Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10/10/2024, 10:02
Static task
static1
Behavioral task
behavioral1
Sample
FiddlerSetup.5.0.20242.10753-latest.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FiddlerSetup.5.0.20242.10753-latest.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/FiddlerSetup.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/FiddlerSetup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Analytics.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Analytics.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Be.Windows.Forms.HexBox.dll
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
Be.Windows.Forms.HexBox.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
DotNetZip.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
DotNetZip.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
EnableLoopback.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
EnableLoopback.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
ExecAction.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
ExecAction.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
FSE2.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
FSE2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Fiddler.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
Fiddler.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
ForceCPU.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
ForceCPU.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
GA.Analytics.Monitor.dll
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
GA.Analytics.Monitor.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
ImportExport/BasicFormats.dll
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
ImportExport/BasicFormats.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
ImportExport/VSWebTestExport.dll
Resource
win7-20240708-en
Behavioral task
behavioral28
Sample
ImportExport/VSWebTestExport.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
Inspectors/QWhale.Common.dll
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
Inspectors/QWhale.Common.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
Inspectors/QWhale.Editor.dll
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
Inspectors/QWhale.Editor.dll
Resource
win10v2004-20241007-en
General
-
Target
$PLUGINSDIR/FiddlerSetup.exe
-
Size
4.3MB
-
MD5
5d96b95b066d797c7c468d125882ddcf
-
SHA1
8a130db5e4f6207b70939c5007d6689c22378c7d
-
SHA256
7ea1a09eeab47eb4658938bf4a023c6231de726ad076fde189c3383ffb4091fe
-
SHA512
fd746263b0aad96e90468aac664a3f02af20c2291e03138cf201d68036bd8ce26cc36b5fdc4e97ae5f93c65a5660de91988e3ee7156359de509fea9b4308550a
-
SSDEEP
98304:uB6cDqnTgnRkidZ7C0eNGyJW3lE4RrtRmrpIZhGuul38YR7O8sOKduG8xOvC:uRdnRkgCNGyJ/IJYR7vsOKwGYO
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1792 netsh.exe 1500 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2720 SetupHelper -
Loads dropped DLL 18 IoCs
pid Process 2592 FiddlerSetup.exe 2592 FiddlerSetup.exe 2592 FiddlerSetup.exe 2592 FiddlerSetup.exe 3048 mscorsvw.exe 2816 mscorsvw.exe 1248 mscorsvw.exe 2656 mscorsvw.exe 2656 mscorsvw.exe 2656 mscorsvw.exe 2528 mscorsvw.exe 2984 mscorsvw.exe 2024 mscorsvw.exe 2024 mscorsvw.exe 2024 mscorsvw.exe 1584 mscorsvw.exe 2332 mscorsvw.exe 300 mscorsvw.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 27 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 15 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1860 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1860 iexplore.exe 1860 iexplore.exe 960 IEXPLORE.EXE 960 IEXPLORE.EXE 960 IEXPLORE.EXE 960 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1792
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"2⤵PID:892
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"3⤵PID:1600
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 164 -Pipe 168 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3048
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 0 -NGENProcess 180 -Pipe 188 -Comment "NGen Worker Process"3⤵PID:1804
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 160 -Pipe 18c -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 184 -Pipe 1d0 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
PID:1248
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
PID:2656
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 194 -Pipe 1dc -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2528
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 164 -Pipe 1e4 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2984
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 194 -Pipe 160 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
PID:2024
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1a4 -Pipe 180 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1584
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1cc -Pipe 184 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2332
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1c8 -Comment "NGen Worker Process"3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:300
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 178 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:2396
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1ec -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:2680
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 194 -Pipe 164 -Comment "NGen Worker Process"3⤵PID:2992
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1a4 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:3032
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:284
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:1032
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1f4 -Pipe 194 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:2848
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1f8 -Pipe 1e0 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:1616
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 1fc -Pipe 1c4 -Comment "NGen Worker Process"3⤵
- Drops file in Windows directory
PID:600
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"2⤵PID:396
-
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://fiddler2.com/r/?Fiddler2FirstRun2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:960
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD573d305204a859ebcdc8fda672eb2ae6e
SHA1908bef7432a349ee4622ea84bc48fa3a3efe25c1
SHA256b0a36b5434f71edcc9ba09bfb6ec09991bf958be39cb35d28b7ba6058017b2f0
SHA512d0b033250b47808f99bcd5a6f6ba4b5e5451a747e66b7afb6b112f20d4d629b4893b02accc6946c8e9de5edcf184c279f30642550f279ded21a46dc90546a29a
-
Filesize
32KB
MD51c2bd080b0e972a3ee1579895ea17b42
SHA1a09454bc976b4af549a6347618f846d4c93b769b
SHA256166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29
SHA512946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0
-
Filesize
449KB
MD511bbdf80d756b3a877af483195c60619
SHA199aca4f325d559487abc51b0d2ebd4dca62c9462
SHA256698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
SHA512ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29
-
Filesize
261B
MD5c2edc7b631abce6db98b978995561e57
SHA15b1e7a3548763cb6c30145065cfa4b85ed68eb31
SHA256e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14
SHA5125bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2
-
Filesize
52KB
MD56f9e5c4b5662c7f8d1159edcba6e7429
SHA1c7630476a50a953dab490931b99d2a5eca96f9f6
SHA256e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790
SHA51278fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8
-
Filesize
647KB
MD55afda7c7d4f7085e744c2e7599279db3
SHA13a833eb7c6be203f16799d7b7ccd8b8c9d439261
SHA256f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
SHA5127cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944
-
Filesize
192KB
MD5ac80e3ca5ec3ed77ef7f1a5648fd605a
SHA1593077c0d921df0819d48b627d4a140967a6b9e0
SHA25693b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5
SHA5123ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159
-
Filesize
816KB
MD5eaa268802c633f27fcfc90fd0f986e10
SHA121f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f
SHA256fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54
SHA512c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47
-
Filesize
228KB
MD53be64186e6e8ad19dc3559ee3c307070
SHA12f9e70e04189f6c736a3b9d0642f46208c60380a
SHA25679a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c
SHA5127d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78
-
Filesize
18KB
MD51289dc21a51fb89e685fa4c91764c00e
SHA1b24210c4e71ace272a1984e171d50380687f73fe
SHA2563e6f9a8b9dbd8adb521ce02a1c34e20350b3df438deb5bc4ada33c8cca6d25b9
SHA5129cf63f042197470e622b97bf11845722c6338e69f08932b2f11eca576162235ff82c2def13bf42cea4c3b583ebd0342ca10ca6e5f2a3c53e4a6db5ae7006a0f2
-
Filesize
34KB
MD5798d6938ceab9271cdc532c0943e19dc
SHA15f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3
SHA256fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2
SHA512644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll.aux
Filesize532B
MD5874863d695af07df17460e56498a47db
SHA1c64deff1aac7d97fee51aa09a1f8a64bb3679ed6
SHA256d8e59722d2b4881df93b9cde8d01523b73adc9a2eceb204fb7cd1963aff75c73
SHA512864b081d61881839495a097a4eb4ea71bb6a29246968fd981bc7e7d318558bb831fd673941459329e096625e454883b7f2af2e9b2f3785fe51b672f275e38728
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll.aux
Filesize588B
MD590dde7396bbc17dddaa7dcdec75c2d7b
SHA1613a143997175a531af577c3e47611d006cd585c
SHA256a3613a9ea1e995ce43a3754b3eab8f09325f039188593a4666bba0fa56dc5c03
SHA5123cb619a3fe00d5cff37830e080a5db2e27d122293fb15f200a6bb59ad905d32bb99c720d36d1a8f6fcd89cad5c8e2610dbf89c09db28f7ec1974041d4b026c18
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll.aux
Filesize888B
MD50c2e9bf2f96be2986d8b8449c0028067
SHA1c41ba485bc1d847ebba609bc4bcc37b4109f7fca
SHA2564d9d156b27b902a1265a2d36a47fb285ecba5abb97ca730df3893f3397f5da4a
SHA5128a8eb919323d37cacad9665b671d5639bcd4f0955997f5321a486c1e3179bb6762b2ae009cc658b402dbb4dc0d873e110e58f5b67565c458eff2d16c8f1e46f1
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux
Filesize580B
MD50fa7a2200ae2493f05b85e85688aa663
SHA118ce43782b1a150948a3c80df0dd3374372cf675
SHA256d2573a4a215ae02c70b6fac850c22931a757c18ff243c16b819b03d1dc2bf92e
SHA51284629c719112dc1257a89bd0de5d4be7465abe6b81a25c8326a05f5001c51e6f3b921652cb81da68bbec7e975f476aed6f8606d1da6e736f456c65853072e129
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll.aux
Filesize732B
MD561d90bbb5964d416b86d7ef8b9adef40
SHA1eba684714c32c9f2939499ee896a492122da707d
SHA2569051805012f5ce17fc5f4a71482b34f9c0c4b61bf640ee31f48719a926782ab9
SHA512867d21199f7fd950cdf9a4f2ce5435326abd7411a137f60c406b8ec185ae7d50e211dbf98a37591aba24bdd00fbcfee974e46f6691e8589e6dae2d11e2e8f47a
-
Filesize
2KB
MD5c228a99297b86188b16cd8ae9f9e95c7
SHA1b4603bf9196c3908a94ddff0ac2e51d1edd40777
SHA2564bf1bad2d0aa458307845c6cfff003ad168b9af1c183d4fd44de734bf66ead97
SHA512f6933920fa6c75bd3facbc91d8b6d594461ebfd54c5557155fbda4d6fd35c135d2438e377538540103947f7394d404d05dc7b08fd731e067cf45d94919cf474d
-
Filesize
716B
MD517c17240ab6ab6254d5e377730f02a1a
SHA11d3958db4e5d2a29732e45ed2eadfa08d1d879ed
SHA256d9923f94b9cba213ffac3e41953b9ca991a562fbfc5c1765b4fd05c25fb94b0e
SHA512d3046376bbfd7591a34be448bc102c380816b779a3866757c39998248739c165bd724321ff63ef0114090ff37b9c4043c89b058e253fe072f42e68a3d677f101
-
Filesize
712B
MD5edf737aa1f61c81d720917eb84e9fd5d
SHA18f6e5fd53b5c381491caa2d4a93cf81421088bce
SHA256495b3d096ede487f9c7a7308ca15eb61b06a220089f7b9cd216013e0131bccdc
SHA51245bb1c38ce0276730bfca53b6400db107f4854c9f9a80465e98bd98d40b69d4b2db8e2eb8e39bd26dbc16d26303ca1e21417aa67e88ef146e1254e33d39801fc
-
Filesize
3.5MB
MD532cf2e7c6ae825d5f7cb2a7d39c2ee24
SHA1262176d879e7727375025cae4aafc90698adad26
SHA256d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5
SHA512a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2
-
Filesize
50KB
MD57a8df7276257139271a09a8947da44e5
SHA1965c788156e2e29b6d1012430afee0cad13093b0
SHA2568b0b9859af32d467fb7031ac8164779ffdb274cdaff959d89d11a65a365c8e12
SHA5122769f62f0de76726c33cb0eae42c933806ddceae6c1f97d16302c575a8955fe33d4388824ca2a2c1269b09755e42b82fa5dceca825bd19e3e83ed43f97ca1f79
-
Filesize
12KB
MD54add245d4ba34b04f213409bfe504c07
SHA1ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA2569111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA5121bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\d756563aa7cd4e9c00502605394ea611\Analytics.ni.dll
Filesize148KB
MD54b962d3d8b3c91fa54e20ea48d09a990
SHA135468f050fb1b4a5e57a437b644d2c9e512f862f
SHA2563e7dc77c58ae21758add41de81b649240e95707abcbd6d02fccdaa73449ab33f
SHA5125ba87664ebadc3611523e69c9b26b6b9f4576240eb5c3a7e39a21a3a6f68f37142c9902fe4410f4e60593556d0e641a9ee82a37c1cb29e50d6247db2804ac3c5
-
\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll
Filesize1013KB
MD575466b5e53a262f579d58042eb0c6fa5
SHA1aba87382496d180a3e71c3626b617bb65308d358
SHA256dd470f06556af0b809868b8ddcf6db70833d41fb1b7d2086de7ecde34e3085fe
SHA512efe4fc459cdf8148792f0d43da4b5e6e5ef86f6f2ba2fde868ae6b4ad72f58ed8af6e134de72d754f5916e3570e7d1f205633321605c4f939453537cbd538bb9
-
\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\3bf155f5fe5c3c876614c4d82313933c\GA.Analytics.Monitor.ni.dll
Filesize158KB
MD5188e0e27618fc054e447005da14b39e6
SHA1fa53f294d3f2d484b513f17ca5d21b33a52e2500
SHA2567602634749732ab0411aebe3b5789b736c8e68d07688dd22d83f29b6e86675c9
SHA512717e160dec70f5d647e6152ed1ce8ed1e4d64118cd68ffaa091264d8a7b947175261552a9171ebf4ddc7fe0096608a9a4f5d1b24857d1c8eb5d750b2e085670c
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll
Filesize546KB
MD575de4db178e3310ebf8bfa83a003b8e2
SHA1c0d05985fb9e28ede26b00143d939839cb0e3ae6
SHA256304ae94177bcd5f8659eb5a232676c2a9857dc495c273fce2e2e65fab4ae4eb6
SHA5124310161d72d60ef55a5ca6601bf4f5773518a9fcbeab4fda60afc18b334a1fbded3a5426795ed3587b5c51e2f6fc39176014a75e75aca2d3cfafc8a19d85b983
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll
Filesize1011KB
MD56d7e1bc098c599dc54b552531ed637ac
SHA1ff4648a4ce473a3cbe6e3c75e1c606d593353de1
SHA256874ece1c76a575a96e174eb846edcbeb6134ee66e71bfd025a250a7406627ef5
SHA5121e88c80b969c0ac44e880316189ce3789f2fb0d8044e39c90ef99edfe4de83f7c21dc21adf4c51f6d88f77b92035b519794ed91d9d04c74cef971aa3424ce04a
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\faa890702be0a0b8574aa82cb24b9da3\Microsoft.Build.Tasks.v4.0.ni.dll
Filesize4.1MB
MD507de6b9bdeebae49461ef58e29953464
SHA15ba78e69c3d93724c6a3de013157b9350bcd6eb9
SHA25685da41cc1f1beac3528bab39240912ecb8ac7fb313a89342e3fffd9cf0a99c74
SHA5121b10add9a8cab2913299a03da26ad4fcb84826ff33c847d53078d18e3459b4c07a3b0ee52b67d9fe2f5b90ae7f98da502369159c2edc3e81fa569242184ab0b4
-
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll
Filesize2.7MB
MD5d1d5dd7761a0e2c31c2baeeb4442a6ba
SHA1c681dca866baa02e7840bffdbcff349da69ba25c
SHA25684676accc10df0f610772b5d447b058a9fd3c4d399cddc01ef6510d9832915f1
SHA51259891b98e42635c056debe5fdd373b3d31ef1731c653c7df179c0db8544c6bfc6e4899d62a3068b76a652e71899b285e1757260ccaa805658e1e77e00cb9b263
-
\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll
Filesize3.7MB
MD503eabadb3e9fe0a8566ce36fde2ed959
SHA1c0da077a84d61426c6de7d27b5bd3d5beb034352
SHA2562467069bdc725532c792ab7f026bbafbbdbbd311d5ba83c502cc35a044b90860
SHA512b60a5ac1f0b062ba3319ba93171f2d150a536fa4ce37bc7061a76949ca98c5ee08dc342f232bf47b36753c4046c23828fea8560b083778f175d5303906c9bc82
-
\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll
Filesize94KB
MD58c1196b2476c2ae2dee297e3db1cf37f
SHA127b4c6bc7876d7f52f34bffe2fb1f3cee88444ff
SHA256f298ac1090234846c34b192f4683d34477f84f5eb8b844afedac9d4de246e104
SHA512cd4bbe93c3a40035c65358ba714f39b8c6770aa44bdb87ed6dd23292f7a641c3da3977691fb1ecf83f1dbb6fe704edc6eeb817d1da48b4f2f9de62cf9c2ec591