Overview
overview: score 10
Static
static: score 3
FiddlerSet...st.exe (windows10-2004-x64): score 10
$PLUGINSDI...up.exe (windows10-2004-x64): score 3
$PLUGINSDI...em.dll (windows10-2004-x64): score 3
Analytics.dll (windows10-2004-x64): score 1
Be.Windows...ox.dll (windows10-2004-x64): score 1
DotNetZip.dll (windows10-2004-x64): score 1
EnableLoopback.exe (windows10-2004-x64): score 7
ExecAction.exe (windows10-2004-x64): score 1
FSE2.exe (windows10-2004-x64): score 3
Fiddler.exe (windows10-2004-x64): score 9
ForceCPU.exe (windows10-2004-x64): score 1
GA.Analyti...or.dll (windows10-2004-x64): score 1
ImportExpo...ts.dll (windows10-2004-x64): score 1
ImportExpo...rt.dll (windows10-2004-x64): score 1
Inspectors...on.dll (windows10-2004-x64): score 1
Inspectors...or.dll (windows10-2004-x64): score 1
Inspectors...es.dll (windows10-2004-x64): score 1
Inspectors...ax.dll (windows10-2004-x64): score 1
Inspectors...rd.dll (windows10-2004-x64): score 1
Inspectors...ew.dll (windows10-2004-x64): score 1
Newtonsoft.Json.dll (windows10-2004-x64): score 1
Plugins/Ne...ws.dll (windows10-2004-x64): score 1
RunNsisUni...rs.bat (windows10-2004-x64): score 1
ScriptEdit...cs.dll (windows10-2004-x64): score 1
ScriptEdit...or.dll (windows10-2004-x64): score 1
ScriptEdit...on.dll (windows10-2004-x64): score 1
ScriptEdit...or.dll (windows10-2004-x64): score 1
ScriptEdit...rs.dll (windows10-2004-x64): score 1
ScriptEdit...ax.dll (windows10-2004-x64): score 1
Scripts/Fi...on.dll (windows10-2004-x64): score 1
Scripts/Fi...on.dll (windows10-2004-x64): score 1
$PLUGINSDI...em.dll (windows10-2004-x64): score 3
Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
FiddlerSetup.5.0.20242.10753-latest.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/FiddlerSetup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
Analytics.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Be.Windows.Forms.HexBox.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
DotNetZip.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
EnableLoopback.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
ExecAction.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
FSE2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
Fiddler.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
ForceCPU.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
GA.Analytics.Monitor.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
ImportExport/BasicFormats.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
ImportExport/VSWebTestExport.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
Inspectors/QWhale.Common.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
Inspectors/QWhale.Editor.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
Inspectors/QWhale.Syntax.Schemes.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
Inspectors/QWhale.Syntax.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
Inspectors/Standard.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
Inspectors/SyntaxView.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
Newtonsoft.Json.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
Plugins/NetworkConnections/Telerik.NetworkConnections.Windows.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
RunNsisUninstallers.bat
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
ScriptEditor/Analytics.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
ScriptEditor/GA.Analytics.Monitor.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral26
Sample
ScriptEditor/QWhale.Common.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
ScriptEditor/QWhale.Editor.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral28
Sample
ScriptEditor/QWhale.Syntax.Parsers.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
ScriptEditor/QWhale.Syntax.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
Scripts/FiddlerOrchestra.Addon.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
Scripts/FiddlerOrchestra.Connection.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
General
Target: Fiddler.exe
Size: 3.5MB
MD5: 32cf2e7c6ae825d5f7cb2a7d39c2ee24
SHA1: 262176d879e7727375025cae4aafc90698adad26
SHA256: d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5
SHA512: a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2
SSDEEP: 49152:0Ms91NvXsJm+5Tti9og1fcaufet3YG5kCTnEsRH0jgB3:RsfNvXsJm+5TtiTMfeJnEsRHAgt
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid 2504: netsh.exe
pid 3624: netsh.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (Fiddler.exe)
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (FiddlerSetup.exe)
-
Executes dropped EXE 4 IoCs
Processes:
pid 4688: FiddlerClassicAutoUpdater.exe
pid 4700: FiddlerSetup.exe
pid 2592: SetupHelper
pid 1580: Fiddler.exe
-
Loads dropped DLL 22 IoCs
Processes:
pid 4700: FiddlerSetup.exe
pid 4792: mscorsvw.exe
pid 1144: mscorsvw.exe
pid 3620: mscorsvw.exe
pid 2968: mscorsvw.exe
pid 3128: mscorsvw.exe
pid 2832: mscorsvw.exe
pid 2376: mscorsvw.exe
pid 4728: mscorsvw.exe
pid 1356: mscorsvw.exe
pid 1580: Fiddler.exe
pid 1160: mscorsvw.exe
pid 5472: mscorsvw.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 17 IoCs
Processes:
mscorsvw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies Internet Explorer settings
Processes:
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0" (FiddlerSetup.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\TypedURLs (Fiddler.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION (FiddlerSetup.exe)
-
Modifies registry class 15 IoCs
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\DefaultIcon (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.saz\ = "Fiddler.ArchiveZip" (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\"" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive" (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command (FiddlerSetup.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\"" (FiddlerSetup.exe)
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.saz (FiddlerSetup.exe)
-
Modifies system certificate store
Processes:
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F (Fiddler.exe)
Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F\Blob (Fiddler.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 (Fiddler.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob (Fiddler.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 3700: Fiddler.exe
pid 4700: FiddlerSetup.exe
pid 1580: Fiddler.exe
pid 2768: msedge.exe
pid 4392: msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
pid 4392: msedge.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 3700 (Fiddler.exe)
Token: SeDebugPrivilege, pid 1580 (Fiddler.exe)
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid 4392: msedge.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid 4392: msedge.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid 3700: Fiddler.exe
pid 1580: Fiddler.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
PID 3700 wrote to memory of 4688: Fiddler.exe -> FiddlerClassicAutoUpdater.exe
PID 4688 wrote to memory of 4700: FiddlerClassicAutoUpdater.exe -> FiddlerSetup.exe
PID 4700 wrote to memory of 2504: FiddlerSetup.exe -> netsh.exe
PID 4700 wrote to memory of 3624: FiddlerSetup.exe -> netsh.exe
PID 4700 wrote to memory of 2856: FiddlerSetup.exe -> ngen.exe
PID 4700 wrote to memory of 2228: FiddlerSetup.exe -> ngen.exe
PID 4700 wrote to memory of 2592: FiddlerSetup.exe -> SetupHelper
PID 4700 wrote to memory of 4392: FiddlerSetup.exe -> msedge.exe
PID 4392 wrote to memory of 4404: msedge.exe -> msedge.exe
PID 4700 wrote to memory of 1580: FiddlerSetup.exe -> Fiddler.exe
PID 4392 wrote to memory of 2012: msedge.exe -> msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fiddler.exe"C:\Users\Admin\AppData\Local\Temp\Fiddler.exe"1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exe"C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exe" /AUTOUPDATE2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exe" /AUTOUPDATE /D=3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"4⤵
- Modifies Windows Firewall
PID:2504 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"4⤵
- Modifies Windows Firewall
PID:3624 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"4⤵PID:2856
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
PID:2376 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
PID:4728 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1356 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1160 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
PID:5472 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"5⤵
- Drops file in Windows directory
PID:5844 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"4⤵PID:2228
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"5⤵PID:4488
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 26c -Pipe 294 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4792 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1dc -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3128 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1144 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3620 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2cc -Pipe 1c8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2968 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2832 -
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"4⤵
- Executes dropped EXE
PID:2592 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb036646f8,0x7ffb03664708,0x7ffb036647185⤵PID:4404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:25⤵PID:2012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:85⤵PID:2336
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:15⤵PID:780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:15⤵PID:392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:15⤵PID:4540
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:15⤵PID:5232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:15⤵PID:5240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:15⤵PID:5640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:15⤵PID:5648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:15⤵PID:6008
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:85⤵PID:5740
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:85⤵PID:6100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:15⤵PID:5436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:15⤵PID:3672
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:15⤵PID:5940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:15⤵PID:5904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:25⤵PID:3212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:15⤵PID:5836
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exeC:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe -startedByUpdate4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Win8EL5⤵PID:5920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb036646f8,0x7ffb03664708,0x7ffb036647186⤵PID:5932
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:1984
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2052
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1636
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4060
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\USERS\ADMIN\APPDATA\LOCAL\PROGRAMS\FIDDLER\PLUGINS\NETWORKCONNECTIONS\TELERIK.NETWORKCONNECTIONS.WINDOWS.DLLFilesize
33KB
MD55889357424d717c8629c8bfabcd0be50
SHA187e7047a40e24bd5ac23f89e072ee39a14a53023
SHA2563564b25b24569b8d8a0128f2f4bddec89c0b8986da7542d9c64aac730360a600
SHA5121af458742cefd4730d64b19ecc05460354f0e47a79cdcd7794877aa0f6c56cfb92f37a0daf66fedaec2a579eb0187d774b7d5ba1fff65d6ab1504df4c3668fad
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fiddler.exe.logFilesize
2KB
MD5666fbe2929c630945e035b4c464c1a9b
SHA12bbacc9a70144a89273c7c2afd0f5b4d391be44e
SHA256703fe72237275b644efaf726ab812946452392e8f43a33f6318e085e47e6962c
SHA51227d081b0f820d4cacae04cdb68e04148ae1230a8dd6ff6937b286ed742f7d2bb796b0337bbdd36957fcfee834725562c90a09aff26a51fd3d3001ba2888c3ff1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54dc6fc5e708279a3310fe55d9c44743d
SHA1a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
SHA256a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
SHA5125874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c9c4c494f8fba32d95ba2125f00586a3
SHA18a600205528aef7953144f1cf6f7a5115e3611de
SHA256a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
SHA5129d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
624B
MD510a5821d17f4e3cdb3dfa61641ccac8d
SHA18d677f0f3cc85e27d00e662c0500892bbb60b138
SHA25643aac1adc1c8f7ff8f0766b6b25628e9fda8e3cb423df772968d97518356d3f6
SHA51227e77835795380d282103a44ef7893063bc8f00aa70fc41c12d757184aa4e76a5548fba561a52768bc335114cb1eb4f521621a758cfbc2a052bae5de212564d7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD50f1f8a221591ccc4f91529e0bd9ba75f
SHA1b0a62c2d5cfc35bc32480068e1ba40b124ab66d7
SHA2568a8ca67b51d0c83fcc22d71d20e4529f150c555f1442c945a0f9c3ad50c0512b
SHA5126d84abbe18727a7b91288f61faf29e60580678f6f4ca8753d13053879e77df6234c508a4905bc86dac18ceb8a35c9bad4dd12f231d9f168022305c4450fa09bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD56f7e054cd27898bf71740169ee0652df
SHA16adc5fb27e19a15a82b68aa4c45e0d52060f663c
SHA256efc56b2a2992a5cbb748d54f36da5728d5dba61484447b469204883eef7bbbff
SHA51203f4f9bb6ff3a67bda5512d337b3f0df7668722efb440d1b0cb271fc658d0bc5940e64e248e0523bf52e57544f97ad50998c73510745c4dc106d817e14a09bce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5695f3d85c2b64d1095677f660fb1f73d
SHA1293bae77e83363ffdfa9d5ae0a725e95abcc44f4
SHA2563e7c5a632cd423ed7356a1157e2a9157d6a8727bc5c19b0170644f31941a3656
SHA51255eca737c088d248ce60eecdbba44bfd782b6da4f533442191f1376e2acdf40aad0f0d5491bcfd65dbe6bbabb3f5be5c1fe6f7bb50a4fd4ba7f37517d8b277cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5d783b36ad2e1902ad520fe31c31e1b01
SHA1a55b5057b6007c5fda9dd14a6ddb465078eb6220
SHA25641b9adaab46cea1c71c2c193def7eec3ac2403158260f315e3da6b24d57d8a72
SHA512e2b3f58f183e0230cd5af701af92d9db5cc6a4fd5ca64abb026a8814d12ac737ba8d8e4de867bcdc2f4277537162247b1aab018ac4a89b5b86fe81b09261b2f8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5801ff.TMPFilesize
1KB
MD534187791b9a1525b6c29866ea64c3da4
SHA17179f6583b969877e2c21370b74b2d30e1905549
SHA256cc4591086d26add23dff8e7a8e92fe1078e7c4bef8a1cc8d9db992a3d8774cbc
SHA5127c1d7da854ff29802c036600ef7bb7df675caf00c52a3af100788159942ae77aa8cc696bb1f4ba2216fa951e61369b85106fdbd93cc80d66397ca9d118aaca01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD5dd90c1da969595203b659efef24e25dd
SHA10006a6dc532bbedfe976291873b82fbb0f62317b
SHA256ba137e1bfe9b1a2abe2c71fbcf8450815f62346286719f899dbf92289cbfdfaa
SHA5129b3bcac8676f111c627c9fed1b13e765a0e8aa66a3c90387627e37a074d65eedd6d453f2463c9c34f1fe71b592f1e921bc4a9a3c3bd912e4e44f8d2aafe2d66c
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dllFilesize
32KB
MD51c2bd080b0e972a3ee1579895ea17b42
SHA1a09454bc976b4af549a6347618f846d4c93b769b
SHA256166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29
SHA512946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exeFilesize
82KB
MD5a897a628beb719bf888c95d70602ee83
SHA1fe9dcec7c9c6f4f664814db6eb611a9a235a04b7
SHA2561ab2c4a1d6d2b4899f63111466e4ebf944ab2ec7917926b20028bf181b22f49a
SHA51211e6c91db91a3233bd4a68711e26144ad96f5f5b8f22004efb08a45d96e3526592ebc49aa6c20b3b8739c6091e3ffade4badefae20e07983e4ab2bc890354a05
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exeFilesize
3.5MB
MD5d8d686a8e171c52a856187dd6d5b18f2
SHA153bd857635684130bf340995e452457a61bcee23
SHA256892ff0f941cba2ef1e8d5f7ddb14002e21c95f21a132c50762a4c79ef9fdc475
SHA512fb1f026d92cd2cbcdc0ce9a4bb81a370999cca77c99c5db2b6089a510f55af9aa1c908727fe3f31de3ec8eb3142b3b1f7e2deeca641e2b9d56eb3543ebbbe714
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.configFilesize
261B
MD5c2edc7b631abce6db98b978995561e57
SHA15b1e7a3548763cb6c30145065cfa4b85ed68eb31
SHA256e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14
SHA5125bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dllFilesize
52KB
MD56f9e5c4b5662c7f8d1159edcba6e7429
SHA1c7630476a50a953dab490931b99d2a5eca96f9f6
SHA256e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790
SHA51278fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\Standard.dllFilesize
247KB
MD50f8191a9defbcc4e27cb6d6d455bbd09
SHA117fe3a6f0d93082e1fcca23925db99be023b65c4
SHA256e673dc35530cac477135267c41212de263798fe49b0e77ba9511eef908e4f7db
SHA51243c07afe0e53ea7007cd1718797c53c87843c04bdcae58f531a5f1cfd579c8927b0938489e158c7106a9c77ed41b4a2e4ae805449686408cd2c65908cf091f68
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\SyntaxView.dllFilesize
68KB
MD59271edebeb231896252e527ad4f2c1c5
SHA1518b8a5415b879147a9666e9c8b6ddc5841c290f
SHA25675ace796c6f2f1cafbb487b9de9fae7b33b8c6f68c56869654b0ae77618535ba
SHA5122fb2265b7fa7fbac6ecdde4fe27047f44e0d11d74f917b4d43aaf7303f5a70452e1f1b050e4545875d0f47d4dd2b7aa63d842eac39224f119a4c6aeb7dc64a02
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dllFilesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dllFilesize
192KB
MD5ac80e3ca5ec3ed77ef7f1a5648fd605a
SHA1593077c0d921df0819d48b627d4a140967a6b9e0
SHA25693b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5
SHA5123ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dllFilesize
816KB
MD5eaa268802c633f27fcfc90fd0f986e10
SHA121f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f
SHA256fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54
SHA512c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dllFilesize
228KB
MD53be64186e6e8ad19dc3559ee3c307070
SHA12f9e70e04189f6c736a3b9d0642f46208c60380a
SHA25679a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c
SHA5127d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Addon.dllFilesize
46KB
MD5094270ab2522a4228925480f5a07f4bb
SHA1bb450f6931252a132c029c23b2fa10278a8c695f
SHA256c3ae6b22fc6d7a8842747fb2bdea9f89bad48b7ba0de0440cbb6f41425ef8684
SHA51201d23e7c0733c2326ec2238938aaa7c0749c74ab0966025ae2b0fec965da54eeb6ab0a097db9fe401c9110334e8f7f433060a3266d1da9a3851b41bb5bb21600
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Connection.dllFilesize
1.8MB
MD58dfc61a6a71de70bb8fb9e637b35611c
SHA1e6deaec2920460f7fb61cd3a9a35ff4d8ce8cb27
SHA256d7521e7e1e669ffe5a75738f55f685cba0ba4c4af1b81faa6b681678f5ad4c3f
SHA51254da6d578f40ecfdcf532285a78e287d3ca8d91dc9bde5c3fd009bf54718bbcb0696ea757cca8b77dff6bcb332bd16a834e1b90a014ac1170981d9f924a20c4d
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Protocol.dllFilesize
23KB
MD56a2eae44b3c3119e58f7f45a333104b7
SHA1af79a4a2b7cb5db17616eecaaeeff213f06868e6
SHA256cf4288d9c5f821fa031e1345fb2f84a29595939a116bbdfb534998a9bf80c82b
SHA5126426e22a4443ee89cff7c1ebd3569fd6bbac4e7208a4f8435735aa7565ee416396880ba3c4b01fbf0eab5a3da076e591baf0b3f8014eed5347db5582e382335a
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Utilities.dllFilesize
18KB
MD59cc10f9727a4711b75f77a02d48a052e
SHA1f6096f609eacd11175a651773990ec5a6eba546d
SHA256e6ffde792bf1b185f6832c44bc6cb3ac32e062c21f4741909ed8275bc1490f36
SHA512d66ce0207a240206ec5214901887b39a87f36b4ec751db5d429b4b4b5e7bd10b4555ca046f11822f315cd9021ec7d761c0157bdc62df0d48c449b2bfdf46ed9d
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\RulesTab2.dllFilesize
35KB
MD5b2bd0db74d2cce3553a3cb84a7b0db92
SHA11858ecedd27126ffa3c66bac3fcb54b7cc8e083c
SHA25617cc1be54b11bac35f7d130a78684bc7a25d32891d51ba619f748b42c5eabfca
SHA512241c34343a82d61c2202e5431de2143d72b2393f54698980b2b2002c111e54803e9fc87b72fa1d28ad8ae2029f841eaa633e79ce7a9755204216854e539977a7
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\SampleRules.jsFilesize
22KB
MD5cb7bf8b2d0e15c0ecc290a242b9f743a
SHA1f1215262c0729dc6700fd5158ef6e437e64a4821
SHA25669cc5397e0fa9f99a0d21476da21147631a213f9f15652f8f182f34025abb500
SHA51249202347079e366477ba67372b086f5064b108c0c40aa52dfd833dee821b87cc37d9929d5da4fefdd62a824ebf34c161107f08ea7b33d866d21c266ce99972fe
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\SimpleFilter.dllFilesize
136KB
MD5429d745780defb0e1dd4a2c99a48eab1
SHA1ece6236e18d2f6d21295519c459139cf8dbcabbf
SHA256bbf13d9928338c6a12046987d9027f809fb79abbc3d0854fecad62e3bcb6e6f3
SHA5124929093a2e0126ed2efe714c7ce20e9d1abe5001504dc1ecfbbb1a5fe8b570fe960e94bb04d349a5c263cabf9b97d053150d6514b4642a453068ad410e64b187
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\Timeline.dllFilesize
39KB
MD5524430838cca89a4143e927c98175159
SHA126b960380f92c7dbe20c6627cf726030c0bf5f77
SHA25644202e9142630d1466829578aa85ffef5446b959235a3f2bf816d48a9a529789
SHA512230fb6794287cad2382b12b52ef5275db4a5af3cc345adc44e9a2c551f2527a86e3558ba68c3b20c87bf501a86e4300e7d2b9e58e3af946a71ed0b4c9f293691
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelperFilesize
18KB
MD594dc69e00d3c9728e5b9924907930a11
SHA161a8df9ccf28af1da33a69158de6a9a59a01f848
SHA256b22130b228a0777d7fef3cec8a0ba3789bca488978d1607e36dccc85f3e8372f
SHA512a02e5d28dc1cd95f534e26abe5be2ff076e39c164ec37f44717c2ed6c8c013e0230ad621cb33048f79d5df23bd9dcf2748c747b5c89c777982b7ce4799a24673
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dllFilesize
34KB
MD5798d6938ceab9271cdc532c0943e19dc
SHA15f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3
SHA256fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2
SHA512644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31
-
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20243.10853\user.configFilesize
966B
MD54976132fffd86207a32a9298ff5369e1
SHA160a25361212731643fd75d7cbc0edc79062da2ca
SHA2561ca4d7a22b9fe21661225046dc7c1dda805cc7212ce39a9d5595e7481b7f2ebc
SHA5122d93d1ea2176cbe5664215792bf75422ab8f79429b9d8e23377499d7c8841510a3d488747dfee80e9f9acf2391e7110ded26bf5e14be5e8712571d5dd833715e
-
C:\Users\Admin\AppData\Local\Temp\nsg94D0.tmp\System.dllFilesize
12KB
MD5192639861e3dc2dc5c08bb8f8c7260d5
SHA158d30e460609e22fa0098bc27d928b689ef9af78
SHA25623d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA5126e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exeFilesize
4.4MB
MD59cfc955fb5d23835a83883134aca8db9
SHA13aaf8cec695c3d4457e4cec2f573c42c1bb597b1
SHA256229085282b304f9e76d1282419255201941948a7961472e00f28f09dd0a20ca2
SHA512f57591cbb90338fa374c80967992498c33f32efac441469f79627f12b01c2d28da690da8e73fa9c2f602c054fae60ac92e1bdf0860540b6f36eda752129dd56d
-
C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exeFilesize
4.4MB
MD568c831dc8ee4a88592e26cb79a08d410
SHA167ffba83eac8f1b7414d7048d681240ddc747c63
SHA256174c811a5c0da930f53f29d68fcce985e88994e4bef869a04b57f399bef25bbc
SHA512af3de69884cdc9b361a8a8764ddfa2cc2c67ad7e5319f1dceb7496d8f8639a85b042bffddf9516d796f7b21ee453d66dc80b139bcc7213de43b41f92d8acf2d7
-
C:\Users\Admin\Documents\Fiddler2\AutoResponder.xmlFilesize
247B
MD50e3a4ab1450632461c8d9cb1b2e10a5d
SHA144250635285d08985e071a31b971c309f6e6e7b1
SHA256cd4029999f46f8fe8b2c36ef90d87ec7e9b74c9feba4fdcea5ba27c7e5342263
SHA5125555cdc85f37a7503a2f7bccc5d91d6a7f3f7dcc96f464fe796b1b718fa566f1be1ef44e43111890c035aafbe8df51306ecfae8140ec5f8ea4ffef8c52c3d00e
-
C:\Users\Admin\Documents\Fiddler2\CustomMimeMappings.xmlFilesize
338B
MD57f107f3545b86fb8249523f58b4e5eac
SHA13c02ed862b0cbfb7a87dc62fa04402bb779b56fe
SHA256242f53e1a4a8000e41b2fb8eb6a274edf445bf9670ceba42eb7b97ed60ad7e22
SHA51299f49545362bdb486d5f3d4b2d0b52c66fd1f8ab7b8f9930bccaac1bbceeef846e13e28b3a52fb6d0902912608534823a6c201a300f066d689970f032d4c5701
-
C:\Users\Admin\Documents\Fiddler2\Scripts\BrowserPAC.jsFilesize
281B
MD598fdeef2a46dc15e8003f4011e3d0672
SHA10bdf43d67f01b1fe37f28ea7d1d74ebcdac5d0ef
SHA2564a8cd7eaa74ae85c16255c6c4ce0829f6db44815e07cf9af88cbd2ffdd84d4f0
SHA512cf554c86b1731e3a4738d994e6a7097e96ee54c041c0fac196a551121b7450aeb26d0b12918332e8fe4d7d8943ff5868ddfa2827c026a976bba4202b21b78e27
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\48284cc851a179c6096f5a08fd1c8eb1\EnableLoopback.ni.exeFilesize
160KB
MD5708f04787779748e29ea1d9e3a5d3552
SHA18e785213451151149b6d3c3793f694155d3db7f0
SHA25662db9e31c4707d922f377d592bc54c0dc4c80e26a09a9fa3baed0eb79a5e27e1
SHA512ac371ae6176f3f5311b5ed3edc9ee08b4f4e4ba17058ee369742ec2c153be2b260865934f3c5633d12b73592349cf60413eb53a514ecd9ac798e9a88d8838abd
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dllFilesize
2.7MB
MD589bedf9727f90a9f8e15826df509d7b9
SHA1f0c590abc08815c38aa522afee4438d69a78c490
SHA256224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929
SHA5124d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dllFilesize
3.0MB
MD5b0bd1b2c367441f420d9cc270cf7fab6
SHA1bdd65767f9c8047125a86b66b5678d8d72a76911
SHA256447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa
SHA512551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.auxFilesize
708B
MD5688ac15ac387cbac93d705be85b08492
SHA1a4fabce08bbe0fee991a8a1a8e8e62230f360ff2
SHA256ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470
SHA512a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dllFilesize
3.0MB
MD53385fdacfda1fc77da651550a705936d
SHA1207023bf3b3ff2c93e9368ba018d32bb11e47a8a
SHA25644a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec
SHA512bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.auxFilesize
1KB
MD5b019b58a1fc23042c21fa5518b2c18d5
SHA1a594de6ae6ef0a22c44a5cfacb8e35891f5e557b
SHA2562014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e
SHA51226f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dllFilesize
314KB
MD550b28be2b84f9dd1258a346525f8c2e5
SHA1203abebaa5c22c9f6ac099d020711669e6655ed8
SHA2566c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac
SHA512d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.auxFilesize
300B
MD55052a26ae1334e99f9c993f0ac477f5b
SHA1941e82d2397f79faf7707569927bb3dbea9ea34c
SHA256ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f
SHA512eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dllFilesize
345KB
MD535738b026183e92c1f7a6344cfa189fd
SHA1ccc1510ef4a88a010087321b8af89f0c0c29b6d8
SHA2564075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb
SHA512ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.auxFilesize
644B
MD5caba9e7248016ec410e8346b3cf4f51b
SHA1f9e23982f25f1977b0f668090c92cedc783efc89
SHA256638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149
SHA5124577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dllFilesize
986KB
MD5e4b53e736786edcfbfc70f87c5ef4aad
SHA162cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5
SHA2569ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46
SHA51242a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.auxFilesize
912B
MD5255a843ca54e88fd16d2befcc1bafb7a
SHA1aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9
SHA2568cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed
SHA512666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45
-
\??\pipe\LOCAL\crashpad_4392_UHYIOYEFPNCUQMXF
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e