9ddd2984852b80fb41546e96a1c3414a55415050761a47633d28a4faeef7a3d1

Resubmissions

11-12-2024 18:37

241211-w9f3rstpez 10

11-12-2024 18:28

241211-w4jayatnat 10

Analysis

max time kernel
141s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-12-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virus/FiddlerSetup.5.0.20245.10105-latest.exe
Size

4.4MB
MD5

c1980b018489df28be8809eb32519001
SHA1

e860439703d7b6665af4507b20bbef2bbb7b73f4
SHA256

588024037b1e5929b1f2a741fff52a207bcab17f0650ec7cb0cd3cb78051998d
SHA512

f70d419e869e56700a9e23350a9779f5dd56bb78adb9a1b0d5039287a24f20004db20f842294d234d4717feaa3184a5e6d90f0ee3666208bad2ea518d37b0a35
SSDEEP

98304:qMgxyUnSAaB1eXq8yOkLiGXv72Qomw6pvtFIAwdaRdA:qMoWvePjqHv72Qo96pvtF5wH

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3972	netsh.exe
3652	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 2 IoCs

pid	Process
420	FiddlerSetup.exe
1108	SetupHelper

Loads dropped DLL 20 IoCs

pid	Process
420	FiddlerSetup.exe
3952	mscorsvw.exe
1468	mscorsvw.exe
2480	mscorsvw.exe
4904	mscorsvw.exe
708	mscorsvw.exe
4700	mscorsvw.exe
708	mscorsvw.exe
3540	mscorsvw.exe
3540	mscorsvw.exe
3540	mscorsvw.exe
3540	mscorsvw.exe
3540	mscorsvw.exe
1592	mscorsvw.exe
2160	mscorsvw.exe
4932	mscorsvw.exe
4404	mscorsvw.exe
4932	mscorsvw.exe
4404	mscorsvw.exe
4932	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\temp\R87HSA8ESK\Microsoft.JScript.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\6c172340af3f46e7e45d3cea5ee80a56\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\a8e9750dcec3b7be6005a908fe2c2d8f\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5bc-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1328-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\88b596885c6a2aecfe43892d03c5ba6b\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\180d439c36f3cf6ec5649e1360f67487\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1344-0\System.Web.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\R87HSA8ESK\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f70-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\0c073f42cf7c0b89bd4ceb4244060ceb\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\125c-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\ab300698ff0e6328a779058c8a6abc9a\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\42c7a19a453afb14fda2fe8479e4d8b2\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\2c4-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\debe458f6197408829bf76c18c262527\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b0-0\System.Numerics.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.5.0.20245.10105-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1411052346-3904498293-150013998-1000\{3CB9F555-3A05-45D0-BA4B-E05CB2D67202}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
420	FiddlerSetup.exe
420	FiddlerSetup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 420	1064	FiddlerSetup.5.0.20245.10105-latest.exe	89
PID 1064 wrote to memory of 420	1064	FiddlerSetup.5.0.20245.10105-latest.exe	89
PID 1064 wrote to memory of 420	1064	FiddlerSetup.5.0.20245.10105-latest.exe	89
PID 420 wrote to memory of 3972	420	FiddlerSetup.exe	91
PID 420 wrote to memory of 3972	420	FiddlerSetup.exe	91
PID 420 wrote to memory of 3972	420	FiddlerSetup.exe	91
PID 420 wrote to memory of 3652	420	FiddlerSetup.exe	93
PID 420 wrote to memory of 3652	420	FiddlerSetup.exe	93
PID 420 wrote to memory of 3652	420	FiddlerSetup.exe	93
PID 420 wrote to memory of 2988	420	FiddlerSetup.exe	95
PID 420 wrote to memory of 2988	420	FiddlerSetup.exe	95
PID 420 wrote to memory of 1288	420	FiddlerSetup.exe	96
PID 420 wrote to memory of 1288	420	FiddlerSetup.exe	96
PID 420 wrote to memory of 1108	420	FiddlerSetup.exe	97
PID 420 wrote to memory of 1108	420	FiddlerSetup.exe	97
PID 420 wrote to memory of 1108	420	FiddlerSetup.exe	97
PID 420 wrote to memory of 3708	420	FiddlerSetup.exe	105
PID 420 wrote to memory of 3708	420	FiddlerSetup.exe	105

C:\Users\Admin\AppData\Local\Temp\virus\FiddlerSetup.5.0.20245.10105-latest.exe
"C:\Users\Admin\AppData\Local\Temp\virus\FiddlerSetup.5.0.20245.10105-latest.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\nsc30FF.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsc30FF.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3972
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
    3⤵
    PID:2988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:3540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 204 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:1592
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 290 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 0 -NGENProcess 290 -Pipe 2a8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:4932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:4404
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 204 -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
    3⤵
    PID:1288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      PID:1476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 0 -NGENProcess 28c -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:3952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 1f4 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:4904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2ec -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1468
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 28c -Pipe 2f0 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 28c -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:708
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 2dc -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:4700
- - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
    "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
    3⤵
    PID:3708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4124,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=3988 /prefetch:8
1⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=5248,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:1
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5236,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
1⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations=is-enterprise-managed=no --field-trial-handle=5748,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5720 /prefetch:8
1⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6040,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:1
1⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --string-annotations=is-enterprise-managed=no --field-trial-handle=5256,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
1⤵
PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations=is-enterprise-managed=no --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6352,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
1⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --string-annotations=is-enterprise-managed=no --field-trial-handle=7068,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6772 /prefetch:8
1⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=6784,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6684 /prefetch:8
1⤵
- Modifies registry class
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations=is-enterprise-managed=no --field-trial-handle=5796,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=3152,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6892 /prefetch:8
1⤵
PID:1092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4296,i,4538255413480930743,12957764444767653848,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:8
1⤵
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
81564947d42846910eec2d08310e0d25

SHA1
b7a167dcd3afb29c8a0e18c943d634e3fc58a44c

SHA256
543f16b73f7d40177585332f433ce76dddc1526e12bcd62cb73edd11eb002341

SHA512
8f06409517697b022787bc9e2ed7e73100018422177aa3f63ecb406c3bdb6b021624f909a16fca0430002bfa7d35a461b38750c79c0273a154f63316b4e13037

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
87bc17f56e744e74408e6ae8bb28b724

SHA1
3aa572388083ff00a95405d34d1189c99c7ff5be

SHA256
ffb24fc36ade87988f9908e848d0333ce7ffb2b4e4d0ffb43f6556246069d057

SHA512
cbeee155c97b87a22b92b808f86fee25c18db51ab43a36b657d532d2d47d3a7db2f4507a699b72af904bf6d5ed851d1ae1fcfb4833a57096e6c7787211c0f35d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
b1827fca38a5d49fb706a4a7eee4a778

SHA1
95e342f3b6ee3ebc34f98bbb14ca042bca3d779f

SHA256
77523d1504ab2c0a4cde6fcc2c8223ca1172841e2fd9d59d18e5fc132e808ae2

SHA512
41be41372fe3c12dd97f504ebabb70ce899473c0c502ff7bfeaddc748b223c4a78625b6481dbab9cb54c10615e62b8b2dbe9a9c08eb2f69c54ebf5933efbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc30FF.tmp\FiddlerSetup.exe

Filesize
4.4MB

MD5
c2a0eb6f104eacec3f39581451ee208f

SHA1
9ae7d02aeb640fbd090dfc01885b98dd5dd0b6cc

SHA256
1f926cc353301e547e76c6d2eff23fcbe85495ba0292174cc6344fac26457af8

SHA512
8b062e4f0af1dce3a12b5776646fe8c235f30de6772f579da1a6ab2bb559ed69b3bd32af95eee248c48008ddcbd40a7e49eae722a44bc9b49dd13fe38113a3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh49E7.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\a8e9750dcec3b7be6005a908fe2c2d8f\EnableLoopback.ni.exe

Filesize
160KB

MD5
0965e5069f4a44a943dd21af16ebea50

SHA1
4a6866a29d58672a05cdbf764a45c2b682e0cd5f

SHA256
2bf8d3166b4b3725564dfdf44072a6fe10c3a08574d7f5ac17aa80d7d3edc29b

SHA512
394c6c71bea21aebbc9f625a360e33fbb7512e919988db106c7e4120afd6c8d0b945d3238ae2a7d5f0af2c71122d57bfd8d56133f70ad00e78b65ea9ee7e84db

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\180d439c36f3cf6ec5649e1360f67487\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
a2ef1f6d5df4e7b6447b54190a3b6ccc

SHA1
cbeb2b07942b3d9b95d3a7263629bcbec6b25ce1

SHA256
2b14dbd9d9c8050100f813b1e51942520d49ab51ef8ffde16414ac8b35765dd4

SHA512
f089315b0435d8f0cfd8523698a36205cbc493cb2ea1c561d811e9141423df20640107ad3507abba44575b970dc010d380fee6e6f3880fc8f91f63f66e000f77

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\180d439c36f3cf6ec5649e1360f67487\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
b094143c78c988ef07a1bf541fccf4e6

SHA1
978ba20e486e74fba9cf306a7450240a96cc314c

SHA256
e6a53272d081895d24999b96ab02509ef5ac6a30a1ef901dad3f9e62252d8f80

SHA512
88eb0924df8c56a1e711b87f1a548b73aa18c90a197a3733c601e90793a4e74a0c771bd764e45111832196b2f81ebd90393c21053b3a93c7d85deee5eb536f5e

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\6c172340af3f46e7e45d3cea5ee80a56\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
942af167f631f760c83a8ada0592cb82

SHA1
73c08eec36472b200554465ee5d6e3f7792704ed

SHA256
c662e6d62258cfc15fb0fbb98fc3b428955ba2d7bbceced1e4f87a66d16b173b

SHA512
55944b185f4799fa81cd03d4131d6f24506d3b8329c7a0800aae486d9e75d2dcbbef2e564e4d86cfe7bc880a2bf6bac083ccb995429061666333dc56fef68418

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\6c172340af3f46e7e45d3cea5ee80a56\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
3c3231d300935c65976ed0ca2d93f346

SHA1
70611f15414423d2cb6db3d8bbb384e98df4996f

SHA256
96ae9bed2a9512ea7858cc3b28dc28d172cd1c3c15f60fa04ee20b8063a1b1a3

SHA512
28f2c7dd019085cd18995232f2a87ea45b834f08d1d4923b799917eceea6d3dfc8b1c1caf7c0a2fb215df79defd095e1d70eda12c2c75475a57e84225da9d666

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\88b596885c6a2aecfe43892d03c5ba6b\System.Deployment.ni.dll

Filesize
3.0MB

MD5
2ad389cde81c8ddc7056e7eba382c92d

SHA1
99eebd8f5e3471efd5e13555426c279eb1051a17

SHA256
de3a8589468a14dc7a61d19be614081d4b5000ae1604d81894f3399611e4e328

SHA512
692e35cf3f0c2351eca65f139975c8c621e60b9a7a88ab12f5d60517e6f3ead20a2b04b47c5f360090d05527e9435ba620776712474829110e67fae25619e7bd

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\88b596885c6a2aecfe43892d03c5ba6b\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
218a0ba6f4d67451c5de690e2d79a50b

SHA1
2d88b63c563de1335f76678a7736d16ad0107f77

SHA256
5b3d423230067b3cd4270224ff23c0f65c4f0309525f3f0e8a9ecd4b05f633f5

SHA512
98043423bbfa6d92ce2b1077639a53ebbbe4af7fb24553e22f34ae68cc5b49d79df7d3ae6a6035567978787bbf467f7ebedc55ff3c8add1c3a20f19cf2f5acf3

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\0c073f42cf7c0b89bd4ceb4244060ceb\System.Numerics.ni.dll

Filesize
314KB

MD5
73699d2573263453632fe45cff1dc094

SHA1
b3df4e2af5e7520eca101c52e7145a85d29ee5df

SHA256
cc1326839110e27d2cbf5cf72d74e36ebe6346f65993353cf7c8ea5afd4be381

SHA512
489630de5b13fc1cc0ac6c93baa76b9a31da0fa48b9f53fe40d55606d3b5b344fb5bd10e549194a4187f90bb605c39b9d46ba34d93e9436862984b6688f5a71a

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\0c073f42cf7c0b89bd4ceb4244060ceb\System.Numerics.ni.dll.aux

Filesize
300B

MD5
905fbaf34d730796e231f38c60feffeb

SHA1
a8f995d3b27f6ea0feb485870832560025b50e4e

SHA256
b04b3113d61b1756e9b8087df88533276adaab7ece3d4e18cba1e956f662f21e

SHA512
4716d2ea8f71362bb5264a69abd252276fda352712ef89a7433c66366907a47b96ce3c50925a9036f9f378e5e67de2f94a2a74a4c99ca97930ef6b274c60f6f2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\ab300698ff0e6328a779058c8a6abc9a\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
fa423347a2e17ce6ad208963bcccea75

SHA1
bfbe02326cbc38d16fcb7c18ae93cd5b19ef1bf4

SHA256
36182d6b01a0529c83f20732a1a62430d3f446bed2a8094b4a5b57423228973d

SHA512
3d99f29b8c16fe568d1f2771faad856446da626f7dc368944b4d315d1a6f603c900c70f44346febecc3f709871c3efa37afaf227ac10de81eb30ea0268f54cd0

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\ab300698ff0e6328a779058c8a6abc9a\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
659b7690365e7746edfe6e96c3f11d6d

SHA1
fdcd84bb30c5c8adeb6c9341dcba873ad3994c07

SHA256
95129a62658451e9a013e7f482bebbd2fd48c2925dca596ade2b5b9bcaa23309

SHA512
fc52c330aa042ab816e739f117e1fc0208ea8855ec6a9e19b8e3ab42b18af61794429ae85d1b8b9d902c06ae64897215e721c66674b64b31f7ca6c91034af985

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\42c7a19a453afb14fda2fe8479e4d8b2\System.Security.ni.dll

Filesize
986KB

MD5
898474cba76cf084b5d914c0f2f8f07c

SHA1
8a93edb2b46038c0e4b916f8d48c96abe0cfc241

SHA256
f2fd3ae74d836a4f971b4d8eccb109e27cd9e9f8d62ae8a4dd248828d4c936e0

SHA512
d1fae5172a4fed48fefc78954390ce356936a3bfb2331640355bc9c3659585b2f1aeda897a2c490586934682083522839b691b45fb2205c87c4cab926d5d5640

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\42c7a19a453afb14fda2fe8479e4d8b2\System.Security.ni.dll.aux

Filesize
912B

MD5
2919ee7ce3a32fb9281b48b99fb0b92c

SHA1
6aab45597d8a120a9373bac86fe3cbb19ff8e470

SHA256
d00cbd723a0870bc12e155e0edd51defcec623bb0c8fe0e927ea196da545e6a2

SHA512
b6fdbc82671af88a79e1ea6e0942a493e13a3c2527f3512079dd48b62ca704d988311ce33a944556766cea64d1b4be5460920de938c2e0ac6975e4ec55c714c1

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\debe458f6197408829bf76c18c262527\System.Web.ni.dll

Filesize
16.2MB

MD5
6ec78f886589d95ea7f788af3923deb5

SHA1
d5247883bfc4f7bf92cc1d3e062eccf89a31f3c1

SHA256
4e01f30dcb3ee4cde2ba0d9cebe4958c7ed16b55d549b29559989104c2e8ebba

SHA512
9a5375a435f1d11903a7964fe89c31df168ab96ab1c23835705b46fe5c162aebef2df7b2594caad97868dbb97015ee1c0b6241d687034267cdd2d1fad5e7bb8c

Download Submit
memory/708-279-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/1108-106-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/1468-215-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/1476-108-0x00000263F7980000-0x00000263F7B08000-memory.dmp

Filesize
1.5MB

Download
memory/1476-112-0x00000263F77B0000-0x00000263F77D2000-memory.dmp

Filesize
136KB

Download
memory/1476-109-0x00000263F7710000-0x00000263F7732000-memory.dmp

Filesize
136KB

Download
memory/1476-107-0x00000263F7760000-0x00000263F77B0000-memory.dmp

Filesize
320KB

Download
memory/1476-105-0x00000263F75B0000-0x00000263F75C8000-memory.dmp

Filesize
96KB

Download
memory/1476-110-0x00000263F78B0000-0x00000263F7962000-memory.dmp

Filesize
712KB

Download
memory/2160-337-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/2480-230-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/3540-329-0x00000236FB060000-0x00000236FB182000-memory.dmp

Filesize
1.1MB

Download
memory/3540-299-0x00000236FA7B0000-0x00000236FA82A000-memory.dmp

Filesize
488KB

Download
memory/3540-294-0x00000236FAA40000-0x00000236FADC4000-memory.dmp

Filesize
3.5MB

Download
memory/3540-306-0x00000236FA510000-0x00000236FA51C000-memory.dmp

Filesize
48KB

Download
memory/3540-321-0x00000236FA540000-0x00000236FA55C000-memory.dmp

Filesize
112KB

Download
memory/3540-322-0x00000236FBD00000-0x00000236FC1CC000-memory.dmp

Filesize
4.8MB

Download
memory/3540-328-0x00000236FA9C0000-0x00000236FA9DA000-memory.dmp

Filesize
104KB

Download
memory/3540-304-0x00000236FADD0000-0x00000236FAE82000-memory.dmp

Filesize
712KB

Download
memory/3540-335-0x00000236FA520000-0x00000236FA530000-memory.dmp

Filesize
64KB

Download
memory/3540-297-0x00000236FB300000-0x00000236FB828000-memory.dmp

Filesize
5.2MB

Download
memory/3540-333-0x00000236FAE90000-0x00000236FAEA2000-memory.dmp

Filesize
72KB

Download
memory/3540-332-0x00000236FAFB0000-0x00000236FAFEC000-memory.dmp

Filesize
240KB

Download
memory/3540-301-0x00000236FA500000-0x00000236FA50C000-memory.dmp

Filesize
48KB

Download
memory/3540-302-0x00000236FA930000-0x00000236FA97A000-memory.dmp

Filesize
296KB

Download
memory/3540-331-0x00000236FAA20000-0x00000236FAA40000-memory.dmp

Filesize
128KB

Download
memory/3540-330-0x00000236FAF30000-0x00000236FAFAE000-memory.dmp

Filesize
504KB

Download
memory/3540-327-0x00000236FA9A0000-0x00000236FA9BE000-memory.dmp

Filesize
120KB

Download
memory/3540-326-0x00000236FAEE0000-0x00000236FAF24000-memory.dmp

Filesize
272KB

Download
memory/3540-325-0x00000236FA9E0000-0x00000236FAA12000-memory.dmp

Filesize
200KB

Download
memory/3540-324-0x00000236FA980000-0x00000236FA9A0000-memory.dmp

Filesize
128KB

Download
memory/3540-323-0x00000236FA560000-0x00000236FA572000-memory.dmp

Filesize
72KB

Download
memory/3540-320-0x00000236FA830000-0x00000236FA86A000-memory.dmp

Filesize
232KB

Download
memory/3540-296-0x00000236FA870000-0x00000236FA92A000-memory.dmp

Filesize
744KB

Download
memory/3952-200-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/4700-263-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/4904-244-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/4932-359-0x00000275B8740000-0x00000275B8766000-memory.dmp

Filesize
152KB

Download
memory/4932-361-0x00000644C00C0000-0x00000644C10EA000-memory.dmp

Filesize
16.2MB

Download