gh0strat | d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
Size

5.0MB
MD5

c7adb0aee7e3651e7ffb04337f42be90
SHA1

6eae418e08d9429d9e19f28272f25e2f311b2704
SHA256

d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4
SHA512

724cadc39071567da7152cd9c295ad724255bc564567ca3475e31471d99163a1cc36c3975773e2048d1cac963ca471569cfce0ab128a70afcf31e1bf5c8364b9
SSDEEP

98304:xcy2LkcMNB6cDqnTgnRkidZ7C0eNGyJW3lE4RrtRmrpIZhGuul38YR7O8sOKduGs:6y2LkcMNRdnRkgCNGyJ/IJYR7vsOKwGV

Score

10^/10

gh0strat purplefox discovery evasion persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2432-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2432-14-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2848-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2896-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2848-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2896-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2432-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2896-47-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral1/memory/2432-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2432-14-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2432-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2848-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2896-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2848-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2896-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2432-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2896-47-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2356	netsh.exe
2128	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 6 IoCs

pid	Process
2432	RVN.exe
2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
2848	TXPlatforn.exe
2876	FiddlerSetup.exe
2896	TXPlatforn.exe
904	SetupHelper

Loads dropped DLL 18 IoCs

pid	Process
2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
2848	TXPlatforn.exe
2876	FiddlerSetup.exe
2876	FiddlerSetup.exe
2876	FiddlerSetup.exe
2876	FiddlerSetup.exe
2184	mscorsvw.exe
904	mscorsvw.exe
2096	mscorsvw.exe
1132	mscorsvw.exe
1132	mscorsvw.exe
2836	mscorsvw.exe
1132	mscorsvw.exe
916	mscorsvw.exe
2432	mscorsvw.exe
3048	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2432-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2432-14-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2432-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2848-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2896-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2848-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2896-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2432-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2896-47-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\be8-0\Newtonsoft.Json.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\36FFIYH2JV\DotNetZip.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\0C7E0RCKSF\Microsoft.Build.Framework.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\0C7E0RCKSF\Microsoft.Build.Framework.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VL0QFKECNK\Microsoft.Build.Utilities.v4.0.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\394-0\DotNetZip.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\OHBT5BVHTN\Telerik.NetworkConnections.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\36FFIYH2JV\DotNetZip.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\15LWRXSUNF\Microsoft.Build.Tasks.v4.0.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\15LWRXSUNF\Microsoft.Build.Tasks.v4.0.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VL0QFKECNK\Microsoft.Build.Utilities.v4.0.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\980-0\Telerik.NetworkConnections.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\II2PZ7VSAY\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\OHBT5BVHTN\Telerik.NetworkConnections.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\II2PZ7VSAY\Microsoft.JScript.ni.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2852	cmd.exe
2700	PING.EXE

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C57EB51-C01F-11EF-87C7-F2088C279AF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.telerik.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000e4caf0ed0c08e13f335e18bd720266bc9fe451ccdb7d5f05c8c5b51c95cfcd0c000000000e80000000020000200000002526f9c8a541aceeb1dce2b531fd4b91ef9b37949ddaa2197b45fbbbb39edf97900000002d47530635bd92bd4d4852e6bbcd84c7bf0801a22b3638bf90e5e245858eab764376168a42281dfa31c60e37190247a2818608d7670d0f78dd2609f5e79f63d7b1109e907732b8d4d660e19ad5625dac543b0afef52f47739ffa1d87accd6c4a748d569c0a19fda1c91de2118b181076ade9519dac435f9ce7ae020b0c3b4cef378deed6c4bc0336f785b7fb510e018840000000897fe71d232ea18a92eaadc44e916fb65e438c0caf46c9c20078b9ab4b5832b751624317b419705352b2f70a83a8e43ba868685e248f4595dfc8b1e71f5bed74	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "187"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.telerik.com\ = "187"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\telerik.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\telerik.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\telerik.com\Total = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000423921f9cce68b2c7005f598bb642073ed9d634c5ae43a2f1d26657207dddfe3000000000e8000000002000020000000dd08a1d9f3d4730ec3d24bef7cabc2e0ad437c98c55249621341276008cf6f5120000000d94daceadc939f27548a81234cd9f5638edc8cfacc796932b70e7e23ccc0417b40000000a97160fd1ad29a96407f81f5745f60ba0fb9c6c3a1e5477925822a4fd353b9c4f1439696939cb51d8ca9069ffdb8b364fddec66a7bbabf8ff21697d1e023e34c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MAIN	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.telerik.com\ = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\telerik.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\telerik.com\Total = "187"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.telerik.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8041f1672c54db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441004591"	iexplore.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2700	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2896	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	RVN.exe
Token: SeLoadDriverPrivilege	2896	TXPlatforn.exe
Token: 33	2896	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2896	TXPlatforn.exe
Token: 33	2896	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2896	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
2152	iexplore.exe
2152	iexplore.exe
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2432	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	29
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2220 wrote to memory of 2436	2220	d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	30
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2436 wrote to memory of 2876	2436	HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe	32
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2848 wrote to memory of 2896	2848	TXPlatforn.exe	33
PID 2432 wrote to memory of 2852	2432	RVN.exe	34
PID 2432 wrote to memory of 2852	2432	RVN.exe	34
PID 2432 wrote to memory of 2852	2432	RVN.exe	34
PID 2432 wrote to memory of 2852	2432	RVN.exe	34
PID 2852 wrote to memory of 2700	2852	cmd.exe	36
PID 2852 wrote to memory of 2700	2852	cmd.exe	36
PID 2852 wrote to memory of 2700	2852	cmd.exe	36
PID 2852 wrote to memory of 2700	2852	cmd.exe	36
PID 2876 wrote to memory of 2356	2876	FiddlerSetup.exe	37
PID 2876 wrote to memory of 2356	2876	FiddlerSetup.exe	37
PID 2876 wrote to memory of 2356	2876	FiddlerSetup.exe	37
PID 2876 wrote to memory of 2356	2876	FiddlerSetup.exe	37
PID 2876 wrote to memory of 2128	2876	FiddlerSetup.exe	39
PID 2876 wrote to memory of 2128	2876	FiddlerSetup.exe	39
PID 2876 wrote to memory of 2128	2876	FiddlerSetup.exe	39
PID 2876 wrote to memory of 2128	2876	FiddlerSetup.exe	39
PID 2876 wrote to memory of 2104	2876	FiddlerSetup.exe	41
PID 2876 wrote to memory of 2104	2876	FiddlerSetup.exe	41
PID 2876 wrote to memory of 2104	2876	FiddlerSetup.exe	41
PID 2876 wrote to memory of 2104	2876	FiddlerSetup.exe	41
PID 2876 wrote to memory of 2520	2876	FiddlerSetup.exe	43
PID 2876 wrote to memory of 2520	2876	FiddlerSetup.exe	43
PID 2876 wrote to memory of 2520	2876	FiddlerSetup.exe	43
PID 2876 wrote to memory of 2520	2876	FiddlerSetup.exe	43
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 904	2876	FiddlerSetup.exe	45
PID 2876 wrote to memory of 2152	2876	FiddlerSetup.exe	48
PID 2876 wrote to memory of 2152	2876	FiddlerSetup.exe	48
PID 2876 wrote to memory of 2152	2876	FiddlerSetup.exe	48
PID 2876 wrote to memory of 2152	2876	FiddlerSetup.exe	48
PID 2152 wrote to memory of 1876	2152	iexplore.exe	49

C:\Users\Admin\AppData\Local\Temp\d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
"C:\Users\Admin\AppData\Local\Temp\d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2700
- C:\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
  C:\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\nso1E5.tmp\FiddlerSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\nso1E5.tmp\FiddlerSetup.exe" /D=
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2356
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
      4⤵
      PID:2104
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
        5⤵
        
        PID:560
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
        5⤵
        
        PID:3044
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 0 -NGENProcess 190 -Pipe 198 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2184
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 0 -NGENProcess 19c -Pipe 18c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:904
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1b4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:2096
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1bc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:1132
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 15c -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        
        PID:2836
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1cc -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:916
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 0 -NGENProcess 190 -Pipe 1d4 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2432
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1d8 -Comment "NGen Worker Process"
        5⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3048
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 0 -NGENProcess 194 -Pipe 19c -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:1756
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 164 -Pipe 190 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2712
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1c4 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2556
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1d0 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2080
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 194 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2592
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e4 -Pipe 164 -Comment "NGen Worker Process"
        5⤵
        Drops file in Windows directory
        
        PID:2368
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
      4⤵
      PID:2520
  - - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
      "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:904
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://fiddler2.com/r/?Fiddler2FirstRun
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1876

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
03b182f27cdfd040048ac8fc84c68d09

SHA1
1bc000abb6728c8ca59dd75a15f3192207857f76

SHA256
ff746c865267113fc6c57881565f4c6e2bc3cbd1212a6e0492ecd38470bf0f09

SHA512
f09bdba2ef092c36a45825e6121eb1c199189c3e81aa188f3e77a1837fbdaa22a41723c0784bb2e9fc32634950d22d7188447902c41cda4313d8b147e2ae3e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
20d76396cd99c76b73518cc31b20c49b

SHA1
7f422aef01197f28900a5f98ce454aca0850e480

SHA256
bed4bfb4efa20f7ec5fbe341cf7ad5a7ff569a9d51f47da58772afb79764dba1

SHA512
1c2d72e27ec19515b8fb847d1aab0d59d89a658aecf553dc25975cc9dcf757777e8948bae7c602259a60bbe26568bdcb7419222ceabfb548be2f598a7a07ad24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
a59470ded093df71f02bf166c24807a1

SHA1
95cbe309197003008cd42d61ab8897e43485ef39

SHA256
8cd66e4c55f86d2f56d39097904c8cdfd05cb5b5fddd00d7eac0c0580ce53553

SHA512
a644e28e67bf321652fffbe5bdd4b3b8b9df0df717e9b408fa81b5fef37db15c02642c107a3d82dca7ada207de41ef8e95ec0cc58c2c3e7ebc1d8082e5daf849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
5deefc1f3d957b183da33b10331454ca

SHA1
673f3e03ff142542227ff95623969f5c4612df92

SHA256
85d84636206150947bff503baa4216f97ed9562b0ab91d553ed27440bb594548

SHA512
9122a923dd0656ec49c70419ed591aa39f5a41592826ae8ed4ef35fb84bd007dcb5870c4c2a29aa4f54f3a8003a47ad9e762f51d17d1ae3ea77d73eda888a3fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
2655e96a1435bb303295a5fd2d62eba1

SHA1
a2280bcec8bad06e1d32c9adfb3012c428bd03d6

SHA256
4415c648dc9acac2256b94732efc7a864b0fed78a1f3bcd2d677e2547ae833a6

SHA512
7c1281e7afa62f04353a526584392eb2969cfc028235037f6598826686e6952bed5df220f7aad5012880542503aa16d0baabf37403fa92835e37fdeae035ec98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
3ca3f4d40b49fb0694acb2a81223c122

SHA1
978e7cb3fb59ed12efdd6fb4f62cf39a6eb3790b

SHA256
f01cb6ac083b690730830b6b9ac86c1a49cfa1318ce6c896e8ee80459ac9a2a1

SHA512
200cfeb1db24e27f795cb548ce090649d7c26b381d2a00697b8eb8328cf9283f3eefc03e8cc6e1c673a7f7bccd09529eee1f2571d2d8261dbda5f27e36c839d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81f51619d185dabab90593a0425e408a

SHA1
d0a21f5ed3a92ccd0c27a6895dfdef9ee29c65c6

SHA256
a6129d8bb66e99b49c11577bef9de6716c20460662fa1ee3225559322e57052b

SHA512
b6dab92489c3ba8e5e33dd0e8be42c2a0349937a770a2fc5648d613c05b1b766412b6acefa9deb7804850ea8e3a774056b0b457b69b073d87309d3484a8147b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea1eab143a364e89e366a00ee619a5a2

SHA1
bc578c00b7bd8f4a4fbe039a4e881173e300bfa0

SHA256
275624d1d47c859d41f067d9e0fa32ae0ff3eb435cf98bff142b8552fd9c4ee5

SHA512
e781e4accef9016557a14a3db334671d7637c582fd2b6d47f6fc58fe8270cb016dd25ef75c245b120e8bb9e60b2b09613bd44ff820384d270f30310b76bcc116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c325ce21644e2e886936487a1630e9

SHA1
71c78986cc25f2546efda7c654d78d24154c1c59

SHA256
87a24097433957500558936396788c006dac3fc43333c17a777c8ee55ee01a11

SHA512
13d77cda2075ba37d86f9f6c29142623f85b9af492248cb250f4af9e6c21b93548c59ad22de8ef81feba7c018b760015dc671b22415016c9f8e1addf8c3ca1ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3e8b46509a04d75e2723378aa541256

SHA1
32eb22584fc592f7f4edad079e76b8c163488060

SHA256
1cedebe3aa55d099207e60151d494191344c32bf1407723525370e15cdf0c1fb

SHA512
aa8b3d1983421274100194749a54576ee470751651aa5d1f04c138d9379ded1f2909807a166134056b05ee626861f9b5425db2e9d0072b9d79718cc5424bc430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aefb558a9cc61e7711cf1c1ee96f93f

SHA1
d285f4e2aa9bb1022c63b683693ca89b835b34da

SHA256
5e0677493ab3d06072d3147fd1cf33bf3073ff89c0df019cd4e0cb100ad75730

SHA512
81146bc1ad76037f39c0b68c17f5df7fe1b32fc6e8fb562eda5cff8fb252e08658d974ce8ca086170fa31ff7dd4f6f5ef93d3237cd495066d8ce6dd6d1db1b04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
131d5158fb1093fbe604af92b31d8533

SHA1
eb5f8400e122f0ced2ea6d6440785676c9c45757

SHA256
52fdfa382076bdc1cb87705259ae0dcf2d7a5134b9a035844d3993216beb315e

SHA512
26d418a2d6bb14b2561b23d71c603cdca91aad6b33b6695f9382ee8651576bcae6a386c14e0e93d8b115d47eceacbdaa1466e18c5060971c9fb584a03eb5fd55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d548655ecef49b303161d00f211ab26e

SHA1
07dac80c92f19b66795e0c3e70959e4dcd255c34

SHA256
059566c05bda1f9e61c463e69449267bcbfc0315b23789393a6ec592b204195f

SHA512
2583b0c3b9d6255ff03c9f894b73c568fcd5c6a7d9f86666120e1b98b7468162a348ca30377eebcf7d5d3dbe5fdb3e2e4735b7c07144f511bff9502773576529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c60f39ff43221f790dc047696190bbed

SHA1
719ceea7c9fab4d8a782d4908e21b890a14d9e3f

SHA256
bbd8fffe281573ca6fc7587eded5f98691a46c3a194e8c5258fb6f6c2d5ef2ae

SHA512
3ee4da0ec1993b95ff72854e76b3b75070cce323bbae0a3b8b654ae0a73c068b92742a640d2152c6f680f1d5e837a54848ad001d6606810af8afa62d9e9d558c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef1974cdf7387a363641c2d34d509f19

SHA1
68ddd38d5f65e145228bf0af2d23df27bcbead22

SHA256
1bd4f1412a35fbc100c8c15496a016e9628397b9d11d65787705e6f67d25df0d

SHA512
e175f5fa162906fae6c7134b9fca308838a72df1a6b9208c7d3b6f670c98506f102bf18a9b1acc030fe78a946dedd30a8005f5b0147a1bf8bf1b137afc316e12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8eb849d5447de80962187cbe948b68d

SHA1
6083d502a8e238aaacc1f40ac77ff1c7d041e829

SHA256
e6b08656ab502999fe3f83c992ebba4c7c813c3d54642c60b8332964cb5df0d1

SHA512
5e568eb2a8119cc2763fc308a3915680cc4becbcbb6b9afbfad02a4ce9701a9cb2c39da6a814d31c4d2ccc61f0afac20f8b14959e80d9f31e2229165b6e190ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68569e490b33db7411e9fc2b19f3f8c2

SHA1
188625f059552e2ff6bf1a7d6c661e6d3b36f778

SHA256
64d54662fbda1f5bbdce1f6baab4808904bc674b239eb8b703847c91ec3947f6

SHA512
91709d43f58734c87c8ebb586ecbdd8e310e1a20197ea34a6f7db5a0486460cec07ef9e91e65005549a501187afbfe826583e2ebb64c7f63e0c956a5dadc47b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5d9162fdd14b0ee69d1723a184ac1b8

SHA1
4704bf9aadf683abd178eb599947c1f3014b7147

SHA256
c57dc178764f62b29a3f443f675f37ba07fc958cc67e3e771fc0f31c0dd23105

SHA512
f9f4a6ad2e5157a2971db4fa34a2eede53e0ea48e4c4f8a67139eabb64c35001c962b7539a51272cd3f68d17732dd8592d4d48e850a10bec737419f0592c4ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57f8ea22cc8139213a025c7469b56cd7

SHA1
58f83240537bc2b714c21628a9aef8c05992f3ba

SHA256
7ca42126f1b1839fccbbcf5b79f40cd45c6f8b5cca106f3fa27b893bed838a89

SHA512
1319e2a52b4d70d59061f8bb0aa2a816092ddce6a7ec20100f864567c2deb23190a39761d2d73869a2bf5b2d007b4feb4b72af9bea990c9b23d1c1af50c66035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11d69fcfbbdb9a0187e0e8303165908d

SHA1
fe626e0df876f82c67501ac8bfac8496b27e5f76

SHA256
187b7b7bf133b28ccd4b9ca89efb09a6aee8d2dbae12f66e96d55ccf75f808ad

SHA512
ee2710f74a6f16d6d399efcc94c0fe3727ed02f10e94a5fe4820c82bdfda30b4703944f68309d8ccd01120b71ddaeb2386667bb9762b5ed797dc967f2cf25ab4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c5b8fffbd6fd421d212e05fcb5cf8d

SHA1
66d7674afbae66e23b21563adb29be7dbc4a7fba

SHA256
12057889b5cd62cfa3d467455476060f12bd3213ab61cf548eed8cfa76642c41

SHA512
0887051b298341fb0f17d9b8e351488b843527036c5aeb48b3f7f2bd5eeca92015e2007ac34b1cc10810d01810116021dd2bd5bc081b57ae48162c8e3f2e5070

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e2d520e1498cb026217021995af2fd4

SHA1
6e08e8b55e0d143a41f60835bab37da018d56fe3

SHA256
6979d7cd67407c8dee58f6729f1769b7f0ee3f168d7d1c3cecc1c5f40769713a

SHA512
a05100a2667e7e22cfe96de7b24782d0a1e211cf544a9172013e3b8edcc15ed9a720025fa59cb14ae02cfeffb53edcfd43eb0f04820fd4fae5f1223a2d11c00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ca8272d24ff2ec055b1e4dba882821a

SHA1
2389de03ccf2fe0ff481c59b13bf9608b6afa6fd

SHA256
8d06b3b6042e3aede59bf67d6019c6bd0b0e39ca11bc43dff7494bbead1ba8b4

SHA512
f98280e85314184de8f1b1b6815ddb3f5324d2c18b327844af4bb1aea4e2b1eb160c30da1edcfa0fe213ce8eca0a6f8558139ddb1896929282fe92ab757aeecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fa0cc7fbc7fa7953712d92b8948b529

SHA1
48e0d3a23765048df3868251e4bb1c18e0fdc244

SHA256
1a5abc3dea265c5b8422b4749263db7dfd0487ce217f9c4bb86539a0e880634e

SHA512
f691e48362ac995d0b53b5643633de404a07a6bfeac434bed05bc2b4ede9324620332d57a46f572542eb01d58e99214840bb9619dc3083d87c7d85434fb290fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7ac97875eb4d1f0b9c0cbdad794fde4

SHA1
07a2c3904fd5f355b4d622ad1b07c63b1bc28d1f

SHA256
4f91fcb20f6f159f9cff2fce3308166948b5ca5077c334ae586eb0c2e0807bc9

SHA512
2a00ae1303d403388936d7dbd23d5e6a85c70e76c523781957a8b8edabd301d5cfff098e8cb9cc549bc0b535d3524c6114816e8f4522647cc0807be9486e9f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e527c6f7c0c9acac90fa6501c25e6a9e

SHA1
329a9e7f53253c19aaf2e2edbcf8f9d7524e0abe

SHA256
6892043381b9cd463c927521cf089edb207255ceff18a3196c0683e334a0dd4d

SHA512
e8f8876daab1467bb96fb2ad8e3ceada716ddebc3efbdf37daedc97e5f713056ae0ad1d02d54da391ea115ba59ef80b419c811e90c1c68dbd63413a5368812b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00871537497004c04f3cf808fa9b192c

SHA1
0a458e7d8518bf7c561a605ab686eaa5345bdbcf

SHA256
7beefa074ef238a72b22cb3e958e0eb9ef354cb0026923b983fe793c42265b5e

SHA512
60447c15027a9c3592a6e0061441e6bd6b64e047f937558bd5bee3c3324f653a9f1338a4750a25a00f259525d1a282dfe1fa5df0e5036b6916b8d45b95499625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fcd5cdce861e7c183c012b8a8c0d941

SHA1
b3f5d06f604a075dcf80bfadb356ea0e9d58f248

SHA256
c79fab73ddce3007a4f05deaec47329ea403ad88fcefa93f0b9a72b1890e09a4

SHA512
e1d6efda2370e5f15f78d7565ed6f3b5c2dd4c934f86d46a14b965100b1a74200339f0ba52c567bc5263718045daf158cd479684318d21c9684672c7c8fcc22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66edbdf041b94639d31fcb07ded958b3

SHA1
2df031960fcfd4e1e918e3d393ebd3bed693361d

SHA256
263da2824581569f47c95bf0f6ca2cc4b2a2a56303a8e1a37adab2edc968105c

SHA512
1c918d4f53e8173c3e23285db0eceea9159a4ab9c38ef7f8379f3997d01c43277e3fa38b8dce624aa84dbe9b043760fde922a472e4ff1f77a5d39846958ad07e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f7942354d28003870939ff9c677a37e

SHA1
5b33feb6d93436442ee146b129e508368017e209

SHA256
e198d34b2e654e7c76390bfff44bf0d086642a351fde884cfcaefd8a4c57255d

SHA512
5ca304f173272978e77f0fe1ad79e75f57601b45f7365130d2c45e7e9e8888ecdbae90ccf4096f3745adbd2ea7d7e63eca505bba5c7c9e8f500c0138560a62af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3a8a1058b4c972b8538908590e782a

SHA1
87a308915fbf98533f0110e35b4a45d51e280ae7

SHA256
dab12adbd6f4ec4fdc4a1f86865b7e146fad58a418b86b65d2f9b7c299a898bb

SHA512
56f0056fc70c232e62f6f6cb3aaf03650e610efa78eb9f048d85bbf7c44b1f1f317cb9c0cd5f6ad1d72ed43f9941937277e0922a054d2faa4919596396aa4fcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9832a362c7de0f1c52fc67b5a11fad55

SHA1
f09ab266fdbdbfa113c04afe2f7f318aaea78cb4

SHA256
51327438860f025066d4562c9f2c7fcdb278aa68168bdab9a855dec391d94d4d

SHA512
7e5958fb987fb0da7022f0641d4e3665dc3d5139b4ec0ef3b910175c29b18d937340061e47d1c184f80c8fdf122fcbd84589ed3a138a10927b16ec95fd2bf129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
1e6cbd1d5da1a658dc598feca97ed5ca

SHA1
81c5d0a2dc2957b8b44a34559b65b7ce63d3bca8

SHA256
13990ec6b808646b8f60d7ad9657b12c7d75c603aebaa89a474ce48f2e466f2e

SHA512
df005738ea3e3bb0b4dcd05c1411484c1b14d7e1dba8949b25043bdfcc2de3a6a06d32260bf8b883fb57f4d59d622c759640d7ca091d1fc6c8766472877fa16c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
24687c0c752186d7d3977459d56951a0

SHA1
73b8f8c79f8466443d6afa8bdd048a0e41093474

SHA256
e9739808f03e0e167d0903c306b198c6721d711cbe1f4020bedeec8f8294c790

SHA512
664a3f2d4e9ab3ef3249bad62b0d2ba44501c4f825bfbc4e210899b061c952850c10cf16c9c39733b08d41feb3411d5e14b03f7e2fb45a7567ae7a871d2f6282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f5a836ca271f4af36f147cdfa2384896

SHA1
7107039573bbfa5acf5647b68f7456133df3613a

SHA256
278e3ccdce05a4d65a1cd4625272f12ee170a41cb6e94438d9a0eb3e34e23be1

SHA512
5da8a39cb0c2829d66af32973ee4d7a0a39754dc83286cc2b42e07db8515fb61defe037f97d6d7f993cfb5c0f6b816103b3571885abff8757173c189d3ebd9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NCB0WETV\www.telerik[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
21KB

MD5
3c2ac3ec78b2718159eb45006a324b84

SHA1
d593e96e66366b8d40e6ed6ac2a9e49e1d0dad6f

SHA256
d84a8536034c2f8eb7ac03c5d7bcc6091dd6de8404077c2b74b0bc296f5d7daa

SHA512
9d98cdb818b6cefdc4197f65539baa0f41ef7b896199bab4ec9a80da628ec439d4966ef81bfe6522440d180fc91980797929942272236f8ca80bdb4ad8ae693b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\favicon[1].ico

Filesize
20KB

MD5
12649f4e0c5a37d4a41cbca768c8e7e0

SHA1
1257dd7949f4aa81c8f791dceeedd66e486dc3a0

SHA256
7b990b226fb3e8970b750dec91d4e8b9b59b2b7b069d0243d7bf70febe8ede53

SHA512
a0f96e89664c938ed38b33a127ef56b882f2ef3a60a4e01324602905b054c50a0ab87a725a21e61c3c60b5225e8825cbeab8c5664c2e59be168071f1ce1eeed4

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
449KB

MD5
11bbdf80d756b3a877af483195c60619

SHA1
99aca4f325d559487abc51b0d2ebd4dca62c9462

SHA256
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1

SHA512
ad9c16481f95c0e7cf5158d4e921ca7534f580310270fa476e9ebd15d37eee2ab43e11c12d08846eae153f0b43fba89590d60ca00551f5096076d3cf6aa4ce29

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F4D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
576KB

MD5
9b75bff27fe85a88f5e6816d12323638

SHA1
579c9a21460c00fd73a1260e4b03cbb9209e00c0

SHA256
6d01f24cf5d016a536e294adb33251dc41464b02e403d42245c44cc183bdd5c9

SHA512
0d8fa75757d9bd424a2d0f8d5331c4510516f49ff5d0a773f367884b58f4f8fbba8d66723128b526c3fda956709db47470e778145fb58b98b853c0abcfe24690

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F4E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll.aux

Filesize
588B

MD5
90dde7396bbc17dddaa7dcdec75c2d7b

SHA1
613a143997175a531af577c3e47611d006cd585c

SHA256
a3613a9ea1e995ce43a3754b3eab8f09325f039188593a4666bba0fa56dc5c03

SHA512
3cb619a3fe00d5cff37830e080a5db2e27d122293fb15f200a6bb59ad905d32bb99c720d36d1a8f6fcd89cad5c8e2610dbf89c09db28f7ec1974041d4b026c18

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll.aux

Filesize
888B

MD5
0c2e9bf2f96be2986d8b8449c0028067

SHA1
c41ba485bc1d847ebba609bc4bcc37b4109f7fca

SHA256
4d9d156b27b902a1265a2d36a47fb285ecba5abb97ca730df3893f3397f5da4a

SHA512
8a8eb919323d37cacad9665b671d5639bcd4f0955997f5321a486c1e3179bb6762b2ae009cc658b402dbb4dc0d873e110e58f5b67565c458eff2d16c8f1e46f1

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
0fa7a2200ae2493f05b85e85688aa663

SHA1
18ce43782b1a150948a3c80df0dd3374372cf675

SHA256
d2573a4a215ae02c70b6fac850c22931a757c18ff243c16b819b03d1dc2bf92e

SHA512
84629c719112dc1257a89bd0de5d4be7465abe6b81a25c8326a05f5001c51e6f3b921652cb81da68bbec7e975f476aed6f8606d1da6e736f456c65853072e129

Download Submit
C:\Windows\assembly\temp\15LWRXSUNF\Microsoft.Build.Tasks.v4.0.ni.dll.aux

Filesize
2KB

MD5
c228a99297b86188b16cd8ae9f9e95c7

SHA1
b4603bf9196c3908a94ddff0ac2e51d1edd40777

SHA256
4bf1bad2d0aa458307845c6cfff003ad168b9af1c183d4fd44de734bf66ead97

SHA512
f6933920fa6c75bd3facbc91d8b6d594461ebfd54c5557155fbda4d6fd35c135d2438e377538540103947f7394d404d05dc7b08fd731e067cf45d94919cf474d

Download Submit
C:\Windows\assembly\temp\36FFIYH2JV\DotNetZip.ni.dll.aux

Filesize
532B

MD5
874863d695af07df17460e56498a47db

SHA1
c64deff1aac7d97fee51aa09a1f8a64bb3679ed6

SHA256
d8e59722d2b4881df93b9cde8d01523b73adc9a2eceb204fb7cd1963aff75c73

SHA512
864b081d61881839495a097a4eb4ea71bb6a29246968fd981bc7e7d318558bb831fd673941459329e096625e454883b7f2af2e9b2f3785fe51b672f275e38728

Download Submit
C:\Windows\assembly\temp\OHBT5BVHTN\Telerik.NetworkConnections.ni.dll.aux

Filesize
732B

MD5
61d90bbb5964d416b86d7ef8b9adef40

SHA1
eba684714c32c9f2939499ee896a492122da707d

SHA256
9051805012f5ce17fc5f4a71482b34f9c0c4b61bf640ee31f48719a926782ab9

SHA512
867d21199f7fd950cdf9a4f2ce5435326abd7411a137f60c406b8ec185ae7d50e211dbf98a37591aba24bdd00fbcfee974e46f6691e8589e6dae2d11e2e8f47a

Download Submit
\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
32cf2e7c6ae825d5f7cb2a7d39c2ee24

SHA1
262176d879e7727375025cae4aafc90698adad26

SHA256
d7ea71114bfe70383c1ac2be6dd19676805a0afb6e20c0ad3000018afad093e5

SHA512
a72e70f1a11d4443aedc56a2453cb3ed05bd8106b0e906364f23f01098a378440d2d86ac15f6d98ceedfe18b0a60d80f6806300b390c2969c3de97cb380b82c2

Download Submit
\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\FSE2.exe

Filesize
50KB

MD5
7a8df7276257139271a09a8947da44e5

SHA1
965c788156e2e29b6d1012430afee0cad13093b0

SHA256
8b0b9859af32d467fb7031ac8164779ffdb274cdaff959d89d11a65a365c8e12

SHA512
2769f62f0de76726c33cb0eae42c933806ddceae6c1f97d16302c575a8955fe33d4388824ca2a2c1269b09755e42b82fa5dceca825bd19e3e83ed43f97ca1f79

Download Submit
\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
1289dc21a51fb89e685fa4c91764c00e

SHA1
b24210c4e71ace272a1984e171d50380687f73fe

SHA256
3e6f9a8b9dbd8adb521ce02a1c34e20350b3df438deb5bc4ada33c8cca6d25b9

SHA512
9cf63f042197470e622b97bf11845722c6338e69f08932b2f11eca576162235ff82c2def13bf42cea4c3b583ebd0342ca10ca6e5f2a3c53e4a6db5ae7006a0f2

Download Submit
\Users\Admin\AppData\Local\Temp\HD_d4a126a8d0ecf6db5aff4d2ee4fa65bae21a7d85a8697e425644f74769a851a4.exe

Filesize
4.4MB

MD5
78537045a5e032d4ac93514f027c7a47

SHA1
5b6e705b20652c0cf39ee890013b9b8e8ad26b07

SHA256
06812518a722af6f98fbd8c3a5ace0cad1c6d53477972618728e64bafcbc948c

SHA512
8fee84a791ae85175b7d61b54c66fc47abd4e231b7194779d2213f94c388b23e3f8e0408a1f29856b2a0404d824f17858f6b0676f6a1656428424665658c4a47

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\Users\Admin\AppData\Local\Temp\nso1E5.tmp\FiddlerSetup.exe

Filesize
4.3MB

MD5
5d96b95b066d797c7c468d125882ddcf

SHA1
8a130db5e4f6207b70939c5007d6689c22378c7d

SHA256
7ea1a09eeab47eb4658938bf4a023c6231de726ad076fde189c3383ffb4091fe

SHA512
fd746263b0aad96e90468aac664a3f02af20c2291e03138cf201d68036bd8ce26cc36b5fdc4e97ae5f93c65a5660de91988e3ee7156359de509fea9b4308550a

Download Submit
\Users\Admin\AppData\Local\Temp\nsz33CF.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\DotNetZip\330381c0d4a4a49e56426709e084cc48\DotNetZip.ni.dll

Filesize
1013KB

MD5
75466b5e53a262f579d58042eb0c6fa5

SHA1
aba87382496d180a3e71c3626b617bb65308d358

SHA256
dd470f06556af0b809868b8ddcf6db70833d41fb1b7d2086de7ecde34e3085fe

SHA512
efe4fc459cdf8148792f0d43da4b5e6e5ef86f6f2ba2fde868ae6b4ad72f58ed8af6e134de72d754f5916e3570e7d1f205633321605c4f939453537cbd538bb9

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\4f44abb46807a5ad0f0bf1ae5ba48323\Microsoft.Build.Framework.ni.dll

Filesize
546KB

MD5
75de4db178e3310ebf8bfa83a003b8e2

SHA1
c0d05985fb9e28ede26b00143d939839cb0e3ae6

SHA256
304ae94177bcd5f8659eb5a232676c2a9857dc495c273fce2e2e65fab4ae4eb6

SHA512
4310161d72d60ef55a5ca6601bf4f5773518a9fcbeab4fda60afc18b334a1fbded3a5426795ed3587b5c51e2f6fc39176014a75e75aca2d3cfafc8a19d85b983

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\4a58f2013ffa484c7f872e70952613ca\Microsoft.Build.Utilities.v4.0.ni.dll

Filesize
1011KB

MD5
6d7e1bc098c599dc54b552531ed637ac

SHA1
ff4648a4ce473a3cbe6e3c75e1c606d593353de1

SHA256
874ece1c76a575a96e174eb846edcbeb6134ee66e71bfd025a250a7406627ef5

SHA512
1e88c80b969c0ac44e880316189ce3789f2fb0d8044e39c90ef99edfe4de83f7c21dc21adf4c51f6d88f77b92035b519794ed91d9d04c74cef971aa3424ce04a

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\faa890702be0a0b8574aa82cb24b9da3\Microsoft.Build.Tasks.v4.0.ni.dll

Filesize
4.1MB

MD5
07de6b9bdeebae49461ef58e29953464

SHA1
5ba78e69c3d93724c6a3de013157b9350bcd6eb9

SHA256
85da41cc1f1beac3528bab39240912ecb8ac7fb313a89342e3fffd9cf0a99c74

SHA512
1b10add9a8cab2913299a03da26ad4fcb84826ff33c847d53078d18e3459b4c07a3b0ee52b67d9fe2f5b90ae7f98da502369159c2edc3e81fa569242184ab0b4

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\2145e325c531dd03775cc61606722965\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
d1d5dd7761a0e2c31c2baeeb4442a6ba

SHA1
c681dca866baa02e7840bffdbcff349da69ba25c

SHA256
84676accc10df0f610772b5d447b058a9fd3c4d399cddc01ef6510d9832915f1

SHA512
59891b98e42635c056debe5fdd373b3d31ef1731c653c7df179c0db8544c6bfc6e4899d62a3068b76a652e71899b285e1757260ccaa805658e1e77e00cb9b263

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Newtonsoft.Json\1ebe746ea3a361d99ffc6ea2e12b5a66\Newtonsoft.Json.ni.dll

Filesize
3.7MB

MD5
03eabadb3e9fe0a8566ce36fde2ed959

SHA1
c0da077a84d61426c6de7d27b5bd3d5beb034352

SHA256
2467069bdc725532c792ab7f026bbafbbdbbd311d5ba83c502cc35a044b90860

SHA512
b60a5ac1f0b062ba3319ba93171f2d150a536fa4ce37bc7061a76949ca98c5ee08dc342f232bf47b36753c4046c23828fea8560b083778f175d5303906c9bc82

Download Submit
\Windows\assembly\NativeImages_v4.0.30319_64\Telerik.Net8bf66678#\e5f4977994d2fd10324efd51321f1c59\Telerik.NetworkConnections.ni.dll

Filesize
94KB

MD5
8c1196b2476c2ae2dee297e3db1cf37f

SHA1
27b4c6bc7876d7f52f34bffe2fb1f3cee88444ff

SHA256
f298ac1090234846c34b192f4683d34477f84f5eb8b844afedac9d4de246e104

SHA512
cd4bbe93c3a40035c65358ba714f39b8c6770aa44bdb87ed6dd23292f7a641c3da3977691fb1ecf83f1dbb6fe704edc6eeb817d1da48b4f2f9de62cf9c2ec591

Download Submit
memory/560-249-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/560-251-0x0000000001FA0000-0x0000000001FBA000-memory.dmp

Filesize
104KB

Download
memory/560-255-0x0000000001F10000-0x0000000001F20000-memory.dmp

Filesize
64KB

Download
memory/560-253-0x000000001B0B0000-0x000000001B1D2000-memory.dmp

Filesize
1.1MB

Download
memory/560-239-0x000000001B390000-0x000000001B712000-memory.dmp

Filesize
3.5MB

Download
memory/560-241-0x0000000002A40000-0x0000000002AFA000-memory.dmp

Filesize
744KB

Download
memory/560-250-0x00000000020C0000-0x0000000002104000-memory.dmp

Filesize
272KB

Download
memory/560-243-0x0000000002700000-0x0000000002776000-memory.dmp

Filesize
472KB

Download
memory/560-247-0x000000001B000000-0x000000001B0A8000-memory.dmp

Filesize
672KB

Download
memory/560-245-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/904-1309-0x0000064438000000-0x00000644380FF000-memory.dmp

Filesize
1020KB

Download
memory/904-1213-0x0000000001ED0000-0x0000000001F14000-memory.dmp

Filesize
272KB

Download
memory/904-1214-0x00000000004D0000-0x00000000004EA000-memory.dmp

Filesize
104KB

Download
memory/904-151-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/916-1453-0x00000644A0000000-0x00000644A0100000-memory.dmp

Filesize
1024KB

Download
memory/1132-1403-0x0000064438000000-0x0000064438429000-memory.dmp

Filesize
4.2MB

Download
memory/1132-1365-0x0000000002E60000-0x0000000002F82000-memory.dmp

Filesize
1.1MB

Download
memory/2096-1336-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/2096-1343-0x0000064438000000-0x000006443808B000-memory.dmp

Filesize
556KB

Download
memory/2184-256-0x000000001B0E0000-0x000000001B19A000-memory.dmp

Filesize
744KB

Download
memory/2184-1099-0x000006443CC40000-0x000006443CEEC000-memory.dmp

Filesize
2.7MB

Download
memory/2432-14-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2432-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2432-1559-0x00000644A0000000-0x00000644A001A000-memory.dmp

Filesize
104KB

Download
memory/2432-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2432-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2432-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2836-1386-0x000000001B350000-0x000000001B3F8000-memory.dmp

Filesize
672KB

Download
memory/2836-1387-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2836-1385-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2836-1381-0x000000001B4E0000-0x000000001B862000-memory.dmp

Filesize
3.5MB

Download
memory/2848-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2848-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2896-47-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2896-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2896-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3044-274-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/3044-264-0x0000000002A70000-0x0000000002AE6000-memory.dmp

Filesize
472KB

Download
memory/3044-275-0x000000001B460000-0x000000001B508000-memory.dmp

Filesize
672KB

Download
memory/3044-276-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download