032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1820 /prefetch:8
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
      4⤵
      PID:5312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6692 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
      4⤵
      PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
      4⤵
      PID:1112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,6001713580445734163,17054794302888536508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1296 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4604

C:\Users\Admin\Downloads\Havoc.exe
"C:\Users\Admin\Downloads\Havoc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4584

C:\Users\Admin\Downloads\Havoc.exe
"C:\Users\Admin\Downloads\Havoc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4164
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:184

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2e370c00-e746-4c1e-9473-fe628035c332.tmp

Filesize
11KB

MD5
aa01c3fd6cd83bafdce2e8b8db4b8a17

SHA1
98d9aea9c823e1c6f70980679d6f97b5cfa213aa

SHA256
adc42ec9ab2c1ed2ee704cc795b9e4195fb476f3ccdd645b8aee528d6979f3af

SHA512
85818100f6badb318eff6e9acf18e18863b3cf67e71dcee838bf8689697e11c5d243a056b96178b64bdaa64e29ab526bfe8341162858876dacbfbe87c3d72a6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fbbaffc5a50295d007ab405b0885ab5

SHA1
518e87df81db1dded184c3e4e3f129cca15baba1

SHA256
b9cde79357b550b171f70630fa94754ca2dcd6228b94f311aefe2a7f1ccfc7b6

SHA512
011c69bf56eb40e7ac5d201c1a0542878d9b32495e94d28c2f3b480772aa541bfd492a9959957d71e66f27b3e8b1a3c13b91f4a21756a9b8263281fd509c007b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
360dd5debf8bf7b89c4d88d29e38446c

SHA1
65afff8c78aeb12c577a523cb77cd58d401b0f82

SHA256
3d9debe659077c04b288107244a22f1b315bcf7495bee75151a9077e71b41eef

SHA512
0ee5b81f0acc82befa24a4438f2ca417ae6fac43fa8c7f264b83b4c792b1bb8d4cecb94c6cbd6facc120dc10d7e4d67e014cdb6b4db83b1a1b60144bb78f7542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\40c3b35a-6ed1-4f80-965d-38f9712a2624.tmp

Filesize
7KB

MD5
c2c6a0dc9ce2d9f5d4a30ca630649961

SHA1
d8450a4cf1593c2f371d34141f62937d5c5346f9

SHA256
7546b133789dbe87202aef9eef587cdc2561243107e9ebb11f6a12e5ed6ce74a

SHA512
d782327967771279b4f4c3db8752ad21ebfa5210d194f59c7514f0118c11feeaa562b0b1af31f0bb9f11f63170f51d39c0263a59e765f905e926ea7e838dd75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5087ab39-1ab9-4c38-9dda-68678bfeb8ab.tmp

Filesize
1KB

MD5
f5858afd84974f51492b0262ce6aeedc

SHA1
501bf67f72cc365d8db791d6b3538efe13ef0f4e

SHA256
f97b86cefccb70b384f3f4c94b3b0ded361eea4537372f399b64f944cd12db98

SHA512
21af69e0f31305c3719668d6a75f26730c623a9580df01feb37f4850e9c950d56ac2228b2a7754682ee077b4b2ccac730c66b72a1abaadd53cf3ef560f0aba29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53a89654-9b2b-4996-a30f-554144965183.tmp

Filesize
7KB

MD5
1a1e95748b95bc5a31e1a1fe4bbef097

SHA1
90dc2d270112b8c968f2f8640791f82bb7d9dec8

SHA256
d2461f81d7cf68828db8d2fc5a8f6815fefd9e19c9b767ab5a0baeda7862d62f

SHA512
713ef5d35d3928e52d0b62b9b3387e0f56d013c47d39de344b0f5885c409eca65c851bf8fc3cb392f60dcc3ef26d95a88e6ddd8e113c6496e89a16437591cf50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6a1961cf-0e94-4358-89e9-e823b5855b01.tmp

Filesize
1KB

MD5
7a1204e5cd3de7ab7c45c0a8c9658e0f

SHA1
d420f2c495debc6bfb10de7f021df705f7671a4e

SHA256
1dfd77b0aa69e27eeb0c035ad3035eddb78f3ec6782d4624a85bf9f9d50432bf

SHA512
b96c563ef919416b5ebf4bf71ee23380bf82a501845919a6d11b2ac6f43c2570204e02972531dd900dead43b7d2e78c469ae76c3f58b49b570df30781beab09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
8148fc0c21e1ff721bdf94d46df19dd5

SHA1
4f86e4ad1f22cb11d6cb9de40086b0d871ad6958

SHA256
f9bc7e1bdbaf49c78f5a8d92279965ab909ab6d9663d1f329f263c21b836d738

SHA512
221e96429bc057edee394e274dfdbc221c284b6d5a3ec71108c78b639e70b2d732614fe54d04aad2899e7e654764484981f4116191f5f4ea804a70350f937ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1f77de3cb3743fbce7e88ea77137a0e9

SHA1
1f518ef5f8f96e103a6de68022ed8410f02b93b3

SHA256
6d89d4b9fa656511a96d6c0153513f93ce71baf0ca448c854cce536a06190c00

SHA512
302de47e43c6bbfe77e6fb97e109d9c2e3f7e3925b20c466a5eda13e8826fa54a1062e3b0615fdfb9f2e35c7c5a82931d715cf6e9bfcf218396cf6e2f3b44d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ae1916f13a0449c6f3434f842c50b2a

SHA1
a719d8e8b6bc4f64ec9c319d95b1ea340f0c1ccf

SHA256
9fa32d0e910b660d688d872a1d802e2d16ba69b025c9bc62e1cd5c451d4cc87e

SHA512
24ef12471523654e318c8fd30b65346392ff6e96744ba5424dd1469bf28d512cf9c2e59f7133524587c745997232c18c9aecdd8997b2ddbe01bd307b7bd54d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4820c3d9bde4486e7dd50c5e36eac2e1

SHA1
3d06716afa2244470686d4b8a810a81fe9f696d3

SHA256
7bc139ae7eaff8d42e25d2aae122d711509463b4884c460cf6837b024214a596

SHA512
59b3e94482a477d46c4b16b24be3b1f59a3a19675dde8a2c13bcd0a0f5bf8f9a778f016b526043d4c4b7896ef2db33aab857b18adf23715d5d0218feb7b6f3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8149633058835bdb724470d1e67d1097

SHA1
a5515872c63cbc5bbab23ae5f7e8603274920625

SHA256
4783eac2b3eae2c1a690a28fb3e254189e0a1f5ec739b710cb396ce7a23890d3

SHA512
56020c02b1276908c2334575b2d1117ad4fb35583cf789d9182fd73d9b86b72ac1cbf5c3479b37b10adfc830af914b94f29d1319247113c51104755e9d6f2689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bca4.TMP

Filesize
1KB

MD5
456eddb89cc06019370af92fbe560cac

SHA1
c90136d8e169c5556418473846d5b39bd47c5ae7

SHA256
d831bccd45ce0487e8a1a1fa444a5f111b044615cec619337f60e80dd95f35e1

SHA512
d92fb178f52d2ce8252507b4ac6a5707f1a97af5186259c412eb21852eefc6cf2eb9de32072cf21d1230c14a94b9bf39d742995df9ed2d897333ea7ffdd3e6de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b96eccd8-8a2d-44c3-9dc3-337bbe5c16b3.tmp

Filesize
7KB

MD5
e921324fdeb5d2f05e37add988653df3

SHA1
13916cc7e13c7ffaacc36250c68bb09958b25f29

SHA256
6c2b7c7bef494b77cc1e9b814d78c0754695ed1b70b24b21c3dde2e56edb3413

SHA512
7384c34a0ff806a972b49bc6794117ad0fe0952ccd767dc0b534f9a21fd141212da7fef6be8ccf18b365c952caa02361351b59218f1a56be26ea08c5b8d5bc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
04ce637cca1f378ce668ad95bf225e8e

SHA1
5b2990f5133139513cda39303a4c86097f85ae4f

SHA256
484edc96eea0ede771f74f63cea960f3f8501b2ea1fd2e921e061e66b7aa29f7

SHA512
9e3eec6e717e98cad53b18ea5e666c8eb76d5a687b4e467316433332395d0c9123ac0268fa8d34d40e83f7faa1d35f8d67534af00ec575906267b9bb1377808a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dbc99c93e06f0a33b3800b59530fa925

SHA1
4dbadaa7e2d44198456a48d71d81159873fd4b69

SHA256
701843259bb1028641639bb772d501d947b69cfac95a3c01af28c14fbb7ac52e

SHA512
227de16cb1438a80b9be47576a1d671f27fd585ec9b6e979d6da6f6888ad81a10c69c87e8f076d6cb55fd4a4bc8871656797f63ced817c934f4237433030e180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fc73c1931cbe81b314a10b6e308b602

SHA1
84fdc4cfff9975db3eccce279da312f03f7687a4

SHA256
3dd151043a0af3508533601221af4428db54f2212ef1c397773e540c425767f4

SHA512
afdad446d758f1244a7564e74218d56913fe6700db7ddbc8954985a83b9c3aa50fa6d7309428cee31617df67a58383e06a42421fca33fb10e64e33c32320e002

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
14KB

MD5
79c419b13a18add5a51be82fd10d294c

SHA1
240338ab6dcaccb64a278a34b3b2d1af1ad8f307

SHA256
9221a62373a2cb24fa8119f82c504bc5fc00353331531f0ef7212bf65a53868e

SHA512
845e4eef74794816b045db64b4126cfc50cf6d1b2bbb22e242776b2dae15fadcfb5bfdb97af4d8209419bbf302b463c0c46356fb771f17974ed62d9635b16ac7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
449KB

MD5
11bbdf80d756b3a877af483195c60619

SHA1
99aca4f325d559487abc51b0d2ebd4dca62c9462

SHA256
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1

SHA512
ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
1.5MB

MD5
a5b8c0f51898e9d55e4b3aa7904adf32

SHA1
5eaff276409670f3e8ce4cbb17086f1362d18868

SHA256
5e3006a575d4acce2e5e3cec684d7e9a1fbc3efbb73f06f5c4604faebf014ad3

SHA512
6abf01f09c8c6e430118de27322f4d67bf25018633544556630c47bfa9adc2c1fd186c94119a0b9be6c2d8dead9bbb46a8b1185fe02da2085601b0e9613ad427

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
252B

MD5
38a7379a4b36fc661c69a3e299373a05

SHA1
1b0de45ad7fe759499c57cc1aa9c1da441d9167a

SHA256
70107440ed3e5ce934b947a85669a963ed0370d1d34c27e8f3bd2a8f5f670342

SHA512
5c91d3ebae7a1d0fc068303632cdd7f789bfc3f5158c338d253ef0ba584bde2346e86287dd56f8dd266494ecf1307fb091e548b5cb795a80e5969f09f7507f02

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
57KB

MD5
710ed879eedb46cdea51b01fdfeebe51

SHA1
41535cbf7f7da9847842ec71bd0f9431daf05219

SHA256
87c01a491f098fdb6d2b51c442831359cb7f08118339a0e05fd6aa71bbc31f3d

SHA512
540152e19d151fb3e38904836b2da3f29e1347eadba18b6171a31eb8b82bca4b76196a3f59f284b03709883da2b5e7ec06129dd8774b67f007043c7d9629f5ae

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
31KB

MD5
45a29924b29cd5881da857104c5554fe

SHA1
75716bfcb46aa02adc1e74369ec60f1c27e309b9

SHA256
b31d4c6a86bad9eaffaa543476261aaa95705fffaaf367a6ab67133c6af5fcfe

SHA512
0ee65dc21bfb5be949a8d96f0d5c04dba70c83988ddf460e9ce18e32eeb27fcb350e85b1ed5951ec2b5b2ad6506fa117fbe5495eabf58756fc66111f52b1b631

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20211.51073\user.config

Filesize
966B

MD5
dd3cde207c7befa0f2ab4f2aa82f4ba6

SHA1
c43c56f111c679431201a013023c2f106f00867c

SHA256
8732fdc6e708c988a8486eafe1317b59d01c1313077d4b9a8cdb624691aedf0b

SHA512
30903a0f20680888cc4d8c153ff6269fa87edc5b97de5d92e970eac5f7e7d6659b8f4422aa07c7900b9d003ca19bfcbba3d46a1fbc4c00cce0484dc555c1fd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaF9B3.tmp\FiddlerSetup.exe

Filesize
3.2MB

MD5
092879b4ec0b7a59be6273035da99e27

SHA1
282f2602469017d4d8401e84e248a6c138b7de97

SHA256
87d5fd5bfadffa31f6b72923be4d4a46335b3e32a4f6e306f90d04d4aed49c50

SHA512
dde4050f6a26dc0feecb7a7f2563f33db5615c15c0dd1f3e6bf8ff8aa3a4ced68a53ae66c179f56dda5a50185b5053460e63c5a0489b141d11372aacfcea4cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu1162.tmp\System.dll

Filesize
11KB

MD5
b8992e497d57001ddf100f9c397fcef5

SHA1
e26ddf101a2ec5027975d2909306457c6f61cfbd

SHA256
98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

SHA512
8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 493044.crdownload

Filesize
286KB

MD5
5f6bf16337b893b199a0a07dc23e4083

SHA1
3a121df13d623b916f11d3ef6fbc507fb071fcb9

SHA256
b996359e1043f4244245339f9bd37b8c554362d2c30228545e667c9e7c4f1ac1

SHA512
6ff43db8d4b319bfd375c7c61563741fede3aeb44d3bda3df62ff8f1df1af6c716f6d99f4f9f0860d011c0b3a8f66054f09baddae1961ac63771d5a6b7342a95

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\9422cdf8836e5af7e68e6c7719083b46\Analytics.ni.dll

Filesize
153KB

MD5
c20e3fe00cf0f4e09294751a67dc50d8

SHA1
14ed469f18dfaa6832c6b82ccaf69c5af198fa12

SHA256
37553c2197d007b659be700cfd9df1900a245ec41bc5b31d5aee4e0593598b8d

SHA512
10202cb440a7644aa1793c95207dab1c03fb5784fea676223882b33231de0cbebccc4c8be11936667569bee2d14e84c4c9d6d8557a413f63353f45f4bc431ce0

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\b3a383423b05afda73d5befea52df23f\DotNetZip.ni.dll

Filesize
512KB

MD5
12ae1ccd048a13d1f88519f645fddc2b

SHA1
7bcb4761e3c05e2a1b16b2e6e0f8b04fdeea5315

SHA256
e2c517ff99ad81b80012ae814e4681c1b640ff2bb9c41ef14bd9d11cd935f86c

SHA512
ca5a35dd1563333dd4a48a2b495deea7eff71dedea6b0467941c1f76645cf799b4a137ee57cedb15c7001f4df10bcf91dc85396136271e04677544bfec4cb597

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Fiddler\0246347168440311f67418ce72a25f0e\Fiddler.ni.exe

Filesize
2.1MB

MD5
5bfea288f9b3a6b3d1ac1fced69a38e6

SHA1
4b6898da079674f8d581b0032e3c4b679575647d

SHA256
1855f58d27ecf17195ab983728510f32bf26f3ece5066e54352b8469f8bd3c33

SHA512
5d492085341534b70d2b204c96997f828aa04841ae6cc9d3a3522f973857ccc36e8044534723182b82af51ade474e1e2fbb051acf04194daae4e41f606d2c055

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\581f591747009a39a799777655cec912\GA.Analytics.Monitor.ni.dll

Filesize
97KB

MD5
d13067df5b8861443dd62c24500fa80f

SHA1
aff73935c891ec4f2a22057702af8cecf0e8acc6

SHA256
73be9dfbb3ea011a578fb8fce521f9aa75e47a8ea499dd9b4e0ef2b55dea50ae

SHA512
0f17db95c2fb497f0bfbf136410bf4ee5e3ca0fbf5c12694f87c86466d5797608d5002b77d8a5a462b747ce0c4936683a8cb37384a381c60b5fe6fce8091cac1

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
174KB

MD5
2b4126e5291becd18aef6c45bc0644a7

SHA1
334ac8e9619025e26eea1ea3eaf1f77234f81f23

SHA256
628a7b6f97c11fcfb36f7717cf8a36ec32f03b20b3c499c4da3a63874829f64c

SHA512
f7176bc0d46ffaa412748e13965e9f1b34d36ac247f3ed7ff328ed281416490394713f0353e8defb158b3882e3e9202fa930048ee61d37e9e4cb47495980a703

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\c9d532d5040768732fdbb078eb294563\Newtonsoft.Json.ni.dll

Filesize
2.8MB

MD5
aefc6b5c43f47c7bea12b8bfcd689903

SHA1
9a015648f178ae41530505784fcf05fc4990fda8

SHA256
64187e23cd6ffa594b9e6eef2ddcd72a735af4a8f16a71427136def0f4d4710c

SHA512
7acd1dfaacccecc2e35e61bfdda654a419b44b744b8d8f927f3bea59f436b1e478fb18fac274691cb3a647d41c111464e897942416676ba78a737a2a6fd66753

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\7e76b1fb4198734d8af8f5d806b99864\SMDiagnostics.ni.dll

Filesize
142KB

MD5
ee791496cf3d4d9c47e410faf2ce6513

SHA1
db05319fee5f2ee451701ac7059caf52a1780b8a

SHA256
7725443ac7cb92308a71c71ab91218abdf2393d96ada57a56a53a03312fd4011

SHA512
19e12c301a514e291a779b2e054a71d20350cabbf468b1a4c1c26eded36053c5dcc373db758bc2d283aa4fa4e5a5406e9c892bb208be3d8c2eaef8c0d724fabb

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Compba577418#\d5ea54b023997de3a48807f3b15ff588\System.ComponentModel.Composition.ni.dll

Filesize
924KB

MD5
f8073fd4b124cbf2bd60f1f8133875a1

SHA1
e6738f2ad6850b21f45a19d7289c9105530420e4

SHA256
4da215f2ac9a44ec3360ecd3b9e5e8998167bf116bc9e334b2fb57409d0b07e1

SHA512
27e147b4d571a3e59592897962719430f0680327992735727570d35fc34e8b2d7276f304a1a8bc50a8b29c361ba580b320c27aeaca68e2382c0409e6740ae8e9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
1.1MB

MD5
bb8f5309441187b74cb500420af99094

SHA1
235de12c3127818d8f609401196efe0c70928f85

SHA256
e9c12b10ca6737591adef505bef2ec93deb04b03f617c6dccaba848415deb1c1

SHA512
f8429d67fc52eadfe2395741d63ba1469e5718c62f060e8eee4d6feac1ecc338086a22fd4f4748393c66e23e5656503ae70b364717b123f064b342cd42c87b25

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
1024KB

MD5
b584fdfe6d4ded97d84e6beb5f8d1f04

SHA1
e76b7ff9cda23f0ec66b1882abdaf356ebb05d11

SHA256
652a5771588b0bd1be7526e8184e0e3092b8af871d0c294b7083d235eabfbec1

SHA512
a2ee27839d7b7cce280cb0d69d85d30a6111bc0a4a0cce5bb650bf77e69a786bae2246910f5a3e8fbe0e7eb1a7797a539a89f0bc6547174c450d4dcc37adddb0

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
320KB

MD5
b07d986724c61c65ebaeb4cf770ff554

SHA1
02ae96c6474a685b08ccf8eca105bd6892c5e89b

SHA256
98c9838d18898aee3c816a7f77dc6820b0256061e92fcfde464972d722905967

SHA512
5c8b6a7135117609b665bf3ca8d23c64b608718f6d921df3d49b306144bb94f5c6727c1365434bfaae1c29b16058daffc9ba1f3ac9461d3527bd6751990e47c7

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
256KB

MD5
5bf424129c9fd9b439aa0a14e33b85be

SHA1
5a1064cfee407460b400a5d429be42a9c7573ba1

SHA256
eab3f1d0bf2a3871942e6508f624b46d0a57dbf1c5bc4e492e1f988e0911159a

SHA512
b32649b5850d0db86443fa1cf28d1d1a598427fc8eb5824b2cd8b45ebedbedfff673b6124c56cf0243ec2adcf6868e63dbd89d9a87dd6435635895815fd63fb2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
1.2MB

MD5
8e5048e52fedc53ab8cb19597462a033

SHA1
32d59041563c6dc469d72162b7ce9cc81c0af600

SHA256
858ad7bd566372821e78fb354267ee2911441b7fdc5fdce4fcff0e9408bdd182

SHA512
e1f0a3a1a0f53673963f84a84952991d002150d0533b3a21a5f4cb07599c800246fa1b3081e500d26ef560eedf060d2d0ec4cd502379c72a28a2e371e8fb83b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
1.4MB

MD5
eac480c0e0690a0226e4d1a56a4b5b4d

SHA1
2296d6445005c58f112edb36c7c20c7cc2515a78

SHA256
5f2674be47c7975e9c6411f760fed65417b04c1bf2885134eccece9b6c046368

SHA512
13a3f3ca30095773388c5bc5e5320afa034568e9d672077eed4d61326294da8d22ad139456b250ea621bcca315072b09ba5096c0cc2cce34ecd88066753ca537

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll

Filesize
993KB

MD5
f9746e198135ad1434e8a4d7a61011d7

SHA1
380246326d619f4ab314dd5166630909633b6e71

SHA256
be1475efa60535392e503a89eee5f1f4eea59f9ea577505e81bbee89e7d05d77

SHA512
ba91cb2ddfc0f416444761e74580633a86453a7814d3b3c2dd81d61e4b2d24a8dee916a9870bc297aa4a3be7e03ccd3d3570908afc724548ac01314e7e5a5cea

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
297KB

MD5
0962e04f5334d2718c0e6c3e41699b4c

SHA1
0323433ede2b83b459a81b4e4595e78f313cd89b

SHA256
aa275465899b02a86bc115456f2f516e6bb509a18735fa66c3c364ccfb83f76c

SHA512
6af680f1fc40832f8815db85437202a933fbd4a2594115c9738417d7020f38ecfe013c9266b1b7ae04cc9b1cf451939db572aee5227063c2cbf68b146b33809e

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
115KB

MD5
01f6868875ab0c5b3a465199d4f1b5b5

SHA1
56335d2bf990449c694eadbe4dd6405b07bd42d8

SHA256
ac5142fdda4814bdb073469ae249a6b00adf01681dbd59f330c6585c0c587921

SHA512
0212b417ec1176b15b79f78a09f3693ecc7fde7f71abf604346a21cd15cf5aea660035075c0d507763a86ee3b12bc2eda2da924425056d101e8401ca83e288eb

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll

Filesize
979KB

MD5
f867096b7d349af76728412feb1885af

SHA1
14d2cd438c2704e480c4d793fae6f9c4eee1ead9

SHA256
981aa78b0eeed437e94f2be357f2816919631277b6ac4593729d1a81d776fd7a

SHA512
a419df8204b029c0a2e0a7c547f2b7ee73dc7ad3aea91c490592a5e127986232c755fe83941fece13705ffc9723e084d3ef92692d6493f4028d88f5836d6edef

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll

Filesize
832KB

MD5
46e78d39437fb1e8eafc12da653c2c99

SHA1
f89f7cdbe05dc3e197498e8346649f4ec2ce2231

SHA256
b96e58bb6d8bc3f388b43cf79134c4db052065601a68382fb52403a0d05c1e1e

SHA512
44408c8048e90aa4fe3648cc1207a499f73ac6cf0131cf58277604627e6aa2c531693a07f50532901301ceb88b3f64d0abf9e8582d80d912331c5a0c36df7c5c

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\b7d3fce6d77b982cd4538b089805df8d\System.ServiceModel.Internals.ni.dll.aux

Filesize
592B

MD5
4d66b5a16886059c72f02695373b73fd

SHA1
67d9d961352b044ad141d3682154b61ef33a7a58

SHA256
865dabb09f0de89a3658227b2e16d285dc7338d2acab99d46963918d9b9667d2

SHA512
59da03ccc4be8351a22c4db76613f0ee9a268d4a22bfe8a88ba520d1173d3236d9a658a285e6496d9b778b1bfe2d97b77a3d18942963acc07b4a3bc4f254df91

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\3248866fdc0058e6a1a5d64c5019ee84\System.Web.RegularExpressions.ni.dll

Filesize
302KB

MD5
150c4c418ddecce4978dea59c2ae5acc

SHA1
e1a32875edc6afbfc0fa4d086ab50fb42578c859

SHA256
3322cf01cbea15ba9e327b4d50914539397f1ace4689097a8943d53667297faa

SHA512
421e30e85c587b93c20b9a9a971eb14a68594d1e423cb93863c173320480b73e64437451e30c67690bbac7fade23a53549d7c2326ee057d1ef15b3164828b99d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.82d5542b#\3248866fdc0058e6a1a5d64c5019ee84\System.Web.RegularExpressions.ni.dll.aux

Filesize
432B

MD5
0163bd5998058fea299e529dee5d52cc

SHA1
64031869381527e7bb5bccc65540d8780c0d34fe

SHA256
28db045c5d70d2ad4097af83e6361711438441c0ed6b0efcacf26f9a9c05d792

SHA512
440b7ab5a2cad658599e0e8df226ccf3ceb295b77d68627e3c2611a967ef2102ff22fa97379f51becf0e490b5a9a6ef50d218c9d7590dc38f2bfaabb5f673ab8

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux

Filesize
3KB

MD5
63e9b3188a82677302a3719048abbf2a

SHA1
83e5e36719513fa0f37877752b42b98f67138edb

SHA256
a5c799cde2f9ca15018f56fc05cfca9717055a71015acf9c29248c2001f678e1

SHA512
c951d3b79f13d5853f600652a219831173019e9e1f56096251a60f9801d77afa0cedfef9b77827a2e55d58ff81c915f3754225ebe9f0cfdcc4537372df638269

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\a58ff39c1803c8009577b8aa07f4401d\Telerik.NetworkConnections.ni.dll

Filesize
95KB

MD5
06c752fe567dd4366682cc47557ed4d3

SHA1
74c1f82a91fdd31c4892c5fcd62a0cbb5c4a91f3

SHA256
0353e43cee872188975775c1e2314fc5178febef54ac5b5a5561c6b6ce075d4a

SHA512
e60fb625ab1000eea1eea8bd8527e50e7c739d062f52b1513e057233ddfae0e0980dc1813b375731eec9b67002eeb83bcda567744dbf39531d7604fd83a65f2c

Download Submit
memory/1052-481-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-455-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-422-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-254-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-331-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/1892-289-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/2436-480-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2436-585-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-474-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-449-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/2464-448-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-393-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-409-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-394-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/3008-255-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3008-423-0x0000064488000000-0x00000644884CD000-memory.dmp

Filesize
4.8MB

Download
memory/3008-438-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3172-196-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3172-104-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/3172-482-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-784-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-391-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4240-372-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/4240-341-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-512-0x00000644A0000000-0x00000644A0103000-memory.dmp

Filesize
1.0MB

Download
memory/4420-527-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-511-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-227-0x0000014A2D950000-0x0000014A2D96C000-memory.dmp

Filesize
112KB

Download
memory/4596-209-0x0000014A2DFC0000-0x0000014A2E4E8000-memory.dmp

Filesize
5.2MB

Download
memory/4596-253-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-228-0x0000014A2ED10000-0x0000014A2F1DC000-memory.dmp

Filesize
4.8MB

Download
memory/4596-195-0x0000014A2D630000-0x0000014A2D7AE000-memory.dmp

Filesize
1.5MB

Download
memory/4596-246-0x0000014A2DE90000-0x0000014A2DF0E000-memory.dmp

Filesize
504KB

Download
memory/4596-247-0x0000014A2DB10000-0x0000014A2DB30000-memory.dmp

Filesize
128KB

Download
memory/4596-243-0x0000014A2E840000-0x0000014A2E962000-memory.dmp

Filesize
1.1MB

Download
memory/4596-226-0x0000014A2DAD0000-0x0000014A2DB0A000-memory.dmp

Filesize
232KB

Download
memory/4596-238-0x0000014A2DAB0000-0x0000014A2DACA000-memory.dmp

Filesize
104KB

Download
memory/4596-225-0x0000014A2D930000-0x0000014A2D94E000-memory.dmp

Filesize
120KB

Download
memory/4596-198-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-224-0x0000014A2D550000-0x0000014A2D562000-memory.dmp

Filesize
72KB

Download
memory/4596-218-0x0000014A2D970000-0x0000014A2D9AC000-memory.dmp

Filesize
240KB

Download
memory/4596-199-0x0000014A2D570000-0x0000014A2D62A000-memory.dmp

Filesize
744KB

Download
memory/4596-217-0x0000014A13670000-0x0000014A13680000-memory.dmp

Filesize
64KB

Download
memory/4596-214-0x0000014A15350000-0x0000014A15372000-memory.dmp

Filesize
136KB

Download
memory/4596-213-0x0000014A2DB50000-0x0000014A2DC02000-memory.dmp

Filesize
712KB

Download
memory/4596-201-0x0000014A2D8B0000-0x0000014A2D926000-memory.dmp

Filesize
472KB

Download
memory/4596-237-0x0000014A2DE40000-0x0000014A2DE84000-memory.dmp

Filesize
272KB

Download
memory/4596-212-0x0000014A15320000-0x0000014A15342000-memory.dmp

Filesize
136KB

Download
memory/4596-211-0x0000014A2DC20000-0x0000014A2DDA6000-memory.dmp

Filesize
1.5MB

Download
memory/4596-210-0x0000014A2D500000-0x0000014A2D550000-memory.dmp

Filesize
320KB

Download
memory/4596-231-0x0000014A2DDB0000-0x0000014A2DDE2000-memory.dmp

Filesize
200KB

Download
memory/4596-208-0x0000014A2D9E0000-0x0000014A2DA88000-memory.dmp

Filesize
672KB

Download
memory/4596-206-0x0000014A13660000-0x0000014A1366C000-memory.dmp

Filesize
48KB

Download
memory/4596-204-0x0000014A2D4B0000-0x0000014A2D4FA000-memory.dmp

Filesize
296KB

Download
memory/4596-229-0x0000014A2D9B0000-0x0000014A2D9C2000-memory.dmp

Filesize
72KB

Download
memory/4596-203-0x0000014A13650000-0x0000014A1365C000-memory.dmp

Filesize
48KB

Download
memory/4596-230-0x0000014A2DA90000-0x0000014A2DAB0000-memory.dmp

Filesize
128KB

Download
memory/5232-643-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5232-779-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5324-529-0x00000644A0000000-0x00000644A001B000-memory.dmp

Filesize
108KB

Download
memory/5324-547-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5324-532-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5356-787-0x000002736A010000-0x000002736A036000-memory.dmp

Filesize
152KB

Download
memory/5356-792-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5404-660-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5404-778-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5464-548-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5464-610-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5896-633-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/5896-590-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/6008-655-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download
memory/6008-622-0x00007FFF2DD20000-0x00007FFF2E7E1000-memory.dmp

Filesize
10.8MB

Download