06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

Analysis

max time kernel
147s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/FiddlerSetup.exe
Size

4.3MB
MD5

5d96b95b066d797c7c468d125882ddcf
SHA1

8a130db5e4f6207b70939c5007d6689c22378c7d
SHA256

7ea1a09eeab47eb4658938bf4a023c6231de726ad076fde189c3383ffb4091fe
SHA512

fd746263b0aad96e90468aac664a3f02af20c2291e03138cf201d68036bd8ce26cc36b5fdc4e97ae5f93c65a5660de91988e3ee7156359de509fea9b4308550a
SSDEEP

98304:uB6cDqnTgnRkidZ7C0eNGyJW3lE4RrtRmrpIZhGuul38YR7O8sOKduG8xOvC:uRdnRkgCNGyJ/IJYR7vsOKwGYO

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1792	netsh.exe
1500	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	SetupHelper

Loads dropped DLL 18 IoCs

pid	Process
2592	FiddlerSetup.exe
2592	FiddlerSetup.exe
2592	FiddlerSetup.exe
2592	FiddlerSetup.exe
3048	mscorsvw.exe
2816	mscorsvw.exe
1248	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2656	mscorsvw.exe
2528	mscorsvw.exe
2984	mscorsvw.exe
2024	mscorsvw.exe
2024	mscorsvw.exe
2024	mscorsvw.exe
1584	mscorsvw.exe
2332	mscorsvw.exe
300	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 27 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\630-0\Newtonsoft.Json.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZDJOEAL9Q7\GA.Analytics.Monitor.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\WELM7XQHIX\Microsoft.Build.Utilities.v4.0.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\WELM7XQHIX\Microsoft.Build.Utilities.v4.0.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ONQ7LGW0WS\Analytics.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\d756563aa7cd4e9c00502605394ea611\Analytics.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\J9XEXEOMIV\Microsoft.JScript.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\3bf155f5fe5c3c876614c4d82313933c\GA.Analytics.Monitor.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\J9XEXEOMIV\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12c-0\GA.Analytics.Monitor.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\GYW9KHKYBB\Telerik.NetworkConnections.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ba8-0\Telerik.NetworkConnections.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ZDJOEAL9Q7\GA.Analytics.Monitor.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\ONQ7LGW0WS\Analytics.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\GYW9KHKYBB\Telerik.NetworkConnections.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\5L34S0CMV6\DotNetZip.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JLMKUNBOAS\Microsoft.Build.Framework.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\5L34S0CMV6\DotNetZip.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9e0-0\DotNetZip.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\91c-0\Analytics.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\77MTOBTHYN\Microsoft.Build.Tasks.v4.0.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\77MTOBTHYN\Microsoft.Build.Tasks.v4.0.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JLMKUNBOAS\Microsoft.Build.Framework.ni.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0081bb0bfc1adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434716603"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f5420000000002000000000010660000000100002000000062046deb01671d9e64f6fbffa7e3c4fe7bc03177058371690f63592f45493a28000000000e8000000002000020000000ff28415e2374d8114241f22d504dcab266c5a14a9c479a9b2b600624898473839000000019adc3f47665ed4df90766b24aebe92ee21d0fe91fcc047301c9cc3bb8e330f7c7f360d2793cdd08fc6fe2e20e54cc0a2ae7bec2c22632227ab79658e2ae28b6fa28289ec46df35867dd24cd8ac8deb9b9dd42ce1646015f195bc1c54ab797e9c98dac6618c702fb9e52cecb32c05e1b48023568cc941cebee78dd18fea261cc6b0dcdd251f524f407cc294f7a81956340000000d6938029480eb1a05ffa0cfb984724d15b19fbec850c6e995279dfedd99cfcc4c066c5caf667ed84d642ee3d34c42c81a82fadb538ec309a85626e5bb7cbff1b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\MAIN	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{317B61D1-86EF-11EF-A045-62CAC36041A9} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000e2c051a140c90b2df34e6ff6826ebc4b4bd8723c84e35f5e163fbbf22cdee7af000000000e80000000020000200000001afc707b6e0f80af38cffcbf43b8a5111b83b985e53e0afa4d266fe438c5843d20000000a18b2552aaf38517ea704c00ba46dce7df432c9770db2d0b5353bfd371dfd24940000000d1608cd12f26b59b005dc012af98bdf6046d8007565f75ad8955c12d1845928a23597254941f24d95ced108eadcba7baa2d2570c101caa7176175bd8c683d683	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1860	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1860	iexplore.exe
1860	iexplore.exe
960	IEXPLORE.EXE
960	IEXPLORE.EXE
960	IEXPLORE.EXE
960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1792	2592	FiddlerSetup.exe	31
PID 2592 wrote to memory of 1792	2592	FiddlerSetup.exe	31
PID 2592 wrote to memory of 1792	2592	FiddlerSetup.exe	31
PID 2592 wrote to memory of 1792	2592	FiddlerSetup.exe	31
PID 2592 wrote to memory of 1500	2592	FiddlerSetup.exe	32
PID 2592 wrote to memory of 1500	2592	FiddlerSetup.exe	32
PID 2592 wrote to memory of 1500	2592	FiddlerSetup.exe	32
PID 2592 wrote to memory of 1500	2592	FiddlerSetup.exe	32
PID 2592 wrote to memory of 892	2592	FiddlerSetup.exe	34
PID 2592 wrote to memory of 892	2592	FiddlerSetup.exe	34
PID 2592 wrote to memory of 892	2592	FiddlerSetup.exe	34
PID 2592 wrote to memory of 892	2592	FiddlerSetup.exe	34
PID 2592 wrote to memory of 396	2592	FiddlerSetup.exe	36
PID 2592 wrote to memory of 396	2592	FiddlerSetup.exe	36
PID 2592 wrote to memory of 396	2592	FiddlerSetup.exe	36
PID 2592 wrote to memory of 396	2592	FiddlerSetup.exe	36
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 2720	2592	FiddlerSetup.exe	39
PID 2592 wrote to memory of 1860	2592	FiddlerSetup.exe	42
PID 2592 wrote to memory of 1860	2592	FiddlerSetup.exe	42
PID 2592 wrote to memory of 1860	2592	FiddlerSetup.exe	42
PID 2592 wrote to memory of 1860	2592	FiddlerSetup.exe	42
PID 1860 wrote to memory of 960	1860	iexplore.exe	43
PID 1860 wrote to memory of 960	1860	iexplore.exe	43
PID 1860 wrote to memory of 960	1860	iexplore.exe	43
PID 1860 wrote to memory of 960	1860	iexplore.exe	43

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1792
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
  2⤵
  PID:892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
    3⤵
    PID:1600
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 164 -Pipe 168 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 0 -NGENProcess 180 -Pipe 188 -Comment "NGen Worker Process"
    3⤵
    PID:1804
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 160 -Pipe 18c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2816
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 184 -Pipe 1d0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:1248
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1d4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 194 -Pipe 1dc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2528
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 0 -NGENProcess 164 -Pipe 1e4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 194 -Pipe 160 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2024
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1a4 -Pipe 180 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1cc -Pipe 184 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2332
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1c8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 178 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1ec -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2680
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 194 -Pipe 164 -Comment "NGen Worker Process"
    3⤵
    PID:2992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1a4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:284
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1d8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1f4 -Pipe 194 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1f8 -Pipe 1e0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1616
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 1fc -Pipe 1c4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://fiddler2.com/r/?Fiddler2FirstRun
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbb85a5e5a8d75b80f0d8d75605c0aea

SHA1
0b5fa4aa9600501fd9166da8e7dc408bd19bfc0b

SHA256
5044c4e28f360b16cc83f5b14ece1ca34ea0de710b8f4303383972a514828f42

SHA512
beaf17dd64046d89a66b0b948c225128fc0007077a4e60695bea0e7089964520f089aa6e504df71700e7cbb7f4d07903e712e3de7a3082770550473dd8daa952

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8abe770c00ba7f3d1b6c4136bb18976

SHA1
819c348a2fd3f06d29845d035733156cdd638b03

SHA256
5445600d5277342a7d418c8ae94d33520f29fbdfae71541d78f0bd961d17f8d0

SHA512
950fed4cfc0d12ad3cd3edc93731da72f51a8e23d573bc4bcc3fdbf086dd2457802bcb2ef902b161c4efd48e6d59c3da82a9604680749bc78f89cd00b6566691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa18b1d273763d1ce93c5bac7b5ecbe0

SHA1
0ce8389400642e1f51f582b1ca81f47ef057253e

SHA256
d02fbf4ef3d6e4447c7d42d487aa1418c758960701e019b9557705b6f0a6a4e0

SHA512
1632621a35a08818c0a02b76549084d9425f193358418b45cc01b0bc6c52c99d9f548985d72328c29e4396a0aabbffcedf05d4fb5dd4c73eb9297151f10a121f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f638bfb49c675eeb1c6378f0191383f7

SHA1
87ef251aa88026eefb8af0ee1ce60d581872567f

SHA256
16f4b44b69b687bb94043f2707c18be8ae337274deb58f266013bee56fe48db7

SHA512
5ebd7f7219df858ec428952e04ef1c8b4aee6a62ee8063999def14e83f11232d9e1790103d095a1d1aa7a69ab434d5f54c117ff6c9efbfff1096fbd1df51aef6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d15dc50ceda9509cc1fb14516e961efe

SHA1
8813009b6753a8de5e4a0c1bb600d66a8b64dbf5

SHA256
73cef9bc9c33ca2ed51e2745e36025f1853fc3f9ca81cd010883599f069911ef

SHA512
40e510ab9b9872495a4f6b38bf03ced830c0fc02d4bf699c0eb664e8a270509017b79d3b7b7f469fd4742f649dccf926ff2277707b9782f01b2b8b468a74400b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a272dce198a9e318556d2f35a3a0d1aa

SHA1
ba6992788755be50b9a02ba54c6a414bf03d5797

SHA256
256a44032c18dc500063e6a63ad75a85ad0e74117e2c5c92e3e59c9895407082

SHA512
6b4d7dd37dbbc2ba21a233c8dec83e2b23f92e273372678bfc7152180779591317b772f90c97f15a522315374f4c34e0692f731839d3313b28f3db8bd8c02cfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88e1cb64b7157244211deee718d7f26f

SHA1
38d05ca884aa9e77f9f4c5546a330d3dc5dcfa6a

SHA256
2d320dbffeeda01e33c833147ae238b54c66b5a9a554818dfafeb6edf7b3b4b1

SHA512
9af6491c0a5d021163dfd5444a2e55cf7459b3ceb111a90cf4c50bf4a3ec5f3be3bdb9fea7a763f9762119c22bb6fa5749540fba5032d5d14293b3b7a91db400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6dd115b2ce7dc9474db023869fa328b

SHA1
bfdf39cf8dbcc39f51a15c457c7513a1d98b89f5

SHA256
eabb045732ed9c6a57d3f302c12bbc11f1db526cf26d231ecc894fe0b02c61b5

SHA512
5af6928792ea74d2c96602f89125ada030224c861e509c3f680c76ce9aa8b5f6d5e945b8a51d2c2f2eae5a8c43d291c921b212b4c62586d27beb50f500afa78c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ced51c084f2b2e5feca2f813b49a8b01

SHA1
b8a28d02d5dd0fa35969ebbfd5a4d3846d72f549

SHA256
c00fdee1beadddb723b6b09cae37c853ab7bdd16ada48408f8784dbfa504cf11

SHA512
d84961a3e37324c4c48ab7bcda03926b04000af52601e200c987b02ff8d97c94ca6a58cdd141a74049674329e98cc8d52c48c8a936f677a391f41f21aaee338f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdcd50dc9114edf043ce656d61f76de7

SHA1
d07e28eebc68d657729be5d63da5adda7fff2c2c

SHA256
7154fff61b8f3708d17feaff23464c3a9594b4f4c765291f688e5e82bf1d1d1a

SHA512
91ef9e7052eb06c3ea83499e63b685e559b1f2ec0dd6a911ae01c8fd51d6bacf0d8e7208fea710e2d65231af15c47d5347ecabf1e60bc03bfbdb7da5c222dfab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8ced0ed964d4217ea6ab8b3834627ca

SHA1
ca2ee73cde85bf0be517d04df297ec69796a3b0e

SHA256
e467c52265bd73280f7e2cb86f55e1312a0bd3b63bcdb337c25f6569e6023239

SHA512
7b6b460dc11d63e0e8e63d219d31c44a62c7a1c635bd560c3656942c51fdce5288db651e7c53b08be84f499a47914dad4a362db27b03df9fd130a2cf025862ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73d305204a859ebcdc8fda672eb2ae6e

SHA1
908bef7432a349ee4622ea84bc48fa3a3efe25c1

SHA256
b0a36b5434f71edcc9ba09bfb6ec09991bf958be39cb35d28b7ba6058017b2f0

SHA512
d0b033250b47808f99bcd5a6f6ba4b5e5451a747e66b7afb6b112f20d4d629b4893b02accc6946c8e9de5edcf184c279f30642550f279ded21a46dc90546a29a

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
449KB

MD5
11bbdf80d756b3a877af483195c60619

SHA1
99aca4f325d559487abc51b0d2ebd4dca62c9462

SHA256
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1

SHA512
ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
1289dc21a51fb89e685fa4c91764c00e

SHA1
b24210c4e71ace272a1984e171d50380687f73fe

SHA256
3e6f9a8b9dbd8adb521ce02a1c34e20350b3df438deb5bc4ada33c8cca6d25b9

SHA512
9cf63f042197470e622b97bf11845722c6338e69f08932b2f11eca576162235ff82c2def13bf42cea4c3b583ebd0342ca10ca6e5f2a3c53e4a6db5ae7006a0f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C21.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2CD0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll.aux

Filesize
532B

MD5
874863d695af07df17460e56498a47db

SHA1
c64deff1aac7d97fee51aa09a1f8a64bb3679ed6

SHA256
d8e59722d2b4881df93b9cde8d01523b73adc9a2eceb204fb7cd1963aff75c73

SHA512
864b081d61881839495a097a4eb4ea71bb6a29246968fd981bc7e7d318558bb831fd673941459329e096625e454883b7f2af2e9b2f3785fe51b672f275e38728

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll.aux

Filesize
588B

MD5
90dde7396bbc17dddaa7dcdec75c2d7b

SHA1
613a143997175a531af577c3e47611d006cd585c

SHA256
a3613a9ea1e995ce43a3754b3eab8f09325f039188593a4666bba0fa56dc5c03

SHA512
3cb619a3fe00d5cff37830e080a5db2e27d122293fb15f200a6bb59ad905d32bb99c720d36d1a8f6fcd89cad5c8e2610dbf89c09db28f7ec1974041d4b026c18

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll.aux

Filesize
888B

MD5
0c2e9bf2f96be2986d8b8449c0028067

SHA1
c41ba485bc1d847ebba609bc4bcc37b4109f7fca

SHA256
4d9d156b27b902a1265a2d36a47fb285ecba5abb97ca730df3893f3397f5da4a

SHA512
8a8eb919323d37cacad9665b671d5639bcd4f0955997f5321a486c1e3179bb6762b2ae009cc658b402dbb4dc0d873e110e58f5b67565c458eff2d16c8f1e46f1

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
0fa7a2200ae2493f05b85e85688aa663

SHA1
18ce43782b1a150948a3c80df0dd3374372cf675

SHA256
d2573a4a215ae02c70b6fac850c22931a757c18ff243c16b819b03d1dc2bf92e

SHA512
84629c719112dc1257a89bd0de5d4be7465abe6b81a25c8326a05f5001c51e6f3b921652cb81da68bbec7e975f476aed6f8606d1da6e736f456c65853072e129

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll.aux

Filesize
732B

MD5
61d90bbb5964d416b86d7ef8b9adef40

SHA1
eba684714c32c9f2939499ee896a492122da707d

SHA256
9051805012f5ce17fc5f4a71482b34f9c0c4b61bf640ee31f48719a926782ab9

SHA512
867d21199f7fd950cdf9a4f2ce5435326abd7411a137f60c406b8ec185ae7d50e211dbf98a37591aba24bdd00fbcfee974e46f6691e8589e6dae2d11e2e8f47a

Download Submit
C:\Windows\assembly\temp\77MTOBTHYN\Microsoft.Build.Tasks.v4.0.ni.dll.aux

Filesize
2KB

MD5
c228a99297b86188b16cd8ae9f9e95c7

SHA1
b4603bf9196c3908a94ddff0ac2e51d1edd40777

SHA256
4bf1bad2d0aa458307845c6cfff003ad168b9af1c183d4fd44de734bf66ead97

SHA512
f6933920fa6c75bd3facbc91d8b6d594461ebfd54c5557155fbda4d6fd35c135d2438e377538540103947f7394d404d05dc7b08fd731e067cf45d94919cf474d

Download Submit
C:\Windows\assembly\temp\ONQ7LGW0WS\Analytics.ni.dll.aux

Filesize
716B

MD5
17c17240ab6ab6254d5e377730f02a1a

SHA1
1d3958db4e5d2a29732e45ed2eadfa08d1d879ed

SHA256
d9923f94b9cba213ffac3e41953b9ca991a562fbfc5c1765b4fd05c25fb94b0e

SHA512
d3046376bbfd7591a34be448bc102c380816b779a3866757c39998248739c165bd724321ff63ef0114090ff37b9c4043c89b058e253fe072f42e68a3d677f101

Download Submit
C:\Windows\assembly\temp\ZDJOEAL9Q7\GA.Analytics.Monitor.ni.dll.aux

Filesize
712B

MD5
edf737aa1f61c81d720917eb84e9fd5d

SHA1
8f6e5fd53b5c381491caa2d4a93cf81421088bce

SHA256
495b3d096ede487f9c7a7308ca15eb61b06a220089f7b9cd216013e0131bccdc

SHA512
45bb1c38ce0276730bfca53b6400db107f4854c9f9a80465e98bd98d40b69d4b2db8e2eb8e39bd26dbc16d26303ca1e21417aa67e88ef146e1254e33d39801fc

Download Submit
\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
32cf2e7c6ae825d5f7cb2a7d39c2ee24

SHA1
262176d879e7727375025cae4aafc90698adad26

SHA256
d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5

SHA512
a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2

Download Submit
\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\FSE2.exe

Filesize
50KB

MD5
7a8df7276257139271a09a8947da44e5

SHA1
965c788156e2e29b6d1012430afee0cad13093b0

SHA256
8b0b9859af32d467fb7031ac8164779ffdb274cdaff959d89d11a65a365c8e12

SHA512
2769f62f0de76726c33cb0eae42c933806ddceae6c1f97d16302c575a8955fe33d4388824ca2a2c1269b09755e42b82fa5dceca825bd19e3e83ed43f97ca1f79

Download Submit
\Users\Admin\AppData\Local\Temp\nsy12A8.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Analytics\d756563aa7cd4e9c00502605394ea611\Analytics.ni.dll

Filesize
148KB

MD5
4b962d3d8b3c91fa54e20ea48d09a990

SHA1
35468f050fb1b4a5e57a437b644d2c9e512f862f

SHA256
3e7dc77c58ae21758add41de81b649240e95707abcbd6d02fccdaa73449ab33f

SHA512
5ba87664ebadc3611523e69c9b26b6b9f4576240eb5c3a7e39a21a3a6f68f37142c9902fe4410f4e60593556d0e641a9ee82a37c1cb29e50d6247db2804ac3c5

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll

Filesize
1013KB

MD5
75466b5e53a262f579d58042eb0c6fa5

SHA1
aba87382496d180a3e71c3626b617bb65308d358

SHA256
dd470f06556af0b809868b8ddcf6db70833d41fb1b7d2086de7ecde34e3085fe

SHA512
efe4fc459cdf8148792f0d43da4b5e6e5ef86f6f2ba2fde868ae6b4ad72f58ed8af6e134de72d754f5916e3570e7d1f205633321605c4f939453537cbd538bb9

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\GA.Analytics.Monitor\3bf155f5fe5c3c876614c4d82313933c\GA.Analytics.Monitor.ni.dll

Filesize
158KB

MD5
188e0e27618fc054e447005da14b39e6

SHA1
fa53f294d3f2d484b513f17ca5d21b33a52e2500

SHA256
7602634749732ab0411aebe3b5789b736c8e68d07688dd22d83f29b6e86675c9

SHA512
717e160dec70f5d647e6152ed1ce8ed1e4d64118cd68ffaa091264d8a7b947175261552a9171ebf4ddc7fe0096608a9a4f5d1b24857d1c8eb5d750b2e085670c

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll

Filesize
546KB

MD5
75de4db178e3310ebf8bfa83a003b8e2

SHA1
c0d05985fb9e28ede26b00143d939839cb0e3ae6

SHA256
304ae94177bcd5f8659eb5a232676c2a9857dc495c273fce2e2e65fab4ae4eb6

SHA512
4310161d72d60ef55a5ca6601bf4f5773518a9fcbeab4fda60afc18b334a1fbded3a5426795ed3587b5c51e2f6fc39176014a75e75aca2d3cfafc8a19d85b983

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll

Filesize
1011KB

MD5
6d7e1bc098c599dc54b552531ed637ac

SHA1
ff4648a4ce473a3cbe6e3c75e1c606d593353de1

SHA256
874ece1c76a575a96e174eb846edcbeb6134ee66e71bfd025a250a7406627ef5

SHA512
1e88c80b969c0ac44e880316189ce3789f2fb0d8044e39c90ef99edfe4de83f7c21dc21adf4c51f6d88f77b92035b519794ed91d9d04c74cef971aa3424ce04a

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\faa890702be0a0b8574aa82cb24b9da3\Microsoft.Build.Tasks.v4.0.ni.dll

Filesize
4.1MB

MD5
07de6b9bdeebae49461ef58e29953464

SHA1
5ba78e69c3d93724c6a3de013157b9350bcd6eb9

SHA256
85da41cc1f1beac3528bab39240912ecb8ac7fb313a89342e3fffd9cf0a99c74

SHA512
1b10add9a8cab2913299a03da26ad4fcb84826ff33c847d53078d18e3459b4c07a3b0ee52b67d9fe2f5b90ae7f98da502369159c2edc3e81fa569242184ab0b4

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
d1d5dd7761a0e2c31c2baeeb4442a6ba

SHA1
c681dca866baa02e7840bffdbcff349da69ba25c

SHA256
84676accc10df0f610772b5d447b058a9fd3c4d399cddc01ef6510d9832915f1

SHA512
59891b98e42635c056debe5fdd373b3d31ef1731c653c7df179c0db8544c6bfc6e4899d62a3068b76a652e71899b285e1757260ccaa805658e1e77e00cb9b263

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll

Filesize
3.7MB

MD5
03eabadb3e9fe0a8566ce36fde2ed959

SHA1
c0da077a84d61426c6de7d27b5bd3d5beb034352

SHA256
2467069bdc725532c792ab7f026bbafbbdbbd311d5ba83c502cc35a044b90860

SHA512
b60a5ac1f0b062ba3319ba93171f2d150a536fa4ce37bc7061a76949ca98c5ee08dc342f232bf47b36753c4046c23828fea8560b083778f175d5303906c9bc82

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll

Filesize
94KB

MD5
8c1196b2476c2ae2dee297e3db1cf37f

SHA1
27b4c6bc7876d7f52f34bffe2fb1f3cee88444ff

SHA256
f298ac1090234846c34b192f4683d34477f84f5eb8b844afedac9d4de246e104

SHA512
cd4bbe93c3a40035c65358ba714f39b8c6770aa44bdb87ed6dd23292f7a641c3da3977691fb1ecf83f1dbb6fe704edc6eeb817d1da48b4f2f9de62cf9c2ec591

Download Submit
memory/300-383-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/1248-244-0x0000064438000000-0x000006443808B000-memory.dmp

Filesize
556KB

Download
memory/1584-343-0x00000644A0000000-0x00000644A03AA000-memory.dmp

Filesize
3.7MB

Download
memory/1584-320-0x0000000002170000-0x0000000002218000-memory.dmp

Filesize
672KB

Download
memory/1600-202-0x0000000000680000-0x000000000069A000-memory.dmp

Filesize
104KB

Download
memory/1600-205-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/1600-201-0x0000000002CA0000-0x0000000002CE4000-memory.dmp

Filesize
272KB

Download
memory/1600-203-0x000000001B1A0000-0x000000001B2C2000-memory.dmp

Filesize
1.1MB

Download
memory/1600-200-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1600-139-0x000000001B530000-0x000000001B8B2000-memory.dmp

Filesize
3.5MB

Download
memory/1600-198-0x0000000002780000-0x0000000002828000-memory.dmp

Filesize
672KB

Download
memory/1600-192-0x00000000020D0000-0x000000000218A000-memory.dmp

Filesize
744KB

Download
memory/1600-196-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/1600-194-0x0000000000600000-0x0000000000676000-memory.dmp

Filesize
472KB

Download
memory/1804-211-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1804-207-0x000000001B610000-0x000000001B992000-memory.dmp

Filesize
3.5MB

Download
memory/1804-210-0x000000001B480000-0x000000001B528000-memory.dmp

Filesize
672KB

Download
memory/1804-209-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1804-208-0x0000000002750000-0x00000000027C6000-memory.dmp

Filesize
472KB

Download
memory/2024-296-0x000000001B690000-0x000000001BA12000-memory.dmp

Filesize
3.5MB

Download
memory/2024-321-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2024-326-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2024-325-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2024-315-0x0000000001F10000-0x0000000001F86000-memory.dmp

Filesize
472KB

Download
memory/2024-319-0x0000000001F10000-0x0000000001F86000-memory.dmp

Filesize
472KB

Download
memory/2332-367-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2332-368-0x00000644A0000000-0x00000644A0029000-memory.dmp

Filesize
164KB

Download
memory/2528-281-0x00000644A0000000-0x00000644A0100000-memory.dmp

Filesize
1024KB

Download
memory/2656-259-0x000000001AF90000-0x000000001B0B2000-memory.dmp

Filesize
1.1MB

Download
memory/2656-266-0x0000064438000000-0x0000064438429000-memory.dmp

Filesize
4.2MB

Download
memory/2720-103-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/2816-228-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2816-227-0x0000000000250000-0x0000000000294000-memory.dmp

Filesize
272KB

Download
memory/2816-229-0x0000064438000000-0x00000644380FF000-memory.dmp

Filesize
1020KB

Download
memory/2984-297-0x00000644A0000000-0x00000644A001A000-memory.dmp

Filesize
104KB

Download
memory/3048-206-0x0000000002930000-0x00000000029EA000-memory.dmp

Filesize
744KB

Download
memory/3048-212-0x000006443CC40000-0x000006443CEEC000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads