9ddd2984852b80fb41546e96a1c3414a55415050761a47633d28a4faeef7a3d1

Resubmissions

11-12-2024 18:37

241211-w9f3rstpez 10

11-12-2024 18:28

241211-w4jayatnat 10

Analysis

max time kernel
1696s
max time network
1701s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/FiddlerSetup.exe
Size

4.4MB
MD5

c2a0eb6f104eacec3f39581451ee208f
SHA1

9ae7d02aeb640fbd090dfc01885b98dd5dd0b6cc
SHA256

1f926cc353301e547e76c6d2eff23fcbe85495ba0292174cc6344fac26457af8
SHA512

8b062e4f0af1dce3a12b5776646fe8c235f30de6772f579da1a6ab2bb559ed69b3bd32af95eee248c48008ddcbd40a7e49eae722a44bc9b49dd13fe38113a3ca
SSDEEP

98304:KgxyUnSAaB1eXq8yOkLiGXv72Qomw6pvtFIAwdaRdAM:KoWvePjqHv72Qo96pvtF5wHM

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3712	netsh.exe
3804	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
672	SetupHelper

Loads dropped DLL 20 IoCs

pid	Process
3640	FiddlerSetup.exe
1124	mscorsvw.exe
3424	mscorsvw.exe
3424	mscorsvw.exe
1852	mscorsvw.exe
3064	mscorsvw.exe
4988	mscorsvw.exe
3064	mscorsvw.exe
1696	mscorsvw.exe
2972	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
1928	mscorsvw.exe
3176	mscorsvw.exe
3128	mscorsvw.exe
1416	mscorsvw.exe
1380	mscorsvw.exe
4496	mscorsvw.exe
2068	mscorsvw.exe
1380	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\8OEEOKJYP8\System.Numerics.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\588-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\814-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\564-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d60-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\b5497fca4e4478881056c95fd8c01ee6\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\4ZX5HR8ZVD\System.Deployment.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c38-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1190-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bf8-0\System.Deployment.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\4ZX5HR8ZVD\System.Deployment.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7034YPF6XS\System.Security.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\788-0\System.Web.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\32FGV6M1M3\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VJH3Z7MVMJ\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\1776d8abbd15098818c8578c5f6d9e17\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\32FGV6M1M3\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\73c-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\4345ad0cb22fa57a9281f1b35b0ca60f\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\1CUJ7X2LSH\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\8OEEOKJYP8\System.Numerics.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VJH3Z7MVMJ\System.Data.SqlXml.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c68-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6a0-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\1CUJ7X2LSH\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\464-0\System.Data.SqlXml.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7034YPF6XS\System.Security.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{6F715A56-2F03-4982-9CAA-F850FBE4B855}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3640	FiddlerSetup.exe
3640	FiddlerSetup.exe
3416	msedge.exe
3416	msedge.exe
1116	msedge.exe
1116	msedge.exe
3364	msedge.exe
3364	msedge.exe
1808	msedge.exe
1808	msedge.exe
5036	identity_helper.exe
5036	identity_helper.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe
3516	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe
1116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3640 wrote to memory of 3712	3640	FiddlerSetup.exe	77
PID 3640 wrote to memory of 3712	3640	FiddlerSetup.exe	77
PID 3640 wrote to memory of 3712	3640	FiddlerSetup.exe	77
PID 3640 wrote to memory of 3804	3640	FiddlerSetup.exe	79
PID 3640 wrote to memory of 3804	3640	FiddlerSetup.exe	79
PID 3640 wrote to memory of 3804	3640	FiddlerSetup.exe	79
PID 3640 wrote to memory of 3400	3640	FiddlerSetup.exe	81
PID 3640 wrote to memory of 3400	3640	FiddlerSetup.exe	81
PID 3640 wrote to memory of 4648	3640	FiddlerSetup.exe	83
PID 3640 wrote to memory of 4648	3640	FiddlerSetup.exe	83
PID 3640 wrote to memory of 672	3640	FiddlerSetup.exe	84
PID 3640 wrote to memory of 672	3640	FiddlerSetup.exe	84
PID 3640 wrote to memory of 672	3640	FiddlerSetup.exe	84
PID 3640 wrote to memory of 1116	3640	FiddlerSetup.exe	88
PID 3640 wrote to memory of 1116	3640	FiddlerSetup.exe	88
PID 1116 wrote to memory of 1080	1116	msedge.exe	91
PID 1116 wrote to memory of 1080	1116	msedge.exe	91
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 4252	1116	msedge.exe	94
PID 1116 wrote to memory of 3416	1116	msedge.exe	95
PID 1116 wrote to memory of 3416	1116	msedge.exe	95
PID 1116 wrote to memory of 3152	1116	msedge.exe	96
PID 1116 wrote to memory of 3152	1116	msedge.exe	96
PID 1116 wrote to memory of 3152	1116	msedge.exe	96
PID 1116 wrote to memory of 3152	1116	msedge.exe	96
PID 1116 wrote to memory of 3152	1116	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3712
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
  2⤵
  PID:3400
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c0 -Comment "NGen Worker Process"
    3⤵
    PID:124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 294 -Pipe 29c -Comment "NGen Worker Process"
    3⤵
    PID:1552
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 2ac -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1124
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 26c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3424
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1bc -Pipe 298 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1852
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2a8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3064
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 1bc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:4988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2dc -Pipe 278 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 2ec -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1928
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2fc -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2c0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1272
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2fc -Pipe 2e8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 294 -Pipe 2a0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2cc -Pipe 300 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2c8 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1776
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2fc -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:1220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
  2⤵
  PID:4648
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1cc -Comment "NGen Worker Process"
    3⤵
    PID:1720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 268 -Pipe 280 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 290 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 260 -Pipe 294 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3128
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 2bc -Pipe 2cc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1416
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 1e8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1380
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 284 -Pipe 2d0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:2068
- C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee6b83cb8,0x7ffee6b83cc8,0x7ffee6b83cd8
    3⤵
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
    3⤵
    PID:3444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    PID:3996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5536 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    PID:800
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
    3⤵
    PID:3308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,11935412668206205862,4621754813322290322,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2512 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
210e98e9353d558801b9119e1b4a6364

SHA1
22668e95ed6011303b33821fd2aea45e499d3673

SHA256
ad1cda1510cdc41b4b5cb38c66352b92c2c4905fb1a08f3b5eb8e6d1de552628

SHA512
f5ac8d1a2cf0b2a93528d8e29898cd9dd4ef6b3f2b4fb755eebf6621f57a1129a3cb5681069cf00aecb7c6ff2cde066d112619b630bf90ec7ab951fe85b12f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3e0b2a426ea1f157098b34831ac5840b

SHA1
ff53534de6ce9bfe40aa51bfbf70f0df5bd5f116

SHA256
afd8db6dffe9ecd68a4aabc38218776c210a8d391db6287fed8f26bb51a3908e

SHA512
99c5444bb8375794f2c4305ba379e686659cffff3a79415965e3d9bab9364d7081f716b03010206b862d9c95115b5fe864c9338d96413d073b9356809c0bb297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
829e9f178142565473858b327bd90e2a

SHA1
910dd6b1c2c6a7c220b125443dab3db26e7aa382

SHA256
35abf5200aa3bffc344f7231c88fb445afd899e39024fde964104258e93b252e

SHA512
2b5dbc46814e03001660af501121a3a5899622c60dbe3db81f6bc1090ba19cb516f3954093d9d18225df9ba01f335f80b86b0d4ac247bf0c12c5843a7362919f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af2dc785310be201ad84942dda4733bf

SHA1
5d7407974df8bc465007a090570bb76daaa31df4

SHA256
9ed5b395cadad77fa06e0e978cf585b82372de339cc5d76d9b7a220d0900f826

SHA512
4400d2fc39555a1ec774e99e4bc65957b01883e47e4430b53d872c35e789604001da49a96f3b3c3367a4dc362741160d00bcc903ba5882950ad06f8a139e4df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f43416d637d9a4aaed002ff477fd74a7

SHA1
26a034aa8cce2b50b88c37b4891c9723a7366696

SHA256
d036ae1403f22035964a3f167deb3525753765163f778f095785c42163017cfb

SHA512
94e96b8e82baf198a7094c5c1d99ef029346d8acd3943daaab089e3ee4e4cbda9b871cc47d86bfb5c058c24f774f6bc7de8f87d76df28d84f49e90bf2ddbf238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5856e5.TMP

Filesize
48B

MD5
cd138abb2ca7c0bf5a74b572125c935d

SHA1
60766891d0b3901c41e7bb2570c32dba0d0eb3ff

SHA256
3b45456a79a05385418a4ef93226c8af6b1160cad740015a74fe2249bff1ed11

SHA512
694d4cb2adcdde6feb56e50f6bf31f838426acbc0e10b026989df839cff897c168808b11ab78c68f8c1e09554d683583d74ba54b533347d27252170008be1ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3f5dcef5eb1defc4b1e5a774eb706c3

SHA1
458b75793baf68867a5caa111a3f7153a7562ba6

SHA256
a66123e8139352a1aa5924f5c238b576502c4451d8370c1f6de79a73309f27eb

SHA512
4ad793883741f8aeec92cf658f98d71ab6f1639f5ab13b7edd08668995ceb073a641ad3107613950c54ff10606d29b192bab0cd739c603f9bbc14f7e0df387ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5bd8e05697b8d8a06736808f364674a0

SHA1
54dc586b158d4b06b8275f09277401ac3f8221d0

SHA256
8b7ea2ad1957352670d2843e87b758b307135c525ce08687bb1776db9c83948d

SHA512
6282641a98ee642ce19016f345b1897b962a1fce87a2578cf3566d0b0a6abf3a8560c48ea5ea3f8385cf88d3ad93c45d3afc66ac1fc1c3d5f1976ab76185f9b7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
81564947d42846910eec2d08310e0d25

SHA1
b7a167dcd3afb29c8a0e18c943d634e3fc58a44c

SHA256
543f16b73f7d40177585332f433ce76dddc1526e12bcd62cb73edd11eb002341

SHA512
8f06409517697b022787bc9e2ed7e73100018422177aa3f63ecb406c3bdb6b021624f909a16fca0430002bfa7d35a461b38750c79c0273a154f63316b4e13037

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
87bc17f56e744e74408e6ae8bb28b724

SHA1
3aa572388083ff00a95405d34d1189c99c7ff5be

SHA256
ffb24fc36ade87988f9908e848d0333ce7ffb2b4e4d0ffb43f6556246069d057

SHA512
cbeee155c97b87a22b92b808f86fee25c18db51ab43a36b657d532d2d47d3a7db2f4507a699b72af904bf6d5ed851d1ae1fcfb4833a57096e6c7787211c0f35d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
b1827fca38a5d49fb706a4a7eee4a778

SHA1
95e342f3b6ee3ebc34f98bbb14ca042bca3d779f

SHA256
77523d1504ab2c0a4cde6fcc2c8223ca1172841e2fd9d59d18e5fc132e808ae2

SHA512
41be41372fe3c12dd97f504ebabb70ce899473c0c502ff7bfeaddc748b223c4a78625b6481dbab9cb54c10615e62b8b2dbe9a9c08eb2f69c54ebf5933efbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D7.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\1776d8abbd15098818c8578c5f6d9e17\EnableLoopback.ni.exe

Filesize
160KB

MD5
9a9571696cf9750d8486a6d986b5e6b0

SHA1
2211824c637ab2190c9f572999cc220ccfc1d295

SHA256
de93c77e08acde6d9b1867d562e1dd43471e20c11089658deb2e1e1b8bdf8943

SHA512
3b7b7248477ad4c31af8cf76837305ae18d834029110edf8f68008406f61eafd12ac8f1d2d1fcd720459cb03b501e857a0f2952ef6d58fee35f954c91b9de688

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\4345ad0cb22fa57a9281f1b35b0ca60f\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
fbf426ceb9dcf71f91b9c0e705c7887a

SHA1
da50100d4c2e743d49134540d848526ea008af40

SHA256
3aef7382577c7ef23f48a1332b415fd26b3d7fa6c9bbe5f0de383bef8e770efc

SHA512
de52e8feb3a6f67e5d4cfdcba5f62313a25efe13f331625e14d6bd48f59440f878ff5ee1dd6e18ea72947ded8612e56d2eee28a681dd8db4eccd2308479c9de8

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
5968702720c09d48fc7a0aae9f458a3e

SHA1
64ec4c0ee94a26fdd26f7f02892a313793ca3333

SHA256
1db11e73cdfebf485614216e227af712214049b909490e500bd0189a580a7eea

SHA512
107b18bb1f4d5441c015a657aab87581d4e37d72321ceac4208ff00f93e82d98f340dce8e6493e8f89a0104c3f71443455ab7f88433a173b5dc75e1274b21164

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\013dda0e1c13c8182e02719f12e71861\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
babee7fd2083dd07600dd5c55c7ccb19

SHA1
d60268525947cb482d08dc82bf8dbedc4153ecc7

SHA256
211f95dde18026099e727ea7dd3c59b2f44e4b8d6bc37a400b4e77dd35407fb8

SHA512
fb07b7940e0caa80c779f80a79c855f360a6032f4cfbc55d1d244070d638e2edc7969ebdbb1bc695b7a6e2a4ea8b9197287ee27acaf6e0ec3e7a2114c892034c

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\129af40f419d925ba9d07ca47a83708d\System.Deployment.ni.dll

Filesize
3.0MB

MD5
5ce272c443c76c6a0268b17307086373

SHA1
9da215c4f1fa2367b0abb062ae23c49c27e0cf6e

SHA256
1bda44e93fabab317c5d2768199ae87d47868e2ba1bd5c4eafbbc78fa3ae7414

SHA512
a6a66cc3a2b2080973edea313fc2f486c26c43280ffb1790c39f7e4983671abeb7c4b7e42c247823e2f30c284467e0848259d9d8bbbe50e3858bb5dc23a29d94

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll

Filesize
314KB

MD5
0ec738c1551385a6ab8287162ead2385

SHA1
576f4ac07fa966785607109902714f104c2b6fdb

SHA256
2be57b6de3fa61e65fab74f2911edeee2d0c4d3f0e2e0371bfca72498a4ac60e

SHA512
abfa6e2d47c55b65bf81a240c32bc7dbbdf739b23d4ddeb6b95d4c39eec7c0f59d3b788239b7ef4419d31176cd2a5338bda535c9241ba24ddecaaae36b57303a

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\429d1f533624b62ab398cd9238b6be2f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
faeaf52985536c4d7a6fea9ebd88c910

SHA1
29332a0eea7cb852223164a4863f4843fe101ba3

SHA256
ae8066274c5b4a5cdfc469e39463a94233d614fe44af31ea431e36a3cfe61a9a

SHA512
c305626c0ae72c62eaa00bc9ca5b5377fc562a52b97020c360fb7f69386d3a09646a3843da7161c4693f32264d141f6e102fa70f2c5beae443d7b8e1d52e1f29

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\c3e367eff9875c967c92b75a8688c55b\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
9ca5ccbe1085d777dc220ad37e26d6d3

SHA1
7f63e7d7764a4dc13a8b9cbec50749229cb93bca

SHA256
f362820cf09248efe993990b005ae1cbc856a048f08d7e1b494d980bff8a2342

SHA512
bc5142e7741071dcbff36c8320d7b217ddfc95c43b3c2a422ff2439e0eb46669c23d1ceda2956735c9a5cf66f489de21eba9a85d3b8d50959d898a213be3c3ea

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll

Filesize
986KB

MD5
f7c61b3ccddcebf97d4f2fcd7d2fc298

SHA1
3d4149310ceafb8b989afda01ac47abd4b9eae32

SHA256
8effa08244a2d3dc6573065c372c8fc06e515f584d6f7760ffafc6fcd91b7957

SHA512
0fd5437a6f77375b930ae913f955ef5b25c1374ae0ac491e4873ba4e303a0e4542a312d82096cbd6c171b4ed81859f2ab8ef2e2dcb20d534e5a923eb5314fa4f

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\ed88e474eb5a0dec06f9de17e677f038\System.Security.ni.dll.aux

Filesize
912B

MD5
c7f1888df8d5f0cee44055889d7145a0

SHA1
2b38514613fdcf0bd151d72e1754f82c8600238f

SHA256
86a58da68258f409d91c6178502763d92d53d5a81a0c65ea0da5826aa95dced2

SHA512
a96ac1b47a8ddb9efcf4b1483c47ef8141b05e47c68e9357ffb239033434b9450ef562f5a1ebb0a741c401c384da95780482a647270fd39558a1d73990101670

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\b5497fca4e4478881056c95fd8c01ee6\System.Web.ni.dll

Filesize
16.2MB

MD5
9cfb48343d8e37ceb5d53c4f73c87721

SHA1
4946db9e6de00d729e99f263c311dd501be92059

SHA256
4c8d6b0e4a15a1da294d9dabbf3f022136973ea9b3c6fabdfd577813f8fd0433

SHA512
ddf1950b340257e7d3964b018d32971233da5bfc442aabe3362cc1fe1bdc62bec3d64284ee82cf5601bf64533bd47291010cade9dbf962210aabbb36a69e9186

Download Submit
C:\Windows\assembly\temp\1CUJ7X2LSH\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
8354f38ef9dd329b59e8722316ea5ce6

SHA1
82da5accdf6f7a67f85001c9abe07b50e9031d1f

SHA256
5183d73f7acdde68a4adeae0837984de7887412397bd65631335df82c61adfba

SHA512
c8ff4dd9638bbb68a3f2df6b70e9b78faf58b41d91129684bff85a29e8cb280f895b4224f7fc0b34fb75a390e7da2e733d3fdcf9475dff9afe4ccd06984f9d54

Download Submit
C:\Windows\assembly\temp\32FGV6M1M3\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
bdf14ce4a416cf686dae47be34fcc09e

SHA1
bc428571a58afc330553097b0ebc1eeef7ca0c61

SHA256
b31d328b94dfdebba040c34c00ab2269c92cd2f3f43db684007732b771d6c7b8

SHA512
b103c980e692559a44d704a8311ff7ae1fe81506699625310936c061881b6396f5bc786362be972029bbd42e11fe394406cfcc8b1baa05846f82da4e37a39efa

Download Submit
C:\Windows\assembly\temp\4ZX5HR8ZVD\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
9536262da7ce4d5ae19f8dcbe22b1d33

SHA1
f35fd018806da18a371487575126f4460e832abf

SHA256
a2fde0e404bd1a8784d2fb3a4c3079eae6a19a690b7a3f7a1e98488faf3af814

SHA512
1df59e38781de47b56006aaede26695f5073f5c64cd9edf59d9e33cac5e5da49eae682e14654f532ba58585b492bc70a8018bada7eda93a11b60f979466e9f0a

Download Submit
memory/124-217-0x000001FA2A200000-0x000001FA2A212000-memory.dmp

Filesize
72KB

Download
memory/124-200-0x000001FA11980000-0x000001FA119A2000-memory.dmp

Filesize
136KB

Download
memory/124-216-0x000001FA2AA10000-0x000001FA2AA4C000-memory.dmp

Filesize
240KB

Download
memory/124-215-0x000001FA2A1E0000-0x000001FA2A200000-memory.dmp

Filesize
128KB

Download
memory/124-214-0x000001FA2A990000-0x000001FA2AA0E000-memory.dmp

Filesize
504KB

Download
memory/124-101-0x000001FA2A220000-0x000001FA2A5A4000-memory.dmp

Filesize
3.5MB

Download
memory/124-212-0x000001FA2B010000-0x000001FA2B132000-memory.dmp

Filesize
1.1MB

Download
memory/124-211-0x000001FA2A180000-0x000001FA2A19A000-memory.dmp

Filesize
104KB

Download
memory/124-104-0x000001FA29F90000-0x000001FA2A04A000-memory.dmp

Filesize
744KB

Download
memory/124-209-0x000001FA2A780000-0x000001FA2A7C4000-memory.dmp

Filesize
272KB

Download
memory/124-107-0x000001FA2A050000-0x000001FA2A0CA000-memory.dmp

Filesize
488KB

Download
memory/124-210-0x000001FA2A160000-0x000001FA2A17E000-memory.dmp

Filesize
120KB

Download
memory/124-207-0x000001FA11A10000-0x000001FA11A30000-memory.dmp

Filesize
128KB

Download
memory/124-109-0x000001FA11850000-0x000001FA1185C000-memory.dmp

Filesize
48KB

Download
memory/124-208-0x000001FA2A1A0000-0x000001FA2A1D2000-memory.dmp

Filesize
200KB

Download
memory/124-205-0x000001FA2B4E0000-0x000001FA2B9AC000-memory.dmp

Filesize
4.8MB

Download
memory/124-112-0x000001FA2A5B0000-0x000001FA2A662000-memory.dmp

Filesize
712KB

Download
memory/124-206-0x000001FA119E0000-0x000001FA119F2000-memory.dmp

Filesize
72KB

Download
memory/124-115-0x000001FA11860000-0x000001FA1186C000-memory.dmp

Filesize
48KB

Download
memory/124-105-0x000001FA2AAE0000-0x000001FA2B008000-memory.dmp

Filesize
5.2MB

Download
memory/124-110-0x000001FA11930000-0x000001FA1197A000-memory.dmp

Filesize
296KB

Download
memory/124-203-0x000001FA2A120000-0x000001FA2A15A000-memory.dmp

Filesize
232KB

Download
memory/124-204-0x000001FA11890000-0x000001FA118AC000-memory.dmp

Filesize
112KB

Download
memory/124-201-0x000001FA2A670000-0x000001FA2A722000-memory.dmp

Filesize
712KB

Download
memory/124-116-0x000001FA2A0D0000-0x000001FA2A120000-memory.dmp

Filesize
320KB

Download
memory/124-224-0x000001FA11870000-0x000001FA11880000-memory.dmp

Filesize
64KB

Download
memory/124-202-0x000001FA119B0000-0x000001FA119D2000-memory.dmp

Filesize
136KB

Download
memory/124-199-0x000001FA2A800000-0x000001FA2A988000-memory.dmp

Filesize
1.5MB

Download
memory/672-103-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1124-242-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/1696-357-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/1720-506-0x000002D406C10000-0x000002D406C28000-memory.dmp

Filesize
96KB

Download
memory/1852-278-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/1928-476-0x00000644C00C0000-0x00000644C10EA000-memory.dmp

Filesize
16.2MB

Download
memory/1928-472-0x00000227AE220000-0x00000227AE246000-memory.dmp

Filesize
152KB

Download
memory/2972-376-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/3064-334-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/3176-507-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/3424-261-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download