lumma | 67385b876e3f23b60975da253b4e8e6609ae991a0b7438d24e8d2c37138ebc87

Analysis

max time kernel
543s
max time network
545s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fiddler Triage shit.zip
Size

24.0MB
MD5

aab4af7ab6d12b3601ac10f1b964a68b
SHA1

455a4309576110b0941c4274cab6aa50d39ab5de
SHA256

67385b876e3f23b60975da253b4e8e6609ae991a0b7438d24e8d2c37138ebc87
SHA512

57b360fef21732dab4c2a090eb5bb144116c667ba1cd4fffff211c37394473cd81d141880928647058ce457943fecc78e72fe26d103eba381c850a39bf7786c4
SSDEEP

786432:43pbRYbps1mkEsOVZeBILTsnnTTg3izTFaf:EZREs1pNUGInOn00Ry

Score

10^/10

lumma discovery evasion persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2576	netsh.exe
2516	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Fiddler.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	EnableLoopback.exe

Executes dropped EXE 8 IoCs

pid	Process
2460	FiddlerSetup.5.0.20245.10105-latest.exe
3684	FiddlerSetup.exe
2756	SetupHelper
1908	Fiddler.exe
5916	EnableLoopback.exe
6080	FSE2.exe
1464	TrustCert.exe
1192	Fiddler.exe

Loads dropped DLL 39 IoCs

pid	Process
3684	FiddlerSetup.exe
5100	mscorsvw.exe
1964	mscorsvw.exe
1964	mscorsvw.exe
3132	mscorsvw.exe
5040	mscorsvw.exe
5040	mscorsvw.exe
5216	mscorsvw.exe
5784	mscorsvw.exe
5360	mscorsvw.exe
5920	mscorsvw.exe
5920	mscorsvw.exe
5920	mscorsvw.exe
3668	mscorsvw.exe
5828	mscorsvw.exe
1544	mscorsvw.exe
1544	mscorsvw.exe
4940	mscorsvw.exe
6116	mscorsvw.exe
4940	mscorsvw.exe
5392	mscorsvw.exe
1908	Fiddler.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
6080	FSE2.exe
1192	Fiddler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\812ZVS5E4R\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7M1GPZYQ2T\System.Security.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KJHCYJ6CGS\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1720-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7ac-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\608-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13ec-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13b0-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14f0-0\Microsoft.JScript.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VG4W5L1D0B\System.Numerics.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7WAJY5W6YY\System.Deployment.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\VG4W5L1D0B\System.Numerics.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7M1GPZYQ2T\System.Security.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\KJHCYJ6CGS\System.Data.SqlXml.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1510-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c3c-0\System.Numerics.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\812ZVS5E4R\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16c4-0\System.Security.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\7WAJY5W6YY\System.Deployment.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\e54-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\134c-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1460-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\LM48JGQ557\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\LM48JGQ557\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\17e4-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1096	1440	WerFault.exe	203
1104	5128	WerFault.exe	209
2852	5368	WerFault.exe	214
4424	3344	WerFault.exe	219

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.5.0.20245.10105-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSE2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EnableLoopback.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrustCert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Fiddler.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fiddler.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TypedURLs	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TypedURLs	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Fiddler.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805452026059915"	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	Fiddler.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F\Blob = 030000000100000014000000c10bb76ad4ee815242406a1e3e1117ffec743d4f140000000100000014000000259dd0fc59098663c5ecf3b1133b571c03923611040000000100000010000000e6eb41ad6404317af8a18b64f98c2bcf0f0000000100000020000000d9c7db0b704f07089440c56e69a0f31d730edf77cfbf7514630e8b5390a270fe1900000001000000100000008050a1c09667687456bd1c63be8f6fcb5c0000000100000004000000001000001800000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b44b0000000100000044000000390043004200340033003700330041003400320035003200440045003800440032003200310032003900320039003800330036003300300034004500430035005f0000002000000001000000ec060000308206e8308204d0a003020102021077bd0e05b7590bb61d4761531e3f75ed300d06092a864886f70d01010b05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303732383030303030305a170d3330303732383030303030305a305c310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613132303006035504031329476c6f62616c5369676e204743432052343520455620436f64655369676e696e67204341203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100cb20ef971eb9013243a05ba98a23fd205eae38128bca2cd4ff41d81a55d41953b7fda317e77a395cc0f7ce11a3f9a5ed01fab5ba93efaf93dcf8e2b3194c83b04a4450047884106aa4d696908e81f87cab2fb5a35733d2587b940e6d0fa591262ab3834f72b18a7b6492d0f0b4555f960b11e59ab52cb211cf251b7d512b981f49a35ff8139e35b80302daa4132f854aefc42f700ec1d4cc3312ecbd4095d311cae6cdb3059cc853eb52d7784c51019282de13f3078e74ba84809fd2a4150ee8afebf789f6df71f0d1bea7b241332075ccb1d5ed1d0719c4eb2677f2ab6d179349a9b7e6c3909cc6b8ecccc97b9a5ec5c52493636f7e108b61cf9855a324a28836f2f99fbe932eb2069f26c00c015612e1b28a9f0e1edc988b2ecfdae28934a61f26a0a8ae786deca188153cc2eaeeb7d8ad61a5af7036a2798edc0d73c0f1e42cab94ec5806393648d63b5ae822ce740eaf2cf115dad1b495e8acd5496de5afdd9b6b63205d8e7e3bb243d8623a94e5cdb498b3371924127273ab04b009dc85e6d42204ef402a1d2e6dc769d36eb7016c0de097a716e6268b88f70344865f62674cb5a737a855dc03368c6ecf6d3626f10e8fb03d71c0e132a782e4b6320232307cb593c821fd3c88e66963f8ee75c98bc2abefba3afde95ebfb611f1bef03dca323e6e7dde0f7e9b95c41287e71ab84eee2cc1dfa165e82483c92ac2fdb9530203010001a38201ad308201a9300e0603551d0f0101ff04040302018630130603551d25040c300a06082b0601050507030330120603551d130101ff040830060101ff020100301d0603551d0e04160414259dd0fc59098663c5ecf3b1133b571c03923611301f0603551d230418301680141f00bf46800afc7839b7a5b443d95650bbce963b30819306082b06010505070101048186308183303906082b06010505073001862d687474703a2f2f6f6373702e676c6f62616c7369676e2e636f6d2f636f64657369676e696e67726f6f74723435304606082b06010505073002863a687474703a2f2f7365637572652e676c6f62616c7369676e2e636f6d2f6361636572742f636f64657369676e696e67726f6f747234352e63727430410603551d1f043a30383036a034a0328630687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f636f64657369676e696e67726f6f747234352e63726c30550603551d20044e304c304106092b06010401a03201023034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f3007060567810c0103300d06092a864886f70d01010b050003820201002575a009c939bab7a139892f189fabd6eb1d4be8947c0d07689b1c9def71b6176a6b024fb33f864587cc659b4ce35806022266d56102c5638fd4a2f1b65e250b7796e9cd7140338829eceef3a26dbc4db53e064bc97333ca08142d3d4ce8b0ba75a6742da4583a6c1349f8a5150a149685b16a68342542af9656f410fa247df12b72c116e16bebe6a998c73e5af4d0189dfd74978677462a3d237d28738aaeef2b1b9abf6c53a7149e3c8771c05e8ec8fbd32a9233ea574d5e075ecac118ac812d1a21fa6ecf97617bdf717a3aca63f7d530443732febb4385dcbafca6ca33192b776ddbcb05f07e5f752ea2b6bf35aa3663c9ce64d9bdfcbc2cf3495600c8122bc627bb37af57efc4cf1e29c4f4e22dce2a61cf57edf50a40e2f518d61ee9902fcad3875f938a481a111de537859f2e66629a5e814e95ac555743dc538b257e3c610f8a0bbaf53fa6d78ef704565e21bb9fd76a7180bf96de7203d8d8222bf327164f38e851400cae92efbe3d7df780c64c36578495a7841548300e5227088d8ea2bd22c719c9a6ca0ea87a36db6aba615f112495a4e28e68ee19a949995ed0b434bdd6f940c710973152393529118724d3c4fba963cb7748d5fa62fc24e0047a4ed0e46edece9e385026f4217165d70925d4c907007ab8c7f377e8c5d4e255d0d31ef67f52e2498db911720c88442633660144dfe4330e21de62894807daf5	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 1400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d50200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00380038003800450042003600370045002d0041004500370045002d0034004200300034002d0041004400340042002d004500440042003400300032004400320035003700330030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d00430045000000030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e2000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 190000000100000010000000ce008bb016fe41819b69b3c5b4a3d3af1400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d50200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00380038003800450042003600370045002d0041004500370045002d0034004200300034002d0041004400340042002d004500440042003400300032004400320035003700330030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d00430045000000030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e040000000100000010000000060bca29818b1476b921b3fcc84b1a7b2000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 5c000000010000000400000000080000040000000100000010000000060bca29818b1476b921b3fcc84b1a7b0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00380038003800450042003600370045002d0041004500370045002d0034004200300034002d0041004400340042002d004500440042003400300032004400320035003700330030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000001400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d5190000000100000010000000ce008bb016fe41819b69b3c5b4a3d3af2000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C10BB76AD4EE815242406A1E3E1117FFEC743D4F	Fiddler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE	TrustCert.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\SystemCertificates\REQUEST	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 040000000100000010000000060bca29818b1476b921b3fcc84b1a7b1400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d5030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e190000000100000010000000ce008bb016fe41819b69b3c5b4a3d3af2000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae2000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	TrustCert.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00380038003800450042003600370045002d0041004500370045002d0034004200300034002d0041004400340042002d004500440042003400300032004400320035003700330030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000002000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 040000000100000010000000060bca29818b1476b921b3fcc84b1a7b0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae0b000000010000003800000044004f005f004e004f0054005f00540052005500530054005f0046006900640064006c006500720052006f006f0074002d004300450000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000020000007b00380038003800450042003600370045002d0041004500370045002d0034004200300034002d0041004400340042002d004500440042003400300032004400320035003700330030007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000001400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d52000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Fiddler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Fiddler.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\SystemCertificates\REQUEST	Fiddler.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\C034123C9B136D8B4A32B0C41138532F0748A6AE\Blob = 040000000100000010000000060bca29818b1476b921b3fcc84b1a7b0f000000010000002000000067312db3547f23d201d4ece7e2a4ade23b16fd7b44097f684ae2156a42bada7e1400000001000000140000000f1a7fe2196308828b7d844c3df17dc59f4a53d5190000000100000010000000ce008bb016fe41819b69b3c5b4a3d3af030000000100000014000000c034123c9b136d8b4a32b0c41138532f0748a6ae5c0000000100000004000000000800002000000001000000b6030000308203b23082029aa00302010202105648ecbaa712a5a048c96a9d5956c65f300d06092a864886f70d01010b05003067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f74301e170d3234313232393130303634325a170d3237303332393130303634325a3067312b3029060355040b0c224372656174656420627920687474703a2f2f7777772e666964646c6572322e636f6d31153013060355040a0c0c444f5f4e4f545f54525553543121301f06035504030c18444f5f4e4f545f54525553545f466964646c6572526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b602ead95e26a252b2a969bcabc261c409b5f7012817e1481fc88bbddd377c1e37fececfb1658dbff31c7aa18b26d86b7e552c31558a404bea60c4331e2486a390c18ec41c367522c1a413238984f17356bd897df0660d9ccecf9d95aff0c28fa83ee019c2dea038fedcb1b1f4cfe704ffc1ddbb1c987f18cc65c191093a3c8e8b2052b78c2a9060bbfe290d298b7ecc5ad38ce80f4b56ee5a5da4fd784e56d0b5e7bfb0ffe143b65313c060751b6905808e8c11a2aec33bcf7183ff4b784ddd0f1a6ce245bdfd86b047372a3d79ab1ba2fe07111072483fa6aa1151b2fa2af74f52496a354d126d4c9604ff408540c074bdb9ceeff08c8c7ff10f08cc2381810203010001a35a305830130603551d25040c300a06082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e041604140f1a7fe2196308828b7d844c3df17dc59f4a53d5300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101001f6d1f5ae81f454c745767e8601c75795321f574c29705dc9b5cf3c334ed067e14a8b6069b7636a1df63897924612c0fe8a5fb3346bbbea7d76414dba1d3e7f5d35fff024a7d43fc24bb18a3c06cac4f8383a5af19ab90d26a0188172e3453e6043c6f1a0ec54c77afc62f531ba71de5456431aca937a0f2592df91e59939eb4e71d88ba7a3d28b720cb77d3c4864cd65b3082c5ecababcd956464ee9d1c70bf19edf9533f90e2b669109df4c0b1cebd91ef39e2ba7c616852053eed6bb6064d26c738eccbc930f38b088ae5ea1509b1f0ad8fb3fb0a4439ad14686cec8385f326a7481202931c9b668f8c32af371d6304aa8c2cbf7d20c81323f42b25690865	Fiddler.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	FiddlerSetup.exe
3684	FiddlerSetup.exe
1088	msedge.exe
1088	msedge.exe
1656	msedge.exe
1656	msedge.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
6112	msedge.exe
6112	msedge.exe
3224	msedge.exe
3224	msedge.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe
1908	Fiddler.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4660	7zFM.exe
1908	Fiddler.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4660	7zFM.exe
Token: 35	4660	7zFM.exe
Token: SeSecurityPrivilege	4660	7zFM.exe
Token: SeSecurityPrivilege	4660	7zFM.exe
Token: SeSecurityPrivilege	4660	7zFM.exe
Token: SeDebugPrivilege	1908	Fiddler.exe
Token: SeDebugPrivilege	6080	FSE2.exe
Token: 33	4452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4452	AUDIODG.EXE
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe
Token: SeCreatePagefilePrivilege	6024	chrome.exe
Token: SeShutdownPrivilege	6024	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4660	7zFM.exe
4660	7zFM.exe
4660	7zFM.exe
4660	7zFM.exe
4660	7zFM.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
1908	Fiddler.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
3224	msedge.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe
6024	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 3684	2460	FiddlerSetup.5.0.20245.10105-latest.exe	98
PID 2460 wrote to memory of 3684	2460	FiddlerSetup.5.0.20245.10105-latest.exe	98
PID 2460 wrote to memory of 3684	2460	FiddlerSetup.5.0.20245.10105-latest.exe	98
PID 3684 wrote to memory of 2576	3684	FiddlerSetup.exe	103
PID 3684 wrote to memory of 2576	3684	FiddlerSetup.exe	103
PID 3684 wrote to memory of 2576	3684	FiddlerSetup.exe	103
PID 3684 wrote to memory of 2516	3684	FiddlerSetup.exe	105
PID 3684 wrote to memory of 2516	3684	FiddlerSetup.exe	105
PID 3684 wrote to memory of 2516	3684	FiddlerSetup.exe	105
PID 3684 wrote to memory of 100	3684	FiddlerSetup.exe	107
PID 3684 wrote to memory of 100	3684	FiddlerSetup.exe	107
PID 3684 wrote to memory of 1436	3684	FiddlerSetup.exe	109
PID 3684 wrote to memory of 1436	3684	FiddlerSetup.exe	109
PID 3684 wrote to memory of 2756	3684	FiddlerSetup.exe	111
PID 3684 wrote to memory of 2756	3684	FiddlerSetup.exe	111
PID 3684 wrote to memory of 2756	3684	FiddlerSetup.exe	111
PID 3684 wrote to memory of 1656	3684	FiddlerSetup.exe	114
PID 3684 wrote to memory of 1656	3684	FiddlerSetup.exe	114
PID 1656 wrote to memory of 3520	1656	msedge.exe	115
PID 1656 wrote to memory of 3520	1656	msedge.exe	115
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 3964	1656	msedge.exe	119
PID 1656 wrote to memory of 1088	1656	msedge.exe	120
PID 1656 wrote to memory of 1088	1656	msedge.exe	120
PID 1656 wrote to memory of 3252	1656	msedge.exe	121
PID 1656 wrote to memory of 3252	1656	msedge.exe	121

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fiddler Triage shit.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4660

C:\Users\Admin\Desktop\FiddlerSetup.5.0.20245.10105-latest.exe
"C:\Users\Admin\Desktop\FiddlerSetup.5.0.20245.10105-latest.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\nsj29C.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj29C.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2576
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
    3⤵
    PID:100
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 1f8 -Pipe 280 -Comment "NGen Worker Process"
      4⤵
      PID:8
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 270 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5100
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2c4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:3132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2c8 -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2bc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5216
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2d8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:5784
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2fc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2d4 -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 310 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5676
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 330 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5616
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 308 -Pipe 2f8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
    3⤵
    PID:1436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:5968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 288 -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:3668
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2e0 -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2d0 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:6116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:4940
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 2dc -Pipe 2fc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5392
- - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
    "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff6e0846f8,0x7fff6e084708,0x7fff6e084718
      4⤵
      PID:3520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
      4⤵
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
      4⤵
      PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:3436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:1368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,2841664155305879645,8725042539202141027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:1992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://api.getfiddler.com/r/?Win8EL
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff6e0846f8,0x7fff6e084708,0x7fff6e084718
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:5560
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:5876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14461223948946105374,12705905567282050350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:4412
- C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5916
- C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\FSE2.exe
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\FSE2.exe" "C:\Users\Admin\Documents\Fiddler2\Scripts\CustomRules.js"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6080
- C:\Users\Admin\AppData\Local\Programs\Fiddler\TrustCert.exe
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\TrustCert.exe" -noprompt -path="C:\Users\Admin\Documents\Fiddler2\FiddlerRoot.cer"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:1464

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\fid.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1112

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4552

C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe
"C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:1192

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1272

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_RElease-x64.zip\README.txt
1⤵
PID:4208

C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1184
  2⤵
  - Program crash
  PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1440 -ip 1440
1⤵
PID:4920

C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 1316
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5128 -ip 5128
1⤵
PID:60

C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1404
  2⤵
  - Program crash
  PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5368 -ip 5368
1⤵
PID:676

C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Desktop\RElease-x64\Release\Bootstrapp.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 1368
  2⤵
  - Program crash
  PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3344 -ip 3344
1⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff75fecc40,0x7fff75fecc4c,0x7fff75fecc58
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1748,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4988,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4244,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4532,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:2
  2⤵
  PID:5260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5488,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4968,i,17358607125151176162,906912817436196292,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2068

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:6072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x500
1⤵
PID:1116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\USERS\ADMIN\APPDATA\LOCAL\PROGRAMS\FIDDLER\PLUGINS\NETWORKCONNECTIONS\TELERIK.NETWORKCONNECTIONS.WINDOWS.DLL

Filesize
33KB

MD5
5889357424d717c8629c8bfabcd0be50

SHA1
87e7047a40e24bd5ac23f89e072ee39a14a53023

SHA256
3564b25b24569b8d8a0128f2f4bddec89c0b8986da7542d9c64aac730360a600

SHA512
1af458742cefd4730d64b19ecc05460354f0e47a79cdcd7794877aa0f6c56cfb92f37a0daf66fedaec2a579eb0187d774b7d5ba1fff65d6ab1504df4c3668fad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\3ebe3fed-17b5-4e0b-8471-1c1a824ee227.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\579fa8af-67c9-46f3-a862-3e8a2cc1a415.tmp

Filesize
9KB

MD5
70ab0e8a0d0bcb18b4f58e4713ee309b

SHA1
4848a781f62d3141e8d57eeb6e8fc936d4f10436

SHA256
1d4c9a1ae8b7f8b8b7d9e39ab1f227eb77eaaea0b3a2a167fe1275c4c93c627d

SHA512
75b9a24bd24954076578e98a75ad9a36ef02e11ce963f15c8ce5cafb7d962dd88d4eb2f3f81474d5dbb0ea531d6577190826d9c348363c8495294ab8285da202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
90785030a502b2d1df1b8fe82ba52003

SHA1
dc9bf17ca6298878cf85c3371f25f82305c60a09

SHA256
d71cbd4dece53c10cc24e23ccb22c97f87ce1b69f8da05ed5a03d466be28913f

SHA512
3a917a89872331ac73411db9441304f4a7b584402da9e61ca7711c4bc9028fd27679fc63e61a3707ed6c1a2f22559083b33f6fd0ecdf5c2718cda44abecd2a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
9850d3970a94a29ad7a358510c59aa6d

SHA1
ac92fae413b48ee696b6a432ea7d1e0517371d93

SHA256
4f033939cf1aa0f91bbd24377fffe0451b73e00f2ef754306efbdadb549fa002

SHA512
2f7260da9dc81e0a5e54ef6366a54820b614ad5bfbd872ee0917bd0db43305c23e99fb87923eae3bf39fa71c6d5418bc11cb42645683588e1a69e57e08b55120

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
4dd8867f496eadf29e47ddfb1179e80b

SHA1
2f1547e5721690ea565596ec0c4d47f8f1bfcf17

SHA256
2c5f703b8ccdf4b8c0a15c103cf07555dfdc3be5f869a2134db7761583011b61

SHA512
ffcf6a453e85f34ac013386b7251b59af1832a37912dfa8731a1ea7df736df7bdfad5940fe99414b898e6820d90a27c0234d866be43db3e0c966a67b51750f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ed11a57856abe978e4a7b1f795d03fb3

SHA1
3dea4c0b05b78cd35142585c77e6c61f84896f17

SHA256
c3c171c65f8d601dc1cf3c4cdf6e30464bf9e54bb8db5f48178f0f9941988b2d

SHA512
e763c0138ae5553c27a9e68b6f404144fffbf711049a4361ab29633d55352be48b315006a4f4a6a9feeed3700e26e624f0ffcfc604f35c8aeb94fe6c09fe9afc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
32da73f426d69dafc94f90b99b8fbe4a

SHA1
ffd01738d1e5a584068e62df347eec3741cbfd1a

SHA256
39b8762a2f3798d4c431e37ee09ab4bda5e6ebe3fd6ba5e57ae1c3b33a42c21d

SHA512
ccea2d7671943f109ddb636faebc2a4ee8b5bfd2253ede5521672ee8f581b2ce4988d2ca69d05c4286eac9352ec55d58a54fb63fead54e8b2097c2e0cac106bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d507950b5e9b760f91e3fc948fb2ea6d

SHA1
04e308fa2249a45ecc6e58ef17e8dd44223254a8

SHA256
bd37c63190a788dc7db81e13680efc3513d1b579a0a4db9bfebfc2d118d0107f

SHA512
c3fef1beb8cca918d6c83a755818bbbb7b3b6fa0d1986e030b928416803f638c49cc78881acafa3a17ab11571a9e095a821caf5c2a17533bc5b34d5412dfffcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ff979c1638d39fb31163923beabb9ccd

SHA1
0f7b90efed5ec4a86d9ea49f1beca0ea4ca21c3d

SHA256
5de7e4aecb29aa3abb71a4b1f3e19f8815deb2538532ae14b1377cafdff369f2

SHA512
2a0f9774b382faf2fb2f41b13f137296c0463b12525df4cf2bdc47b6e5329610d0673691428ab9acc049f090d82245de90e1ad03d51dca84f6449895cabd6ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
26d9f976f5260024904cd3f5fce6a229

SHA1
57cc8c51149380bdd82119d2799564cc362bd06c

SHA256
68587d28d375673537c0836aa84fdb0196801b8fdcf05e396a41eb2a1344824f

SHA512
bbb060bcd597a990aa286bd76df25a15400728ff3f68d74958127b33006472d054229aadaab0209b0834f983315c35ed8e99d27f47e5437b3087be8cd5322088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
864db8add049dd4379425d0c81c5bdca

SHA1
7ba418c48f4abefee20776a5d1ea01c523058c89

SHA256
35bb6539d8274e0bbca2e2b75ef8d93882957a9b1b3cd872cc2cab73a8573112

SHA512
4dca5b445830ec7d096c6f8bf9b876ac6f826d6981e9a7ef1194ba8a8123f666d564e30d3f95b113f7e16917bb9a1d29a0630cea72de5e5bbd32848e5ce54168

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7e6065924e22edc78cae6413343fde5f

SHA1
232b79c406ea76ce6687e476766f3f89c52c655e

SHA256
dd946bb052d73368d1a4f4f18d2ac055a8a0654b8cd10f88e4694054714dda26

SHA512
2cd1638f2ec42658be284bd2cb28b9edc36ba5c41192fcafe524a8aaadcfa5e6ac059903413387198a49a680dd5f8c796a08954d2fc53393a4cc700d61ab6048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
499660be5fcdb933a95e37ff193468b4

SHA1
ad0ae6ee319f35260f797bdb9d454a1ed6283194

SHA256
d55a61be0319cc283c5be8bfbae88c7a1ca7553a5b22fb3c512bd155e2325705

SHA512
575092cc2e6907ff77b808fc4432de460a65aba98c4cc2b5ec08b7f7b2fadce65570a19d6fcc51e2f0580c6d6a8ff5ac42d87174c3a474ed8e1c617edb1bb8a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c54c668443a01c2656103d1bb2a68e1d

SHA1
9c26a056712d6026c7adfa73a7301787942ef01a

SHA256
dc10da5c44b528ca37f277602b98ac682a9613555f6c1df2a15b1d1f4daac691

SHA512
7d29ff9e67b701e63be688f68e466617bc2905631384458cedad7550acdd8e6b1feb5f74c7ac5db0e237f15cb509593deef683439376a891d6847d1d7963d19f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f0b21d329bfa8094403639449b45428

SHA1
0053055fa8dd1b301e2dd793a792e4bc2d1b8e95

SHA256
33aff1a763557132cc3b232a227f4ef72fe77adedaab84ecf94cf7c0b6e9080e

SHA512
1b4dc6a8ffd6142f46c403a89a8e4a6332e90382088d5672da9c561a6b629281c113c73c30cc30200a3e33df4f658575add1f44b06d9f76d2545227ca47741da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cd8d85da59433bd1ef0ae77c036819bd

SHA1
5d195766088798db505d6c164e5e2e6f087bba23

SHA256
ee735da2de46ac0672629ea725e6a9592e4efcf962a00013d6b2636efb72669b

SHA512
022513a38666540fafed0a3c588fdfca64379688aec9d6487be78abd75cf1c7a28cc303a4ce6754aedc9ad5db3126ea4f17ac0d800ef3a2242b948cad2a5fb93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e3e744276b590f160e3f8eee758a90d

SHA1
490f5163693dd96a71c009fc7803d313af6244c0

SHA256
1512520619fa841f7dd146d18cfec9b0c3a73a3d0fef60742e002b9fdf902554

SHA512
7654637b04c5fa440267d7ffd5d7230ebfff05ecbb4400f726c8f87f96ce0f6ed15903bcbb4f595ab094c0274a7c85a057e5dc76d26858b85e54491dbaa37b3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6119b7be26c901989dc4f759064135c8

SHA1
206bc490cba509da1612f6ea9eef13d783c1c51d

SHA256
850ddc268f6203112a58f7459750bf51af5c1dca1e65df777e2945358d0e8e79

SHA512
8ac9a312cccf83bcf2674a7a48482211e8a41848e4305b68c48100b38cd6ad85351c0907eff303b7e88600be3a68d4f53bdaa75a66603ac2e3a0ad6d4f4328cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70d2499a0a2da38e251f826d2f5296a3

SHA1
247fb567bfa3347e81e66c62c8c996d4c423dcb5

SHA256
03d6f01f95e66761e623e0593c6dfd3fda8114cb4e9f25b8d9e08c0dcb80c630

SHA512
1c530423f7aa04e58359a1b06ba55906292dc4cd2b49725f0f6ea2eb7f2281c1bd4cbd74fc5b434044467c39398c15ff24b8fd83880a42386fa7d2d1be66e314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9a833393c9ddcf2f6e1ea9915c9b2268

SHA1
5d506f75a63a1fd639a3adc41c9b37a5a8bee222

SHA256
40419ab3fad85f96e396f97c535b871c855fbda281cb3748fbb61b7228a8ad0c

SHA512
4a177712e76c826e7295994913f29da9b790a0937ddd7084fd166c022d858e8206eed95f6f7da053496123e81c73abfa9f534831f5278e906d28d0def2ba973e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5c8e14005ca6ed105494402142bff8b

SHA1
3f2d536c522f23eaf4ec2f73ab4300e87900492d

SHA256
a689caeb5639d415e421e104cb6b2ecb36666dfb302d662dbfe338781f357af3

SHA512
bcb96debba2242f45d065d2a44758ea20d2760d1c3ed227c889916f5be921506a201e5b78057239f370053ac23fc970e2969ca0174faa5bb2f09c53be303cba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
98e6d5b52743ff855974fed5721b8685

SHA1
5a82b4b24be3ac3bbe25e82744ef0c7e504bd21d

SHA256
470c9701caefe53660fd79f1349f358d053dcc464ef66aeb7f79ff11188d8672

SHA512
7bdc64faf025e010d5bd3db6d7a53a6ea682018a1c222756d04ba7f2bcaba50b118bb2c506449f8cacfefab74d31710f041e017ec0bfe91ca36d318ec24f54a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
798995bc2057a85f48250f191691cd20

SHA1
c2aff55f835322487c8d8e3cffd15d18fc419c50

SHA256
87fda68243a183419f165f47bc738f95fe25be7c7b8188bbec8cdf009251bb71

SHA512
2ca773a02d7e2ef827b8d220929650b1db60c53fff52a77ca26269e128dfbdcb18bd8bc4e09197b65887db2ecf5feaf37c7b8a6c8d66a8ef8a81894eb97c06dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
0210d8393002ed3167d557bb026289d5

SHA1
c94b3bdaf2b8482f19c74a5d80b322a01afc8cbd

SHA256
db2b0405b41a72d770ac6ee6840d41c1002b6fc42e663ac1ba05c8d517984805

SHA512
deefdb8085b073805f45401283fd525aac80bc8abd4866fbecc3fb93dca7e1d961d0d2499a565819ebf190bbe92d3247cbbdbb6d1b5726563e2bf7afba254e1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
f3333143d2f9d8e8d2fb80005527421f

SHA1
2461c7dcbe28f5fbd3eb20f7fb08fb768bd04135

SHA256
2dd550ebf923c8257de3ceeabe7393bebe6a2924e8031edf1733af7c5e5d9bf7

SHA512
9eb3869aacbc00bf0c6235caffeb5a68fd76b8bfb911ba29c6a8174c995f1c3b859d3770620909ea1c401225f0a5d16d40139d3b11907574f3f5afd58379cca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
9f1c1e9c757ec7018b9171dac99b9bc7

SHA1
32dd732101f90636484986da70cfa074e704f84f

SHA256
81c7cab1475271db8042c665992bc22cf76306a3074bed9607b82fd0af3e5506

SHA512
0c88015a16310acf5e4020242b9ccf2277b981578b6b16921ece3d2bdae2a1cf655855162a9fed418baf5581591157cf8564dbced15b6a4a80091912e43338fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3b416dff51ae4c43d04dfe53a1cfb93

SHA1
ca5c9dac3fe3c94ebaea963626bf0682c074f8c1

SHA256
dfc8600408427b9d6c23235af513905c9154530670ce75ded3cde42bc7df9993

SHA512
cd7432270e7e154cf4297139bb40af4239dcba456aaf8b1c8ca8ce8b9228dc7f3f2f9833aa54e583af7f98c2349ad1e6c8bfb71cbe0be4fc3b11c11e6825d02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
637bb1a02e76d05efb9a2015b602e35c

SHA1
219bc46b8532e8cb57e687c8dca32c6987da37d0

SHA256
cbce373432fa17352ffc8ef27ff241f3b1e606c7e0b03b235a3b3c779c35dc35

SHA512
beddc55a4d300a2de7f26925d8744a9d8a7e35ac6939154618f02a8f8a0a105089f2154f0c822938b19c4bccbae188ad42d774e24a1ce0298156c6a8ab26b7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
f188af13abaf3e8e6e36042991c093ea

SHA1
90744ffab53f1d968b5febfb9524dd4c04e054df

SHA256
d9043cc24613da9102fda016f06e3fb3af8eb39bb0f1a411d26a6661df3f5866

SHA512
025b8b35ac3213089bc9b25d74656d11e00dd6fb578eb2989913c8bad4de5a5d1ca5204ca55bc3e7f3a38f2c39cc7eb52fedadd10a79ad59b1a6c0230f86251c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
c353dc14cf8c399be69b0c1d6bdde754

SHA1
5e49924cbc477c110b7c5f48abfca62601548ace

SHA256
84a30a92d8c21af2d5eeacbc4cead2fc2218be046c99a040530a1c8986425e19

SHA512
2dd85be3146a75a9bae5ebf6ee55321db100ee7d9ec9a5933676cc18350a986e42f4da79c38dad4c5b620b48ea6b0da54e0508a2cbceca1aca9b0bdcb603778f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
386300d0e463fbbad72350af7ea6f813

SHA1
6864f59b889280a33b7a6f838cde2d1cb0a957b7

SHA256
ccfa155d78877de688232f1b86350d17e86e586108bf362c2963f4f52155eab3

SHA512
5f444f071cde729d528ab545b7a5110cad87326d598b72c5603b50345ca7e6cbf1f6b50d9f13b535c021b03492653e7c8c8a12e3f5cace390df89be67abce03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b38741796d4c257a6f006278e600bf70

SHA1
c661c2900f7ac26656ada6aa53e8cbc5400611d0

SHA256
31928f5b280a8ab55f944940bc07c0c70effe08513d57c5ecc71300e8065fa22

SHA512
6a9596bf07bc216e7683930a6c90938284a8f2d93ed28276058e32009db5dae2a4a12e659f0602f85f4ecfbd9d69eabb9e93df394b94ffcabba231d51bbb4c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d16f983522efa3a1a0692682b820787

SHA1
80a9f38638cb78edc8f2a3b6b1950ae83e49f568

SHA256
47c6d0f7bb9b84e46c252985ad31a60f2580d0f9139561a5a0f7a318fb64f706

SHA512
1de636e3efe67384a6f05fa2a9fd9255b5991a391123bf1904c43a322826c7e09ad729dd32a903c893230b01dc8d314743826b774450c3a1fc6dcd65ac245c15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1bc7cc16e60c9ae4da212b72925c1059

SHA1
49630960fa62af0b766bb2e1ef3ca45fda1530a7

SHA256
fd5ba110e42a0603b2d5598241aaac7ee32340ba936496863b3568f125b3ffad

SHA512
e7a21ebdce48646e9031d09afe3a661deec00abaa83e5d9b87c9e922de8420f43d0e78c4e47c7c64200d9703979998ac881fa6bc808c16d590e56de9547bb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93ff53c0fff9d7aa7034d75307b4fbaa

SHA1
b2614b1c07d6225c142df1d16a0d01f33ab377d4

SHA256
b9c0deb4e7cecf228606a4e3c6840e9d4ef37742b99ed531e9cf94b58af4fd74

SHA512
bf14c031dc8cb581ae108bd0841789d3be5f2ae17043b92e764cf5086f803935057008ae598a97e5b82073d815da4150f61f84bf903f52a082cc5ab0a02a170e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
187ac782b8141ad52b17672399521086

SHA1
ced7ed768c0b601cd012787f658ce59ad5be173a

SHA256
0c37ca980342b3899717e77521de0c004b14e6f1faa5ea1b6e130a39cd529a6e

SHA512
a32c9dbf4c3133277a36cd304d20bd1ca6409c6b23c02876f1c6fe69d65986276a84b9caa79edb461c3ceea92ffa2fbd205f09416944995794b867b274eff4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a9cef872c9180894ca5c28db2022727e

SHA1
7dd1e4988e7074d882fa4a6df1d7b61bc7953082

SHA256
f6936cc100909d7f3a2570a7ada66092d3eeb1ab4d090919001ca7ffec3e7218

SHA512
a4265cb3cced848da83c00e3e32399b743b3e23bf557c74bd170abfa3b8d2396a14936000182f7f82f74b8e4ed32fd586b91929533ee3b55a2c95f2bb37b09c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
120b4252ab4d9d6354c4846a57e18424

SHA1
8eaca2a9a4402f44fee154ea743622f67b1fec2a

SHA256
e2b44dbe732e44f833d1faca96e1cdb5064e255885b037027bc630358d42db64

SHA512
01cb822d11f6297c6483a0ff30c661bc2763f7237afacdf7bee21c40763fc35908211d41699d0559b1e1e85c44d4bd9859350bf47afb2717e795ac2cbda81742

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
81564947d42846910eec2d08310e0d25

SHA1
b7a167dcd3afb29c8a0e18c943d634e3fc58a44c

SHA256
543f16b73f7d40177585332f433ce76dddc1526e12bcd62cb73edd11eb002341

SHA512
8f06409517697b022787bc9e2ed7e73100018422177aa3f63ecb406c3bdb6b021624f909a16fca0430002bfa7d35a461b38750c79c0273a154f63316b4e13037

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
87bc17f56e744e74408e6ae8bb28b724

SHA1
3aa572388083ff00a95405d34d1189c99c7ff5be

SHA256
ffb24fc36ade87988f9908e848d0333ce7ffb2b4e4d0ffb43f6556246069d057

SHA512
cbeee155c97b87a22b92b808f86fee25c18db51ab43a36b657d532d2d47d3a7db2f4507a699b72af904bf6d5ed851d1ae1fcfb4833a57096e6c7787211c0f35d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\Standard.dll

Filesize
246KB

MD5
2f2dcf9a8bea903a95abb95808066201

SHA1
98b473a015e874638d35731710b5790fe8ec9df9

SHA256
e7f653b706f4d083d089670b8862b579f888450d3184085bc970daa3ff040012

SHA512
228f56acea5ac941dcb192775f8e8e8230c0b0e24487f135bfb5025b1a1bf64ee8cc733c44f5dcdc8eb2f63a9040e9a8ec251ec3e105f81e3007d31a15608344

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Inspectors\SyntaxView.dll

Filesize
68KB

MD5
49c71e4f9141cc77798718e41ec8a0d3

SHA1
84bf7e9f3a462dbbe7ee3e627a83422cf0df4d08

SHA256
9c5178b2aab92a79be9e4b31e2214d6650961b53bbdc48d952d20725e473b2fe

SHA512
ed7d35e6929670cd181a398b4c09fdf444b7eacff147a9be3bc783944e65541ebf883629fc23d6c6b642eb6719e8e9fa8a4d1c4c9ef65ba78d1ea5539f9f4843

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Addon.dll

Filesize
47KB

MD5
465761effbd26e70fb83595cb5f8a20a

SHA1
9b98750ebbc7ce144a2f8150f3b1d8201a53a2af

SHA256
38a7fa0c13d5700eec8178db2116a51c7e23d97871dbd159fb16104f91c0bfee

SHA512
063c93d8cfc0dd17d56abccb25c00c430066a117e993205ceb0161260214a104627672eaac0ea2ec6c8be488cd2056b92cf002c94c873efcf464efe35efbda7c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Connection.dll

Filesize
1.8MB

MD5
19d00193a0df0b4d0734d209989f594c

SHA1
1adaabf30ef7350df16b7fed023bd980809f4086

SHA256
7a041deb6934864bc3c057d1440f00e2e56104018069e57201f0fc877ef78713

SHA512
6402fa43a1b0e5a96f3270751f18be7b22774fa59a1a6737a0c1549642ef4f148765eaf30776c46f371d5dff69a164454b908ad00fc371d8bdeeddc52f7c9789

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Protocol.dll

Filesize
23KB

MD5
d045d2bebb047748dcc73d2bb50ab6d1

SHA1
1a793331a1724a82d25a989006530461b2311955

SHA256
cbcbffd8cd89ddcf1e4d6a4ab6f0d3c14112cac8e03e3f8f2236bab96977ebe2

SHA512
1359f51a80204d0a8c100dc24dcf473f494f871ff430599779c20a9f747428074387dd607a3c594993179e2b46269fb97409a486f02e5f3ae9f6a36c1354df01

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\FiddlerOrchestra.Utilities.dll

Filesize
18KB

MD5
0bd9f14a40e05bdac2c6e79ae92f3081

SHA1
049c44cefb7789d93796f6ed3415476f4c3be6b9

SHA256
da9ba58734468c70efd57a7da7cf6d9f5405bc563eb2136b7a6e7b1b07fe6f3e

SHA512
d759dd46e2d47a1a18a04c8f44f91390ffd917ff76ec1d4898dec93512ef7b6f33b045f22835e8225f4f679c09210df3fca6649143fd507edf7cc3002b40be4e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Scripts\RulesTab2.dll

Filesize
34KB

MD5
042541ff2925d654930906b654b724aa

SHA1
ece609e7b1871530473cedb77c375535ab15044a

SHA256
dac4bf7e1eb765e462a43e6567602d35f512118bab9f75a0a4da972966972941

SHA512
25879cc5ee5bfdb43ef044d449d6f636a0d330480750dd4e4b9243fb702ea978d667e7c64f5080ce95e540411bbdae34f29ae6533be81002dea7dd9cc6c9a965

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
b1827fca38a5d49fb706a4a7eee4a778

SHA1
95e342f3b6ee3ebc34f98bbb14ca042bca3d779f

SHA256
77523d1504ab2c0a4cde6fcc2c8223ca1172841e2fd9d59d18e5fc132e808ae2

SHA512
41be41372fe3c12dd97f504ebabb70ce899473c0c502ff7bfeaddc748b223c4a78625b6481dbab9cb54c10615e62b8b2dbe9a9c08eb2f69c54ebf5933efbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Progress_Software_Corpora\Fiddler.exe_Url_gn2suaigfhhkewccgutguryxxqm34vvg\5.0.20245.10105\user.config

Filesize
966B

MD5
6d16e3766c07bde9cb1792b9c9a045c0

SHA1
9dca76e089b6a7e5b7e606e067a828ef06258023

SHA256
cbb49fa4f9099f750dd9aaba55aa9bd36346490516a71d1d10efb2f51df26b07

SHA512
80602dc5b0c48daa6e89f23d21e09c337db95d454a519f37f88a7cb299a6bdd79b0be74a1331c0d0b40aa9435f216b2112da950087d532451f745f471af2bb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpF88A.tmp

Filesize
2KB

MD5
0f44cea5718cdfb75bd0d0b4c9972afa

SHA1
97d818f2c31ed3f32fc542cf24658fa71305525d

SHA256
ce61caee2f4e431ee3bd5ea7ed775e23f8b0ec13acf4daf53fdbd700fc9fb401

SHA512
98ab11da92a6ea41f471162962e19d5b12982714c538b2cf4492ffd4921fa3fc02e59981fac0ecbe3d90b28eae940959bddafcace1f8d7a5927c9aa14ac4afae

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf11A1.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj29C.tmp\FiddlerSetup.exe

Filesize
4.4MB

MD5
c2a0eb6f104eacec3f39581451ee208f

SHA1
9ae7d02aeb640fbd090dfc01885b98dd5dd0b6cc

SHA256
1f926cc353301e547e76c6d2eff23fcbe85495ba0292174cc6344fac26457af8

SHA512
8b062e4f0af1dce3a12b5776646fe8c235f30de6772f579da1a6ab2bb559ed69b3bd32af95eee248c48008ddcbd40a7e49eae722a44bc9b49dd13fe38113a3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6024_2078801024\431c0e9b-468a-4756-861d-a5e20161570c.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir6024_2078801024\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2878641211-696417878-3864914810-1000\11a9b9619830c47f1babda9a76239fd8_4fc725d8-4f7d-4884-b878-08bb0ce6c800

Filesize
2KB

MD5
bb82802e8ce54fdadc6a46cd485778f2

SHA1
078bc4c3d74dddfaf3345813045ef07c7defc123

SHA256
efb57bd5aeb020bd36d81656b03e44371c4e9b5d44657e48959509b756f2b0a3

SHA512
7e12fa694ed954f6c7c46e92dcbf973e8018c503fc411bb6de16755f6c1aab8e4859a653da235b5272281f9c725efaac6de97e599bb77fe6356956dd32e3390c

Download Submit
C:\Users\Admin\Desktop\FiddlerSetup.5.0.20245.10105-latest.exe

Filesize
4.4MB

MD5
c1980b018489df28be8809eb32519001

SHA1
e860439703d7b6665af4507b20bbef2bbb7b73f4

SHA256
588024037b1e5929b1f2a741fff52a207bcab17f0650ec7cb0cd3cb78051998d

SHA512
f70d419e869e56700a9e23350a9779f5dd56bb78adb9a1b0d5039287a24f20004db20f842294d234d4717feaa3184a5e6d90f0ee3666208bad2ea518d37b0a35

Download Submit
C:\Users\Admin\Documents\Fiddler2\Scripts\CustomRules.js

Filesize
22KB

MD5
cb7bf8b2d0e15c0ecc290a242b9f743a

SHA1
f1215262c0729dc6700fd5158ef6e437e64a4821

SHA256
69cc5397e0fa9f99a0d21476da21147631a213f9f15652f8f182f34025abb500

SHA512
49202347079e366477ba67372b086f5064b108c0c40aa52dfd833dee821b87cc37d9929d5da4fefdd62a824ebf34c161107f08ea7b33d866d21c266ce99972fe

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe

Filesize
160KB

MD5
cc709e3e9e13b9ce4db0f56c85e0ac89

SHA1
061131c1a6ece34afbec4945f50c054d9d5ee95a

SHA256
010e768a05ce3fcc09814918e1a5099f644fc562fe3c87f069114fa8a54e1e26

SHA512
0a59caf920753cc09543d3b097571cbb5faefa3c6b5c6085dcf61ef44b182a195776a349aee39714555090fb84b33b5a407e9880b5da62a59f2dc70ba3b056ab

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll

Filesize
16.2MB

MD5
b5840712456c7cb4de53695522e2a41c

SHA1
c8fa753ff825f929d5e78d6f6059fc6806951a69

SHA256
3cd39a70525ab32c60ed04b3791d692106afc322f399561cc7bc5b5a8e8d2a64

SHA512
02220870c1c06a15352f7cc75deea2645a58d93ec40f3a465cc0373d9aa98746f8739eb9120ddf8b5a3acafc6db617d3c77c7825eb7a11abab81e1fa466dcd1e

Download Submit
C:\Windows\assembly\temp\7WAJY5W6YY\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
C:\Windows\assembly\temp\812ZVS5E4R\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
15d9528aaa8f3ef914a4ae5662f138eb

SHA1
944e083df6082e372e81a5dfa7979f4d5e519ed3

SHA256
5bcc2ba91c42bb47333af2d30a23d9009475e8710e06f82492e377aa6fe29d4e

SHA512
fc22d60f9dc0feadae1a6ee296129abab2d6dd963df35416d6b9d36d00d22f4b2e7dfc2f111cec5d28c8625fec75b68f68ed4ab3fffb86a1c94b8f322a65049c

Download Submit
C:\Windows\assembly\temp\LM48JGQ557\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
memory/1464-820-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1908-625-0x0000025972BB0000-0x0000025972BBE000-memory.dmp

Filesize
56KB

Download
memory/1908-616-0x0000025973890000-0x0000025973A6A000-memory.dmp

Filesize
1.9MB

Download
memory/1908-621-0x0000025972B70000-0x0000025972B78000-memory.dmp

Filesize
32KB

Download
memory/1908-623-0x0000025972BA0000-0x0000025972BAC000-memory.dmp

Filesize
48KB

Download
memory/1908-619-0x0000025972B60000-0x0000025972B6A000-memory.dmp

Filesize
40KB

Download
memory/1908-624-0x0000025972BE0000-0x0000025972C06000-memory.dmp

Filesize
152KB

Download
memory/1908-626-0x0000025974020000-0x00000259745C4000-memory.dmp

Filesize
5.6MB

Download
memory/1908-627-0x0000025972BC0000-0x0000025972BC8000-memory.dmp

Filesize
32KB

Download
memory/1908-610-0x0000025973660000-0x00000259736A2000-memory.dmp

Filesize
264KB

Download
memory/1908-617-0x0000025972B80000-0x0000025972B9A000-memory.dmp

Filesize
104KB

Download
memory/1908-606-0x00000259546D0000-0x0000025954A54000-memory.dmp

Filesize
3.5MB

Download
memory/1908-614-0x0000025972AB0000-0x0000025972AC0000-memory.dmp

Filesize
64KB

Download
memory/1908-767-0x0000025974080000-0x0000025974150000-memory.dmp

Filesize
832KB

Download
memory/1908-608-0x0000025972A80000-0x0000025972A8C000-memory.dmp

Filesize
48KB

Download
memory/1908-769-0x0000025970710000-0x000002597074C000-memory.dmp

Filesize
240KB

Download
memory/1908-612-0x0000025973610000-0x0000025973622000-memory.dmp

Filesize
72KB

Download
memory/1908-770-0x0000025974370000-0x0000025974498000-memory.dmp

Filesize
1.2MB

Download
memory/1908-768-0x00000259706D0000-0x0000025970704000-memory.dmp

Filesize
208KB

Download
memory/1964-272-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/2756-117-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2996-230-0x000001FA5CEF0000-0x000001FA5CF02000-memory.dmp

Filesize
72KB

Download
memory/2996-216-0x000001FA5CBB0000-0x000001FA5CBEA000-memory.dmp

Filesize
232KB

Download
memory/2996-114-0x000001FA5C760000-0x000001FA5CAE4000-memory.dmp

Filesize
3.5MB

Download
memory/2996-116-0x000001FA5C590000-0x000001FA5C64A000-memory.dmp

Filesize
744KB

Download
memory/2996-118-0x000001FA5D020000-0x000001FA5D548000-memory.dmp

Filesize
5.2MB

Download
memory/2996-120-0x000001FA5C4D0000-0x000001FA5C54A000-memory.dmp

Filesize
488KB

Download
memory/2996-125-0x000001FA5CAF0000-0x000001FA5CBA2000-memory.dmp

Filesize
712KB

Download
memory/2996-127-0x000001FA44340000-0x000001FA4434C000-memory.dmp

Filesize
48KB

Download
memory/2996-129-0x000001FA5C6A0000-0x000001FA5C6F0000-memory.dmp

Filesize
320KB

Download
memory/2996-131-0x000001FA44380000-0x000001FA443A2000-memory.dmp

Filesize
136KB

Download
memory/2996-132-0x000001FA5CC70000-0x000001FA5CD22000-memory.dmp

Filesize
712KB

Download
memory/2996-215-0x000001FA5C550000-0x000001FA5C572000-memory.dmp

Filesize
136KB

Download
memory/2996-130-0x000001FA5CD40000-0x000001FA5CEC6000-memory.dmp

Filesize
1.5MB

Download
memory/2996-123-0x000001FA5C650000-0x000001FA5C69A000-memory.dmp

Filesize
296KB

Download
memory/2996-122-0x000001FA44330000-0x000001FA4433C000-memory.dmp

Filesize
48KB

Download
memory/2996-217-0x000001FA5C6F0000-0x000001FA5C70C000-memory.dmp

Filesize
112KB

Download
memory/2996-218-0x000001FA5DA20000-0x000001FA5DEEC000-memory.dmp

Filesize
4.8MB

Download
memory/2996-219-0x000001FA5C710000-0x000001FA5C722000-memory.dmp

Filesize
72KB

Download
memory/2996-220-0x000001FA5C730000-0x000001FA5C750000-memory.dmp

Filesize
128KB

Download
memory/2996-221-0x000001FA5CC30000-0x000001FA5CC62000-memory.dmp

Filesize
200KB

Download
memory/2996-224-0x000001FA5CBF0000-0x000001FA5CC0E000-memory.dmp

Filesize
120KB

Download
memory/2996-225-0x000001FA5CC10000-0x000001FA5CC2A000-memory.dmp

Filesize
104KB

Download
memory/2996-226-0x000001FA5D680000-0x000001FA5D7A2000-memory.dmp

Filesize
1.1MB

Download
memory/2996-223-0x000001FA5CF20000-0x000001FA5CF64000-memory.dmp

Filesize
272KB

Download
memory/2996-237-0x000001FA44350000-0x000001FA44360000-memory.dmp

Filesize
64KB

Download
memory/2996-229-0x000001FA5D590000-0x000001FA5D5CC000-memory.dmp

Filesize
240KB

Download
memory/2996-227-0x000001FA5CF70000-0x000001FA5CFEE000-memory.dmp

Filesize
504KB

Download
memory/2996-228-0x000001FA5CED0000-0x000001FA5CEF0000-memory.dmp

Filesize
128KB

Download
memory/3132-287-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/3668-509-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/5040-308-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/5100-254-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/5216-329-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/5360-428-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/5916-765-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/5916-764-0x0000000004FC0000-0x0000000005052000-memory.dmp

Filesize
584KB

Download
memory/5916-763-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/5916-762-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/5920-488-0x00000644C00C0000-0x00000644C10E9000-memory.dmp

Filesize
16.2MB

Download
memory/5920-485-0x000001E4F3CD0000-0x000001E4F3CF6000-memory.dmp

Filesize
152KB

Download
memory/5968-508-0x00000186BEB30000-0x00000186BEB48000-memory.dmp

Filesize
96KB

Download
memory/6080-783-0x0000000008EE0000-0x0000000008F30000-memory.dmp

Filesize
320KB

Download
memory/6080-779-0x0000000007290000-0x00000000073B8000-memory.dmp

Filesize
1.2MB

Download
memory/6080-778-0x0000000005D80000-0x0000000005D90000-memory.dmp

Filesize
64KB

Download
memory/6080-777-0x0000000005980000-0x000000000598C000-memory.dmp

Filesize
48KB

Download
memory/6080-780-0x00000000071B0000-0x00000000071EC000-memory.dmp

Filesize
240KB

Download
memory/6080-775-0x00000000064E0000-0x0000000006864000-memory.dmp

Filesize
3.5MB

Download
memory/6080-773-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

Filesize
72KB

Download
memory/6080-781-0x00000000071F0000-0x0000000007224000-memory.dmp

Filesize
208KB

Download
memory/6080-782-0x0000000007850000-0x0000000007920000-memory.dmp

Filesize
832KB

Download
memory/6080-784-0x00000000091B0000-0x000000000926A000-memory.dmp

Filesize
744KB

Download