06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fiddler.exe
Size

3.5MB
MD5

32cf2e7c6ae825d5f7cb2a7d39c2ee24
SHA1

262176d879e7727375025cae4aafc90698adad26
SHA256

d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5
SHA512

a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2
SSDEEP

49152:0Ms91NvXsJm+5Tti9og1fcaufet3YG5kCTnEsRH0jgB3:RsfNvXsJm+5TtiTMfeJnEsRHAgt

Score

9^/10

discovery evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2504 netsh.exe
3624 netsh.exe

pid	process
2504	netsh.exe
3624	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fiddler.exeFiddlerSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Fiddler.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 4 IoCs

Processes:

FiddlerClassicAutoUpdater.exeFiddlerSetup.exeSetupHelperFiddler.exe

pid process

4688 FiddlerClassicAutoUpdater.exe
4700 FiddlerSetup.exe
2592 SetupHelper
1580 Fiddler.exe

pid	process
4688	FiddlerClassicAutoUpdater.exe
4700	FiddlerSetup.exe
2592	SetupHelper
1580	Fiddler.exe

Loads dropped DLL 22 IoCs

Processes:

FiddlerSetup.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exeFiddler.exemscorsvw.exemscorsvw.exe

pid	process
4700	FiddlerSetup.exe
4792	mscorsvw.exe
1144	mscorsvw.exe
3620	mscorsvw.exe
2968	mscorsvw.exe
3128	mscorsvw.exe
2968	mscorsvw.exe
2832	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
2376	mscorsvw.exe
4728	mscorsvw.exe
1356	mscorsvw.exe
1580	Fiddler.exe
1160	mscorsvw.exe
5472	mscorsvw.exe
5472	mscorsvw.exe
1160	mscorsvw.exe
1580	Fiddler.exe
1160	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 17 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\48284cc851a179c6096f5a08fd1c8eb1\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c38-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12b8-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b98-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\488-0\System.Web.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\1M6KAFHRJV\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\1M6KAFHRJV\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\478-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b10-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e24-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

FiddlerSetup.exeFiddler.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\TypedURLs	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe

Modifies registry class 15 IoCs

Processes:

FiddlerSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.saz	FiddlerSetup.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Fiddler.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F\Blob = 030000000100000014000000c10bb76ad4ee815242406a1e3e1117ffec743d4f140000000100000014000000259dd0fc59098663c5ecf3b1133b571c03923611040000000100000010000000e6eb41ad6404317af8a18b64f98c2bcf0f0000000100000020000000d9c7db0b704f07089440c56e69a0f31d730edf77cfbf7514630e8b5390a270fe1900000001000000100000008050a1c09667687456bd1c63be8f6fcb5c0000000100000004000000001000001800000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b44b0000000100000044000000390043004200340033003700330041003400320035003200440045003800440032003200310032003900320039003800330036003300300034004500430035005f0000002000000001000000ec060000308206e8308204d0a003020102021077bd0e05b7590bb61d4761531e3f75ed300d06092a864886f70d01010b05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303732383030303030305a170d3330303732383030303030305a305c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613132303006035504031329476c6f62616c5369676e204743432052343520455620436f64655369676e696e67204341203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100cb20ef971eb9013243a05ba98a23fd205eae38128bca2cd4ff41d81a55d41953b7fda317e77a395cc0f7ce11a3f9a5ed01fab5ba93efaf93dcf8e2b3194c83b04a4450047884106aa4d696908e81f87cab2fb5a35733d2587b940e6d0fa591262ab3834f72b18a7b6492d0f0b4555f960b11e59ab52cb211cf251b7d512b981f49a35ff8139e35b80302daa4132f854aefc42f700ec1d4cc3312ecbd4095d311cae6cdb3059cc853eb52d7784c51019282de13f3078e74ba84809fd2a4150ee8afebf789f6df71f0d1bea7b241332075ccb1d5ed1d0719c4eb2677f2ab6d179349a9b7e6c3909cc6b8ecccc97b9a5ec5c52493636f7e108b61cf9855a324a28836f2f99fbe932eb2069f26c00c015612e1b28a9f0e1edc988b2ecfdae28934a61f26a0a8ae786deca188153cc2eaeeb7d8ad61a5af7036a2798edc0d73c0f1e42cab94ec5806393648d63b5ae822ce740eaf2cf115dad1b495e8acd5496de5afdd9b6b63205d8e7e3bb243d8623a94e5cdb498b3371924127273ab04b009dc85e6d42204ef402a1d2e6dc769d36eb7016c0de097a716e6268b88f70344865f62674cb5a737a855dc03368c6ecf6d3626f10e8fb03d71c0e132a782e4b6320232307cb593c821fd3c88e66963f8ee75c98bc2abefba3afde95ebfb611f1bef03dca323e6e7dde0f7e9b95c41287e71ab84eee2cc1dfa165e82483c92ac2fdb9530203010001a38201ad308201a9300e0603551d0f0101ff04040302018630130603551d25040c300a06082b0601050507030330120603551d130101ff040830060101ff020100301d0603551d0e04160414259dd0fc59098663c5ecf3b1133b571c03923611301f0603551d230418301680141f00bf46800afc7839b7a5b443d95650bbce963b30819306082b06010505070101048186308183303906082b06010505073001862d687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f636f64657369676e696e67726f6f74723435304606082b06010505073002863a687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f636f64657369676e696e67726f6f747234352e63727430410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f636f64657369676e696e67726f6f747234352e63726c30550603551d20044e304c304106092b06010401a03201023034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f3007060567810c0103300d06092a864886f70d01010b050003820201002575a009c939bab7a139892f189fabd6eb1d4be8947c0d07689b1c9def71b6176a6b024fb33f864587cc659b4ce35806022266d56102c5638fd4a2f1b65e250b7796e9cd7140338829eceef3a26dbc4db53e064bc97333ca08142d3d4ce8b0ba75a6742da4583a6c1349f8a5150a149685b16a68342542af9656f410fa247df12b72c116e16bebe6a998c73e5af4d0189dfd74978677462a3d237d28738aaeef2b1b9abf6c53a7149e3c8771c05e8ec8fbd32a9233ea574d5e075ecac118ac812d1a21fa6ecf97617bdf717a3aca63f7d530443732febb4385dcbafca6ca33192b776ddbcb05f07e5f752ea2b6bf35aa3663c9ce64d9bdfcbc2cf3495600c8122bc627bb37af57efc4cf1e29c4f4e22dce2a61cf57edf50a40e2f518d61ee9902fcad3875f938a481a111de537859f2e66629a5e814e95ac555743dc538b257e3c610f8a0bbaf53fa6d78ef704565e21bb9fd76a7180bf96de7203d8d8222bf327164f38e851400cae92efbe3d7df780c64c36578495a7841548300e5227088d8ea2bd22c719c9a6ca0ea87a36db6aba615f112495a4e28e68ee19a949995ed0b434bdd6f940c710973152393529118724d3c4fba963cb7748d5fa62fc24e0047a4ed0e46edece9e385026f4217165d70925d4c907007ab8c7f377e8c5d4e255d0d31ef67f52e2498db911720c88442633660144dfe4330e21de62894807daf5	Fiddler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Fiddler.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fiddler.exeFiddlerSetup.exeFiddler.exemsedge.exemsedge.exe

pid	process
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
3700	Fiddler.exe
4700	FiddlerSetup.exe
4700	FiddlerSetup.exe
1580	Fiddler.exe
1580	Fiddler.exe
2768	msedge.exe
2768	msedge.exe
1580	Fiddler.exe
1580	Fiddler.exe
4392	msedge.exe
4392	msedge.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe
1580	Fiddler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Fiddler.exeFiddler.exe

description pid process

Token: SeDebugPrivilege 3700 Fiddler.exe
Token: SeDebugPrivilege 1580 Fiddler.exe

description	pid	process
Token: SeDebugPrivilege	3700	Fiddler.exe
Token: SeDebugPrivilege	1580	Fiddler.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Fiddler.exeFiddler.exe

pid process

3700 Fiddler.exe
3700 Fiddler.exe
1580 Fiddler.exe
1580 Fiddler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Fiddler.exeFiddlerClassicAutoUpdater.exeFiddlerSetup.exemsedge.exe

description	pid	process	target process
PID 3700 wrote to memory of 4688	3700	Fiddler.exe	FiddlerClassicAutoUpdater.exe
PID 3700 wrote to memory of 4688	3700	Fiddler.exe	FiddlerClassicAutoUpdater.exe
PID 3700 wrote to memory of 4688	3700	Fiddler.exe	FiddlerClassicAutoUpdater.exe
PID 4688 wrote to memory of 4700	4688	FiddlerClassicAutoUpdater.exe	FiddlerSetup.exe
PID 4688 wrote to memory of 4700	4688	FiddlerClassicAutoUpdater.exe	FiddlerSetup.exe
PID 4688 wrote to memory of 4700	4688	FiddlerClassicAutoUpdater.exe	FiddlerSetup.exe
PID 4700 wrote to memory of 2504	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 2504	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 2504	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 3624	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 3624	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 3624	4700	FiddlerSetup.exe	netsh.exe
PID 4700 wrote to memory of 2856	4700	FiddlerSetup.exe	ngen.exe
PID 4700 wrote to memory of 2856	4700	FiddlerSetup.exe	ngen.exe
PID 4700 wrote to memory of 2228	4700	FiddlerSetup.exe	ngen.exe
PID 4700 wrote to memory of 2228	4700	FiddlerSetup.exe	ngen.exe
PID 4700 wrote to memory of 2592	4700	FiddlerSetup.exe	SetupHelper
PID 4700 wrote to memory of 2592	4700	FiddlerSetup.exe	SetupHelper
PID 4700 wrote to memory of 2592	4700	FiddlerSetup.exe	SetupHelper
PID 4700 wrote to memory of 4392	4700	FiddlerSetup.exe	msedge.exe
PID 4700 wrote to memory of 4392	4700	FiddlerSetup.exe	msedge.exe
PID 4392 wrote to memory of 4404	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 4404	4392	msedge.exe	msedge.exe
PID 4700 wrote to memory of 1580	4700	FiddlerSetup.exe	Fiddler.exe
PID 4700 wrote to memory of 1580	4700	FiddlerSetup.exe	Fiddler.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe
PID 4392 wrote to memory of 2012	4392	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Fiddler.exe
"C:\Users\Admin\AppData\Local\Temp\Fiddler.exe"
1⤵
- Checks computer location settings
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exe
"C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exe" /AUTOUPDATE
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exe" /AUTOUPDATE /D=
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
4⤵
- Modifies Windows Firewall
PID:2504

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
4⤵
- Modifies Windows Firewall
PID:3624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
4⤵
PID:2856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:2376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 274 -Pipe 25c -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:4728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 270 -Pipe 280 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
PID:5472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
5⤵
- Drops file in Windows directory
PID:5844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
4⤵
PID:2228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
5⤵
PID:4488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 26c -Pipe 294 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1dc -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2b4 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 298 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3620

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2cc -Pipe 1c8 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
5⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2832

C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
4⤵
- Executes dropped EXE
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb036646f8,0x7ffb03664708,0x7ffb03664718
5⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
5⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
5⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
5⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
5⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
5⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
5⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
5⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
5⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
5⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
5⤵
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:8
5⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
5⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
5⤵
PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
5⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
5⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
5⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,1793417250455535253,12455545635738451508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
5⤵
PID:5836

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe -startedByUpdate
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Win8EL
5⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb036646f8,0x7ffb03664708,0x7ffb03664718
6⤵
PID:5932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1636

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\PROGRAMS\FIDDLER\PLUGINS\NETWORKCONNECTIONS\TELERIK.NETWORKCONNECTIONS.WINDOWS.DLL
Filesize
33KB

MD5
5889357424d717c8629c8bfabcd0be50

SHA1
87e7047a40e24bd5ac23f89e072ee39a14a53023

SHA256
3564b25b24569b8d8a0128f2f4bddec89c0b8986da7542d9c64aac730360a600

SHA512
1af458742cefd4730d64b19ecc05460354f0e47a79cdcd7794877aa0f6c56cfb92f37a0daf66fedaec2a579eb0187d774b7d5ba1fff65d6ab1504df4c3668fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fiddler.exe.log
Filesize
2KB

MD5
666fbe2929c630945e035b4c464c1a9b

SHA1
2bbacc9a70144a89273c7c2afd0f5b4d391be44e

SHA256
703fe72237275b644efaf726ab812946452392e8f43a33f6318e085e47e6962c

SHA512
27d081b0f820d4cacae04cdb68e04148ae1230a8dd6ff6937b286ed742f7d2bb796b0337bbdd36957fcfee834725562c90a09aff26a51fd3d3001ba2888c3ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
624B

MD5
10a5821d17f4e3cdb3dfa61641ccac8d

SHA1
8d677f0f3cc85e27d00e662c0500892bbb60b138

SHA256
43aac1adc1c8f7ff8f0766b6b25628e9fda8e3cb423df772968d97518356d3f6

SHA512
27e77835795380d282103a44ef7893063bc8f00aa70fc41c12d757184aa4e76a5548fba561a52768bc335114cb1eb4f521621a758cfbc2a052bae5de212564d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
0f1f8a221591ccc4f91529e0bd9ba75f

SHA1
b0a62c2d5cfc35bc32480068e1ba40b124ab66d7

SHA256
8a8ca67b51d0c83fcc22d71d20e4529f150c555f1442c945a0f9c3ad50c0512b

SHA512
6d84abbe18727a7b91288f61faf29e60580678f6f4ca8753d13053879e77df6234c508a4905bc86dac18ceb8a35c9bad4dd12f231d9f168022305c4450fa09bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6f7e054cd27898bf71740169ee0652df

SHA1
6adc5fb27e19a15a82b68aa4c45e0d52060f663c

SHA256
efc56b2a2992a5cbb748d54f36da5728d5dba61484447b469204883eef7bbbff

SHA512
03f4f9bb6ff3a67bda5512d337b3f0df7668722efb440d1b0cb271fc658d0bc5940e64e248e0523bf52e57544f97ad50998c73510745c4dc106d817e14a09bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
695f3d85c2b64d1095677f660fb1f73d

SHA1
293bae77e83363ffdfa9d5ae0a725e95abcc44f4

SHA256
3e7c5a632cd423ed7356a1157e2a9157d6a8727bc5c19b0170644f31941a3656

SHA512
55eca737c088d248ce60eecdbba44bfd782b6da4f533442191f1376e2acdf40aad0f0d5491bcfd65dbe6bbabb3f5be5c1fe6f7bb50a4fd4ba7f37517d8b277cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
d783b36ad2e1902ad520fe31c31e1b01

SHA1
a55b5057b6007c5fda9dd14a6ddb465078eb6220

SHA256
41b9adaab46cea1c71c2c193def7eec3ac2403158260f315e3da6b24d57d8a72

SHA512
e2b3f58f183e0230cd5af701af92d9db5cc6a4fd5ca64abb026a8814d12ac737ba8d8e4de867bcdc2f4277537162247b1aab018ac4a89b5b86fe81b09261b2f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5801ff.TMP
Filesize
1KB

MD5
34187791b9a1525b6c29866ea64c3da4

SHA1
7179f6583b969877e2c21370b74b2d30e1905549

SHA256
cc4591086d26add23dff8e7a8e92fe1078e7c4bef8a1cc8d9db992a3d8774cbc

SHA512
7c1d7da854ff29802c036600ef7bb7df675caf00c52a3af100788159942ae77aa8cc696bb1f4ba2216fa951e61369b85106fdbd93cc80d66397ca9d118aaca01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
dd90c1da969595203b659efef24e25dd

SHA1
0006a6dc532bbedfe976291873b82fbb0f62317b

SHA256
ba137e1bfe9b1a2abe2c71fbcf8450815f62346286719f899dbf92289cbfdfaa

SHA512
9b3bcac8676f111c627c9fed1b13e765a0e8aa66a3c90387627e37a074d65eedd6d453f2463c9c34f1fe71b592f1e921bc4a9a3c3bd912e4e44f8d2aafe2d66c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll
Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe
Filesize
82KB

MD5
a897a628beb719bf888c95d70602ee83

SHA1
fe9dcec7c9c6f4f664814db6eb611a9a235a04b7

SHA256
1ab2c4a1d6d2b4899f63111466e4ebf944ab2ec7917926b20028bf181b22f49a

SHA512
11e6c91db91a3233bd4a68711e26144ad96f5f5b8f22004efb08a45d96e3526592ebc49aa6c20b3b8739c6091e3ffade4badefae20e07983e4ab2bc890354a05

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
Filesize
3.5MB

MD5
d8d686a8e171c52a856187dd6d5b18f2

SHA1
53bd857635684130bf340995e452457a61bcee23

SHA256
892ff0f941cba2ef1e8d5f7ddb14002e21c95f21a132c50762a4c79ef9fdc475

SHA512
fb1f026d92cd2cbcdc0ce9a4bb81a370999cca77c99c5db2b6089a510f55af9aa1c908727fe3f31de3ec8eb3142b3b1f7e2deeca641e2b9d56eb3543ebbbe714

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config
Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll
Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\Standard.dll
Filesize
247KB

MD5
0f8191a9defbcc4e27cb6d6d455bbd09

SHA1
17fe3a6f0d93082e1fcca23925db99be023b65c4

SHA256
e673dc35530cac477135267c41212de263798fe49b0e77ba9511eef908e4f7db

SHA512
43c07afe0e53ea7007cd1718797c53c87843c04bdcae58f531a5f1cfd579c8927b0938489e158c7106a9c77ed41b4a2e4ae805449686408cd2c65908cf091f68

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\SyntaxView.dll
Filesize
68KB

MD5
9271edebeb231896252e527ad4f2c1c5

SHA1
518b8a5415b879147a9666e9c8b6ddc5841c290f

SHA256
75ace796c6f2f1cafbb487b9de9fae7b33b8c6f68c56869654b0ae77618535ba

SHA512
2fb2265b7fa7fbac6ecdde4fe27047f44e0d11d74f917b4d43aaf7303f5a70452e1f1b050e4545875d0f47d4dd2b7aa63d842eac39224f119a4c6aeb7dc64a02

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll
Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll
Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll
Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Addon.dll
Filesize
46KB

MD5
094270ab2522a4228925480f5a07f4bb

SHA1
bb450f6931252a132c029c23b2fa10278a8c695f

SHA256
c3ae6b22fc6d7a8842747fb2bdea9f89bad48b7ba0de0440cbb6f41425ef8684

SHA512
01d23e7c0733c2326ec2238938aaa7c0749c74ab0966025ae2b0fec965da54eeb6ab0a097db9fe401c9110334e8f7f433060a3266d1da9a3851b41bb5bb21600

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Connection.dll
Filesize
1.8MB

MD5
8dfc61a6a71de70bb8fb9e637b35611c

SHA1
e6deaec2920460f7fb61cd3a9a35ff4d8ce8cb27

SHA256
d7521e7e1e669ffe5a75738f55f685cba0ba4c4af1b81faa6b681678f5ad4c3f

SHA512
54da6d578f40ecfdcf532285a78e287d3ca8d91dc9bde5c3fd009bf54718bbcb0696ea757cca8b77dff6bcb332bd16a834e1b90a014ac1170981d9f924a20c4d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Protocol.dll
Filesize
23KB

MD5
6a2eae44b3c3119e58f7f45a333104b7

SHA1
af79a4a2b7cb5db17616eecaaeeff213f06868e6

SHA256
cf4288d9c5f821fa031e1345fb2f84a29595939a116bbdfb534998a9bf80c82b

SHA512
6426e22a4443ee89cff7c1ebd3569fd6bbac4e7208a4f8435735aa7565ee416396880ba3c4b01fbf0eab5a3da076e591baf0b3f8014eed5347db5582e382335a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Utilities.dll
Filesize
18KB

MD5
9cc10f9727a4711b75f77a02d48a052e

SHA1
f6096f609eacd11175a651773990ec5a6eba546d

SHA256
e6ffde792bf1b185f6832c44bc6cb3ac32e062c21f4741909ed8275bc1490f36

SHA512
d66ce0207a240206ec5214901887b39a87f36b4ec751db5d429b4b4b5e7bd10b4555ca046f11822f315cd9021ec7d761c0157bdc62df0d48c449b2bfdf46ed9d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\RulesTab2.dll
Filesize
35KB

MD5
b2bd0db74d2cce3553a3cb84a7b0db92

SHA1
1858ecedd27126ffa3c66bac3fcb54b7cc8e083c

SHA256
17cc1be54b11bac35f7d130a78684bc7a25d32891d51ba619f748b42c5eabfca

SHA512
241c34343a82d61c2202e5431de2143d72b2393f54698980b2b2002c111e54803e9fc87b72fa1d28ad8ae2029f841eaa633e79ce7a9755204216854e539977a7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\SampleRules.js
Filesize
22KB

MD5
cb7bf8b2d0e15c0ecc290a242b9f743a

SHA1
f1215262c0729dc6700fd5158ef6e437e64a4821

SHA256
69cc5397e0fa9f99a0d21476da21147631a213f9f15652f8f182f34025abb500

SHA512
49202347079e366477ba67372b086f5064b108c0c40aa52dfd833dee821b87cc37d9929d5da4fefdd62a824ebf34c161107f08ea7b33d866d21c266ce99972fe

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\SimpleFilter.dll
Filesize
136KB

MD5
429d745780defb0e1dd4a2c99a48eab1

SHA1
ece6236e18d2f6d21295519c459139cf8dbcabbf

SHA256
bbf13d9928338c6a12046987d9027f809fb79abbc3d0854fecad62e3bcb6e6f3

SHA512
4929093a2e0126ed2efe714c7ce20e9d1abe5001504dc1ecfbbb1a5fe8b570fe960e94bb04d349a5c263cabf9b97d053150d6514b4642a453068ad410e64b187

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\Timeline.dll
Filesize
39KB

MD5
524430838cca89a4143e927c98175159

SHA1
26b960380f92c7dbe20c6627cf726030c0bf5f77

SHA256
44202e9142630d1466829578aa85ffef5446b959235a3f2bf816d48a9a529789

SHA512
230fb6794287cad2382b12b52ef5275db4a5af3cc345adc44e9a2c551f2527a86e3558ba68c3b20c87bf501a86e4300e7d2b9e58e3af946a71ed0b4c9f293691

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
Filesize
18KB

MD5
94dc69e00d3c9728e5b9924907930a11

SHA1
61a8df9ccf28af1da33a69158de6a9a59a01f848

SHA256
b22130b228a0777d7fef3cec8a0ba3789bca488978d1607e36dccc85f3e8372f

SHA512
a02e5d28dc1cd95f534e26abe5be2ff076e39c164ec37f44717c2ed6c8c013e0230ad621cb33048f79d5df23bd9dcf2748c747b5c89c777982b7ce4799a24673

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll
Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20243.10853\user.config
Filesize
966B

MD5
4976132fffd86207a32a9298ff5369e1

SHA1
60a25361212731643fd75d7cbc0edc79062da2ca

SHA256
1ca4d7a22b9fe21661225046dc7c1dda805cc7212ce39a9d5595e7481b7f2ebc

SHA512
2d93d1ea2176cbe5664215792bf75422ab8f79429b9d8e23377499d7c8841510a3d488747dfee80e9f9acf2391e7110ded26bf5e14be5e8712571d5dd833715e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg94D0.tmp\System.dll
Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8398.tmp\FiddlerSetup.exe
Filesize
4.4MB

MD5
9cfc955fb5d23835a83883134aca8db9

SHA1
3aaf8cec695c3d4457e4cec2f573c42c1bb597b1

SHA256
229085282b304f9e76d1282419255201941948a7961472e00f28f09dd0a20ca2

SHA512
f57591cbb90338fa374c80967992498c33f32efac441469f79627f12b01c2d28da690da8e73fa9c2f602c054fae60ac92e1bdf0860540b6f36eda752129dd56d

Download Submit
C:\Users\Admin\Desktop\FiddlerClassicAutoUpdater.exe
Filesize
4.4MB

MD5
68c831dc8ee4a88592e26cb79a08d410

SHA1
67ffba83eac8f1b7414d7048d681240ddc747c63

SHA256
174c811a5c0da930f53f29d68fcce985e88994e4bef869a04b57f399bef25bbc

SHA512
af3de69884cdc9b361a8a8764ddfa2cc2c67ad7e5319f1dceb7496d8f8639a85b042bffddf9516d796f7b21ee453d66dc80b139bcc7213de43b41f92d8acf2d7

Download Submit
C:\Users\Admin\Documents\Fiddler2\AutoResponder.xml
Filesize
247B

MD5
0e3a4ab1450632461c8d9cb1b2e10a5d

SHA1
44250635285d08985e071a31b971c309f6e6e7b1

SHA256
cd4029999f46f8fe8b2c36ef90d87ec7e9b74c9feba4fdcea5ba27c7e5342263

SHA512
5555cdc85f37a7503a2f7bccc5d91d6a7f3f7dcc96f464fe796b1b718fa566f1be1ef44e43111890c035aafbe8df51306ecfae8140ec5f8ea4ffef8c52c3d00e

Download Submit
C:\Users\Admin\Documents\Fiddler2\CustomMimeMappings.xml
Filesize
338B

MD5
7f107f3545b86fb8249523f58b4e5eac

SHA1
3c02ed862b0cbfb7a87dc62fa04402bb779b56fe

SHA256
242f53e1a4a8000e41b2fb8eb6a274edf445bf9670ceba42eb7b97ed60ad7e22

SHA512
99f49545362bdb486d5f3d4b2d0b52c66fd1f8ab7b8f9930bccaac1bbceeef846e13e28b3a52fb6d0902912608534823a6c201a300f066d689970f032d4c5701

Download Submit
C:\Users\Admin\Documents\Fiddler2\Scripts\BrowserPAC.js
Filesize
281B

MD5
98fdeef2a46dc15e8003f4011e3d0672

SHA1
0bdf43d67f01b1fe37f28ea7d1d74ebcdac5d0ef

SHA256
4a8cd7eaa74ae85c16255c6c4ce0829f6db44815e07cf9af88cbd2ffdd84d4f0

SHA512
cf554c86b1731e3a4738d994e6a7097e96ee54c041c0fac196a551121b7450aeb26d0b12918332e8fe4d7d8943ff5868ddfa2827c026a976bba4202b21b78e27

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\48284cc851a179c6096f5a08fd1c8eb1\EnableLoopback.ni.exe
Filesize
160KB

MD5
708f04787779748e29ea1d9e3a5d3552

SHA1
8e785213451151149b6d3c3793f694155d3db7f0

SHA256
62db9e31c4707d922f377d592bc54c0dc4c80e26a09a9fa3baed0eb79a5e27e1

SHA512
ac371ae6176f3f5311b5ed3edc9ee08b4f4e4ba17058ee369742ec2c153be2b260865934f3c5633d12b73592349cf60413eb53a514ecd9ac798e9a88d8838abd

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll
Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll
Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux
Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll
Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux
Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll
Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux
Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux
Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll
Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux
Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
\??\pipe\LOCAL\crashpad_4392_UHYIOYEFPNCUQMXF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-290-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/1160-574-0x000002395A580000-0x000002395A5A6000-memory.dmp

Filesize
152KB

Download
memory/1356-503-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/1580-369-0x00000226BE190000-0x00000226BE19C000-memory.dmp

Filesize
48KB

Download
memory/1580-405-0x00000226DB610000-0x00000226DB652000-memory.dmp

Filesize
264KB

Download
memory/1580-575-0x0000022EDDE50000-0x0000022EDE5F6000-memory.dmp

Filesize
7.6MB

Download
memory/1580-423-0x00000226DC430000-0x00000226DC60A000-memory.dmp

Filesize
1.9MB

Download
memory/1580-428-0x00000226D8E30000-0x00000226D8E3A000-memory.dmp

Filesize
40KB

Download
memory/1580-430-0x00000226D8E40000-0x00000226D8E48000-memory.dmp

Filesize
32KB

Download
memory/1580-432-0x00000226D8F30000-0x00000226D8F3C000-memory.dmp

Filesize
48KB

Download
memory/1580-434-0x00000226DB560000-0x00000226DB586000-memory.dmp

Filesize
152KB

Download
memory/1580-436-0x00000226D8F50000-0x00000226D8F5E000-memory.dmp

Filesize
56KB

Download
memory/1580-421-0x00000226D8E20000-0x00000226D8E30000-memory.dmp

Filesize
64KB

Download
memory/1580-408-0x00000226D8F70000-0x00000226D8F82000-memory.dmp

Filesize
72KB

Download
memory/1580-326-0x00000226BD8D0000-0x00000226BDC5A000-memory.dmp

Filesize
3.5MB

Download
memory/2376-406-0x0000015FAB730000-0x0000015FABABA000-memory.dmp

Filesize
3.5MB

Download
memory/2376-453-0x0000015FAB620000-0x0000015FAB63E000-memory.dmp

Filesize
120KB

Download
memory/2376-412-0x0000015FABAC0000-0x0000015FABB72000-memory.dmp

Filesize
712KB

Download
memory/2376-443-0x0000015F931C0000-0x0000015F931DC000-memory.dmp

Filesize
112KB

Download
memory/2376-444-0x0000015FAC9F0000-0x0000015FACEBC000-memory.dmp

Filesize
4.8MB

Download
memory/2376-485-0x0000015F91620000-0x0000015F91630000-memory.dmp

Filesize
64KB

Download
memory/2376-410-0x0000015FAB560000-0x0000015FAB5DA000-memory.dmp

Filesize
488KB

Download
memory/2376-478-0x0000015FABC30000-0x0000015FABC6C000-memory.dmp

Filesize
240KB

Download
memory/2376-479-0x0000015FABBF0000-0x0000015FABC02000-memory.dmp

Filesize
72KB

Download
memory/2376-471-0x0000015FAB6A0000-0x0000015FAB71E000-memory.dmp

Filesize
504KB

Download
memory/2376-472-0x0000015FABBD0000-0x0000015FABBF0000-memory.dmp

Filesize
128KB

Download
memory/2376-449-0x0000015FAB660000-0x0000015FAB692000-memory.dmp

Filesize
200KB

Download
memory/2376-446-0x0000015FAB5E0000-0x0000015FAB5F2000-memory.dmp

Filesize
72KB

Download
memory/2376-447-0x0000015FAB600000-0x0000015FAB620000-memory.dmp

Filesize
128KB

Download
memory/2376-455-0x0000015FABD00000-0x0000015FABE22000-memory.dmp

Filesize
1.1MB

Download
memory/2376-452-0x0000015FABB80000-0x0000015FABBC4000-memory.dmp

Filesize
272KB

Download
memory/2376-442-0x0000015F93240000-0x0000015F9327A000-memory.dmp

Filesize
232KB

Download
memory/2376-454-0x0000015FAB640000-0x0000015FAB65A000-memory.dmp

Filesize
104KB

Download
memory/2592-182-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2832-378-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/2968-350-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/3128-327-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/3620-305-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/3700-17-0x000002125F090000-0x000002125F09A000-memory.dmp

Filesize
40KB

Download
memory/3700-9-0x0000021262710000-0x000002126271C000-memory.dmp

Filesize
48KB

Download
memory/3700-15-0x0000021262C20000-0x0000021262DFA000-memory.dmp

Filesize
1.9MB

Download
memory/3700-18-0x000002125F0F0000-0x000002125F0F8000-memory.dmp

Filesize
32KB

Download
memory/3700-21-0x000002125F130000-0x000002125F13E000-memory.dmp

Filesize
56KB

Download
memory/3700-20-0x000002125F160000-0x000002125F186000-memory.dmp

Filesize
152KB

Download
memory/3700-1-0x0000021243BF0000-0x0000021243F72000-memory.dmp

Filesize
3.5MB

Download
memory/3700-22-0x000002125F250000-0x000002125F30A000-memory.dmp

Filesize
744KB

Download
memory/3700-19-0x000002125F100000-0x000002125F10C000-memory.dmp

Filesize
48KB

Download
memory/3700-2-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-0-0x00007FFB06B63000-0x00007FFB06B65000-memory.dmp

Filesize
8KB

Download
memory/3700-14-0x000002125F060000-0x000002125F070000-memory.dmp

Filesize
64KB

Download
memory/3700-16-0x000002125F110000-0x000002125F12A000-memory.dmp

Filesize
104KB

Download
memory/3700-3-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-23-0x00000212633B0000-0x0000021263954000-memory.dmp

Filesize
5.6MB

Download
memory/3700-24-0x000002125F140000-0x000002125F148000-memory.dmp

Filesize
32KB

Download
memory/3700-4-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-28-0x000002125F310000-0x000002125F360000-memory.dmp

Filesize
320KB

Download
memory/3700-30-0x00000212636C0000-0x0000021263BE8000-memory.dmp

Filesize
5.2MB

Download
memory/3700-13-0x000002125F070000-0x000002125F082000-memory.dmp

Filesize
72KB

Download
memory/3700-12-0x000002125F0A0000-0x000002125F0E2000-memory.dmp

Filesize
264KB

Download
memory/3700-5-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-11-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-10-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-7-0x00000212626F0000-0x00000212626FC000-memory.dmp

Filesize
48KB

Download
memory/3700-6-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-8-0x00000212627D0000-0x000002126281A000-memory.dmp

Filesize
296KB

Download
memory/3700-79-0x00007FFB06B60000-0x00007FFB07621000-memory.dmp

Filesize
10.8MB

Download
memory/3700-78-0x0000021261870000-0x0000021261FC7000-memory.dmp

Filesize
7.3MB

Download
memory/4488-186-0x000001BDF7250000-0x000001BDF7272000-memory.dmp

Filesize
136KB

Download
memory/4488-181-0x000001BDDEBC0000-0x000001BDDEBD8000-memory.dmp

Filesize
96KB

Download
memory/4488-183-0x000001BDF73B0000-0x000001BDF7536000-memory.dmp

Filesize
1.5MB

Download
memory/4488-184-0x000001BDF7220000-0x000001BDF7242000-memory.dmp

Filesize
136KB

Download
memory/4488-185-0x000001BDF7540000-0x000001BDF75F2000-memory.dmp

Filesize
712KB

Download
memory/4792-275-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download