Overview

Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 23-05-2024 00:18

Tasks
The score is the number shown on each task tab of the report. Every behavioral task ran on resource win10-20240404-en (platform windows10-1703-x64).
static1: static analysis (score 9)
behavioral1: FiddlerSetup.5.0.20243.10853-latest.exe (score 3)
behavioral2: $PLUGINSDIR/FiddlerSetup.exe (score 9)
behavioral3: $PLUGINSDIR/System.dll (score 3)
behavioral4: Analytics.dll (score 3)
behavioral5: Be.Windows.Forms.HexBox.dll (score 1)
behavioral6: DotNetZip.dll (score 1)
behavioral7: EnableLoopback.exe (score 1)
behavioral8: ExecAction.exe (score 7)
behavioral9: FSE2.exe (score 1)
behavioral10: Fiddler.exe (score 3)
behavioral11: ForceCPU.exe (score 7)
behavioral12: GA.Analytics.Monitor.dll (score 1)
behavioral13: ImportExport/BasicFormats.dll (score 1)
behavioral14: ImportExport/VSWebTestExport.dll (score 1)
behavioral15: Inspectors/QWhale.Common.dll (score 1)
behavioral16: Inspectors/QWhale.Editor.dll (score 1)
behavioral17: Inspectors/QWhale.Syntax.Schemes.dll (score 1)
behavioral18: Inspectors/QWhale.Syntax.dll (score 1)
behavioral19: Inspectors/Standard.dll (score 1)
behavioral20: Inspectors/SyntaxView.dll (score 1)
behavioral21: Newtonsoft.Json.dll (score 1)
behavioral22: Plugins/NetworkConnections/Telerik.NetworkConnections.Windows.dll (score 1)
behavioral23: RunNsisUninstallers.bat (score 1)
behavioral24: ScriptEditor/Analytics.dll (score 1)
behavioral25: ScriptEditor/GA.Analytics.Monitor.dll (score 1)
behavioral26: ScriptEditor/QWhale.Common.dll (score 1)
behavioral27: ScriptEditor/QWhale.Editor.dll (score 1)
behavioral28: ScriptEditor/QWhale.Syntax.Parsers.dll (score 1)
behavioral29: ScriptEditor/QWhale.Syntax.dll (score 1)
behavioral30: Scripts/FiddlerOrchestra.Addon.dll (score 1)
behavioral31: Scripts/FiddlerOrchestra.Connection.dll (score 1)
behavioral32: $PLUGINSDIR/System.dll (score 3)
General
Target: FiddlerSetup.5.0.20243.10853-latest.exe
Size: 4.4MB
MD5: 68c831dc8ee4a88592e26cb79a08d410
SHA1: 67ffba83eac8f1b7414d7048d681240ddc747c63
SHA256: 174c811a5c0da930f53f29d68fcce985e88994e4bef869a04b57f399bef25bbc
SHA512: af3de69884cdc9b361a8a8764ddfa2cc2c67ad7e5319f1dceb7496d8f8639a85b042bffddf9516d796f7b21ee453d66dc80b139bcc7213de43b41f92d8acf2d7
SSDEEP: 98304:Q3T82KbCk8NKNgKl3xpQ3Ll02nSadHnV8t7PrMT:Q3TLkCEpwx02nVdHoDrY
Malware Config
Signatures
Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes (pid, process):
- 5068 netsh.exe
- 4912 netsh.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: FiddlerSetup.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation (FiddlerSetup.exe)

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 4464 FiddlerSetup.exe
- 2988 SetupHelper

Loads dropped DLL (22 IoCs)
Processes (pid, process), in the order reported:
- 4464 FiddlerSetup.exe
- 4616 mscorsvw.exe
- 2324 mscorsvw.exe
- 2032 mscorsvw.exe
- 2156 mscorsvw.exe
- 4924 mscorsvw.exe
- 2156 mscorsvw.exe
- 3512 mscorsvw.exe
- 976 mscorsvw.exe (5 entries)
- 4576 mscorsvw.exe
- 1304 mscorsvw.exe
- 4856 mscorsvw.exe (2 entries)
- 2032 mscorsvw.exe (2 entries)
- 4856 mscorsvw.exe
- 1564 mscorsvw.exe
- 4100 mscorsvw.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (31 IoCs)
Processes: mscorsvw.exe, MicrosoftEdgeCP.exe, MicrosoftEdge.exe
Below, NI64 stands for C:\Windows\assembly\NativeImages_v4.0.30319_64.
- File created: NI64\Temp\7f0-0\System.Numerics.dll (mscorsvw.exe)
- File created: NI64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux.tmp (mscorsvw.exe)
- File created: NI64\System.Ente96d83b35#\bcab827b24e870428fcdda58e1ebec20\System.EnterpriseServices.ni.dll.aux.tmp (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\NDK5OCS52L\System.EnterpriseServices.ni.dll (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\YHPXYIO0YJ\System.Web.ni.dll.aux (mscorsvw.exe)
- File created: NI64\System.Numerics\9744e094346545d417a938174608d0ad\System.Numerics.ni.dll.aux.tmp (mscorsvw.exe)
- File created: NI64\System.Deployment\52c68307282a248618376df5db7f9cce\System.Deployment.ni.dll.aux.tmp (mscorsvw.exe)
- File created: NI64\Temp\1004-0\System.Runtime.Caching.dll (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\NDK5OCS52L\System.EnterpriseServices.ni.dll.aux (mscorsvw.exe)
- File created: NI64\System.Runt9064068c#\88bbec18c44a06edb18eb16d6775008f\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp (mscorsvw.exe)
- File created: NI64\System.Runt19c51595#\c2577ffc64fd5f786d339c18f95dfae7\System.Runtime.Caching.ni.dll.aux.tmp (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\71IHAAQ2II\Microsoft.JScript.ni.dll (mscorsvw.exe)
- File created: NI64\EnableLoopback\979d991d7ebbe379753c4bd4de4e7d8a\EnableLoopback.ni.exe.aux.tmp (mscorsvw.exe)
- File created: NI64\Temp\61c-0\System.EnterpriseServices.dll (mscorsvw.exe)
- File created: NI64\Temp\1208-0\EnableLoopback.exe (mscorsvw.exe)
- File created: NI64\Temp\133c-0\System.Data.SqlXml.dll (mscorsvw.exe)
- File created: NI64\Temp\86c-0\System.Deployment.dll (mscorsvw.exe)
- File created: C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
- File created: NI64\Temp\61c-0\System.EnterpriseServices.Wrapper.dll (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\YHPXYIO0YJ\System.Web.ni.dll (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\71IHAAQ2II\Microsoft.JScript.ni.dll.aux (mscorsvw.exe)
- File created: NI64\System.Data.SqlXml\cd03f7a1d6c4031c515fb3f50c42e268\System.Data.SqlXml.ni.dll.aux.tmp (mscorsvw.exe)
- File created: NI64\Temp\db8-0\System.Runtime.Serialization.Formatters.Soap.dll (mscorsvw.exe)
- File created: NI64\Temp\914-0\System.Security.dll (mscorsvw.exe)
- File created: NI64\System.Security\cccf0195b8a7b2804875769b64f41f8a\System.Security.ni.dll.aux.tmp (mscorsvw.exe)
- File created: C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdge.exe)
- File created: NI64\Temp\12f8-0\System.Web.dll (mscorsvw.exe)
- File created: NI64\System.Web\5fc5747c2c5a8c9903788db8973ea28a\System.Web.ni.dll.aux.tmp (mscorsvw.exe)
- File opened for modification: C:\Windows\assembly\temp\NDK5OCS52L\System.EnterpriseServices.Wrapper.dll (mscorsvw.exe)
- File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
- File created: C:\Windows\rescache\_merged\3720402701\1568373884.pri (MicrosoftEdgeCP.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (5 IoCs)
Processes: FiddlerSetup.exe, browser_broker.exe, MicrosoftEdgeCP.exe
Below, HKU stands for \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000.
- Key created: HKU\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION (FiddlerSetup.exe)
- Set value (int): HKU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0" (FiddlerSetup.exe)
- Set value (int): HKU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999" (FiddlerSetup.exe)
- Key created: HKU\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
- Key created: HKU\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
Modifies registry class (64 IoCs)
Processes: MicrosoftEdgeCP.exe (5 instances), MicrosoftEdge.exe, FiddlerSetup.exe
Below, CLASSES stands for \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes and EDGE stands for CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe.
- Key created: EDGE\Children\001\Internet Explorer\DOMStorage\www.telerik.com (MicrosoftEdgeCP.exe)
- Key created: CLASSES\Local Settings\MrtCache (MicrosoftEdge.exe)
- Set value (data): EDGE\MicrosoftEdge\FlipAhead\Meta\generator$WordPress (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" (MicrosoftEdge.exe)
- Key created: EDGE\Children\004\Internet Settings\Cache\History (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\MicrosoftEdge\GPU\Revision = "0" (MicrosoftEdge.exe)
- Set value (data): EDGE\Children\001\ACGStatus\DynamicCodePolicy = 05000000 (MicrosoftEdgeCP.exe)
- Key created: EDGE\Children\001\Internet Explorer\EdpDomStorage\www.telerik.com (MicrosoftEdgeCP.exe)
- Key created: CLASSES\Fiddler.ArchiveZip\Shell\Open (FiddlerSetup.exe)
- Set value (str): CLASSES\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\"" (FiddlerSetup.exe)
- Set value (int): EDGE\Children\121\Internet Settings\Cache\History\CacheLimit = "1" (MicrosoftEdgeCP.exe)
- Key created: EDGE\MicrosoftEdge\OnlineHistory (MicrosoftEdge.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\CA\Certificates (MicrosoftEdge.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\trust (MicrosoftEdge.exe)
- Key created: EDGE\Children\001\CIStatus (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\DOMStorage\www.telerik.com\ = "0" (MicrosoftEdgeCP.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (MicrosoftEdge.exe)
- Key created: EDGE\MicrosoftEdge\GPU (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\EdpDomStorage\telerik.com\ = "0" (MicrosoftEdgeCP.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\Disallowed\Certificates (MicrosoftEdge.exe)
- Key created: EDGE\Children\006\ACGStatus (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\Children\004\Internet Explorer\Main\OperationalData = "1" (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\DOMStorage\telerik.com\ = "0" (MicrosoftEdgeCP.exe)
- Set value (str): EDGE\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (MicrosoftEdgeCP.exe)
- Set value (data): EDGE\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! (MicrosoftEdge.exe)
- Set value (str): CLASSES\Fiddler.ArchiveZip\PerceivedType = "compressed" (FiddlerSetup.exe)
- Set value (int): EDGE\CIStatus\EnablementState = "1" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\121\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\GPU\Wow64-Revision = "0" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\MicrosoftEdge\Rating\NextPromptBuild = "15063" (MicrosoftEdge.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\Root\Certificates (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\001\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\DOMStorage\Total\ = "5" (MicrosoftEdgeCP.exe)
- Key created: EDGE\Children\001\CIStatus (MicrosoftEdgeCP.exe)
- Key created: EDGE\Children\001\ACGStatus (MicrosoftEdgeCP.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\Disallowed\CRLs (MicrosoftEdge.exe)
- Key created: EDGE\MicrosoftEdge\BingPageData (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" (MicrosoftEdge.exe)
- Set value (data): EDGE\CIStatus\CIStatusTimestamp = 309d35c7a6acda01 (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\006\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Set value (str): EDGE\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" (MicrosoftEdgeCP.exe)
- Key created: EDGE\Children\004\CIStatus (MicrosoftEdgeCP.exe)
- Key created: EDGE\Children\001\Internet Explorer\DOMStorage\Total (MicrosoftEdgeCP.exe)
- Set value (int): EDGE\MicrosoftEdge\Rating\Rating Prompt Shown = "0" (MicrosoftEdge.exe)
- Set value (int): EDGE\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "423267633" (MicrosoftEdge.exe)
- Set value (data): EDGE\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ (MicrosoftEdge.exe)
- Set value (str): CLASSES\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive" (FiddlerSetup.exe)
- Set value (int): EDGE\MicrosoftEdge\DummyPath\dummySetting = "1" (MicrosoftEdge.exe)
- Set value (int): EDGE\Children\001\Internet Explorer\DOMStorage\www.telerik.com\ = "5" (MicrosoftEdgeCP.exe)
- Set value (data): EDGE\CIStatus\CIStatusTimestamp = ed35a1cca6acda01 (MicrosoftEdge.exe)
- Set value (data): EDGE\Children\006\ACGStatus\DynamicCodePolicy = 00000000 (MicrosoftEdgeCP.exe)
- Key created: EDGE\Software\Microsoft\SystemCertificates\Root\CTLs (MicrosoftEdge.exe)
- Set value (str): CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\"" (FiddlerSetup.exe)
- Set value (int): EDGE\MicrosoftEdge\GPU\VersionHigh = "0" (MicrosoftEdge.exe)
- Set value (data): EDGE\Children\121\ACGStatus\DynamicCodePolicy = 05000000 (MicrosoftEdgeCP.exe)
- Key created: CLASSES\Fiddler.ArchiveZip (FiddlerSetup.exe)
- Set value (data): EDGE\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 905bc4dea6acda01 (MicrosoftEdge.exe)
Suspicious behavior: MapViewOfSection (4 IoCs)
Processes (pid, process):
- 1592 MicrosoftEdgeCP.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (token, pid, process):
- Token: SeDebugPrivilege, 3532 MicrosoftEdgeCP.exe (4 entries)
- Token: SeDebugPrivilege, 4320 MicrosoftEdgeCP.exe (2 entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid, process):
- 316 MicrosoftEdge.exe
- 1592 MicrosoftEdgeCP.exe
- 3532 MicrosoftEdgeCP.exe
- 1592 MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory (38 IoCs)
Processes (source pid and process, target pid and process):
- PID 3368 FiddlerSetup.5.0.20243.10853-latest.exe wrote to memory of 4464 FiddlerSetup.exe (3 entries)
- PID 4464 FiddlerSetup.exe wrote to memory of 4912 netsh.exe (3 entries)
- PID 4464 FiddlerSetup.exe wrote to memory of 5068 netsh.exe (3 entries)
- PID 4464 FiddlerSetup.exe wrote to memory of 1568 ngen.exe (2 entries)
- PID 4464 FiddlerSetup.exe wrote to memory of 4916 ngen.exe (2 entries)
- PID 4464 FiddlerSetup.exe wrote to memory of 2988 SetupHelper (3 entries)
- PID 1592 MicrosoftEdgeCP.exe wrote to memory of 1152 MicrosoftEdgeCP.exe (22 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.5.0.20243.10853-latest.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.5.0.20243.10853-latest.exe"
  Behaviors:
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\nsw6523.tmp\FiddlerSetup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nsw6523.tmp\FiddlerSetup.exe" /D=
    Behaviors:
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      Behaviors:
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      Behaviors:
      - Modifies Windows Firewall
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      Children:
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 0 -NGENProcess 160 -Pipe 16c -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 214 -Pipe 19c -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 240 -Pipe 248 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 290 -Pipe 280 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 274 -Pipe 28c -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 220 -Pipe 288 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 168 -InterruptEvent 0 -NGENProcess 284 -Pipe 244 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 214 -Comment "NGen Worker Process"
        Behaviors:
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 284 -Pipe 2ac -Comment "NGen Worker Process"
        Behaviors:
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 254 -Pipe 29c -Comment "NGen Worker Process"
        Behaviors:
        - Drops file in Windows directory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      Children:
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 178 -InterruptEvent 0 -NGENProcess 168 -Pipe 174 -Comment "NGen Worker Process"
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 22c -Pipe 170 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 23c -Pipe 244 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 228 -Pipe 210 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 0 -NGENProcess 22c -Pipe 294 -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 240 -Pipe 20c -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 27c -Pipe 22c -Comment "NGen Worker Process"
        Behaviors:
        - Loads dropped DLL
        - Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      Command line: "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      Behaviors:
      - Executes dropped EXE
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  Behaviors:
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\browser_broker.exe
  Command line: C:\Windows\system32\browser_broker.exe -Embedding
  Behaviors:
  - Modifies Internet Explorer settings
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Drops file in Windows directory
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Modifies registry class
- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  Behaviors:
  - Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Downloads