28327d9e90781c714d6951c767b3fa88396048b81178e9b691ab8edef0e59cf7

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2025, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiddlerSetup.5.0.20245.10105-latest.exe
Size

4.4MB
MD5

c1980b018489df28be8809eb32519001
SHA1

e860439703d7b6665af4507b20bbef2bbb7b73f4
SHA256

588024037b1e5929b1f2a741fff52a207bcab17f0650ec7cb0cd3cb78051998d
SHA512

f70d419e869e56700a9e23350a9779f5dd56bb78adb9a1b0d5039287a24f20004db20f842294d234d4717feaa3184a5e6d90f0ee3666208bad2ea518d37b0a35
SSDEEP

98304:qMgxyUnSAaB1eXq8yOkLiGXv72Qomw6pvtFIAwdaRdA:qMoWvePjqHv72Qo96pvtF5wH

Score

9^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1228	netsh.exe
3624	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 2 IoCs

pid	Process
3252	FiddlerSetup.exe
4828	SetupHelper

Loads dropped DLL 20 IoCs

pid	Process
3252	FiddlerSetup.exe
1748	mscorsvw.exe
3408	mscorsvw.exe
3408	mscorsvw.exe
4108	mscorsvw.exe
1000	mscorsvw.exe
1000	mscorsvw.exe
4976	mscorsvw.exe
5200	mscorsvw.exe
5488	mscorsvw.exe
5700	mscorsvw.exe
5700	mscorsvw.exe
5700	mscorsvw.exe
1496	mscorsvw.exe
5324	mscorsvw.exe
1976	mscorsvw.exe
6012	mscorsvw.exe
5728	mscorsvw.exe
5804	mscorsvw.exe
6012	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d50-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\5237ZYN0QA\System.Numerics.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\O62RF05QJO\System.Security.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\7b8-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1570-0\Microsoft.JScript.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\I8BKBZCASU\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\5237ZYN0QA\System.Numerics.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\100c-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1644-0\System.Web.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1660-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\16ac-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1450-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\G13XGEJ048\System.Deployment.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\592AFQE51N\System.Data.SqlXml.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\14cc-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\6d4-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\I8BKBZCASU\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\YNPVVBO4U9\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\592AFQE51N\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\YNPVVBO4U9\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\G13XGEJ048\System.Deployment.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\O62RF05QJO\System.Security.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\5d8-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\177c-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\3e8-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.5.0.20245.10105-latest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3252	FiddlerSetup.exe
3252	FiddlerSetup.exe
2896	msedge.exe
2896	msedge.exe
4180	msedge.exe
4180	msedge.exe
5284	identity_helper.exe
5284	identity_helper.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 3252	3016	FiddlerSetup.5.0.20245.10105-latest.exe	82
PID 3016 wrote to memory of 3252	3016	FiddlerSetup.5.0.20245.10105-latest.exe	82
PID 3016 wrote to memory of 3252	3016	FiddlerSetup.5.0.20245.10105-latest.exe	82
PID 3252 wrote to memory of 3624	3252	FiddlerSetup.exe	95
PID 3252 wrote to memory of 3624	3252	FiddlerSetup.exe	95
PID 3252 wrote to memory of 3624	3252	FiddlerSetup.exe	95
PID 3252 wrote to memory of 1228	3252	FiddlerSetup.exe	97
PID 3252 wrote to memory of 1228	3252	FiddlerSetup.exe	97
PID 3252 wrote to memory of 1228	3252	FiddlerSetup.exe	97
PID 3252 wrote to memory of 2080	3252	FiddlerSetup.exe	99
PID 3252 wrote to memory of 2080	3252	FiddlerSetup.exe	99
PID 3252 wrote to memory of 5072	3252	FiddlerSetup.exe	100
PID 3252 wrote to memory of 5072	3252	FiddlerSetup.exe	100
PID 3252 wrote to memory of 4828	3252	FiddlerSetup.exe	101
PID 3252 wrote to memory of 4828	3252	FiddlerSetup.exe	101
PID 3252 wrote to memory of 4828	3252	FiddlerSetup.exe	101
PID 3252 wrote to memory of 4180	3252	FiddlerSetup.exe	106
PID 3252 wrote to memory of 4180	3252	FiddlerSetup.exe	106
PID 4180 wrote to memory of 1908	4180	msedge.exe	109
PID 4180 wrote to memory of 1908	4180	msedge.exe	109
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 4596	4180	msedge.exe	114
PID 4180 wrote to memory of 2896	4180	msedge.exe	115
PID 4180 wrote to memory of 2896	4180	msedge.exe	115
PID 4180 wrote to memory of 4492	4180	msedge.exe	116
PID 4180 wrote to memory of 4492	4180	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.5.0.20245.10105-latest.exe
"C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.5.0.20245.10105-latest.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\nsiBFC7.tmp\FiddlerSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\nsiBFC7.tmp\FiddlerSetup.exe" /D=
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3624
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
    3⤵
    PID:2080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:3912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 274 -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      PID:3752
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 280 -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:3408
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:4108
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2d4 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      PID:4976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 29c -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5200
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 270 -Pipe 290 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 298 -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5472
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2f0 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:3620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2e4 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:3408
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 2fc -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:5932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 200 -Pipe 2b8 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:6124
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 28c -Pipe 2fc -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:4592
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
    3⤵
    PID:5072
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:4036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 0 -NGENProcess 26c -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 258 -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:1976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5324
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5728
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2c8 -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:6012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 28c -Pipe 2dc -Comment "NGen Worker Process"
      4⤵
      Loads dropped DLL
      Drops file in Windows directory
      PID:5804
- - C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
    "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0xf8,0x128,0x7ff84ff746f8,0x7ff84ff74708,0x7ff84ff74718
      4⤵
      PID:1908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:2644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
      4⤵
      PID:5820
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      4⤵
      PID:5968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      4⤵
      PID:5976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
      4⤵
      PID:5148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
      4⤵
      PID:5356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2825495545402968603,10129288304238506537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4844 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8d80f3e522a46fbb16910f1e7f0b4e87

SHA1
592b3ebcbdde9abb5b39be5899e2cf49f30f87b6

SHA256
7543fbb15404cafe04bea7b8480d7d0aeeed2cc13fef8e45cab2f31830892416

SHA512
e0da8f0728d5997755f246ecdf58e10fa21c7e5bde7c74429744eba21d9d675b5648d0ab86bd665e52e8cfad2a60ed12381d54cc8e4f7380c023fe69d5a8d71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6d67c8a5f011e1fc61f35537858a290d

SHA1
5d7d764617df17dc94513600f68774ebff4e763a

SHA256
7ef5ef3566c612416e0b1e9ced15ffeb28aca6dd0846130085e3090687a8185c

SHA512
e401c5b45fcb7e8f8fd1504d9c32524714106fee69f39978fcd9050ba8e4ce35fb77db26825866398d286aedfa834ba6935535788a52428a39ddb46e6e01aa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d534dab362607fe1c956a61f35126d6d

SHA1
66a288aad2eb7bfc3e349b0d33723d5628e2c56f

SHA256
93ba9cdadf6bec60dba60921ef540553618a5187299555db6dadad5b47080517

SHA512
9f07b3397f968cdabf6b0d301d87ed80bac29120142adcf434ba9a9a3b4e7789fca34e7d1c3becb102896c720436c454c949bdbe6ccd8548ec2b8dee31460790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43228ad116d32f454169c8716c783c6a

SHA1
903ceb5e714ebaa6542e7f11ea873673becab4e3

SHA256
bd9e0d665a3c0921925a2e930aacca8e2e2d4881ea0f225137c01e48f986e1e0

SHA512
b26434585edd978418178ca5503a7b08708f5b19c58c782d517183dd8835f387a4d96a3be78a5052d059970b2cd2271024445b5bb1b3bd0329d1ccc9b29089f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c1967938eaae01ae9fa29f218dba1495

SHA1
ba2fbc48e5c08f605182240111b5afaa4bdd3c7d

SHA256
8a06f40ddc9bededbefd7fdb264aa492e28e778899d393e6b22aa0e64800c125

SHA512
0060c91d67d4a0cc0e8aea01d1efb70f0f9c2aea2b2925b1d8acc619413812a144793866da6ff0a1a65b14718e0b08393b5555e3297905acf0cda248905eb77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588008.TMP

Filesize
48B

MD5
b4f186718c38f972557574a0cb037cc5

SHA1
fddd8db0cfa487a640778c10849c2a78f6f5e0a9

SHA256
768ca3c0453b8e52ea3d6df02995885d66e86bc883a79230d2e3298914b4c25b

SHA512
b9ebec6769897f7b46c3435d720368db74017ad59de5328bcf2f4f5fb7ffe1b8a80fd1508f7b20201743031a3ec291b388fe4d5bebd1c99726082c7f06cbafbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7a4f2f0d520ef89f8e8cbe256408d1b

SHA1
c2393230cb0139066916c8ad02a8123f756de394

SHA256
48aa6a496f62e5cdfb3764b7cad6cd6391091752c622be1fb826ca61e7034b52

SHA512
98e13417040f1a207807cceefbd351a345081c95927498cd6c776fe95b918d53f7ba253b9d130061e006e31c5dc4514cd2e4d28ebb75634ad009fcb284db02a6

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
81564947d42846910eec2d08310e0d25

SHA1
b7a167dcd3afb29c8a0e18c943d634e3fc58a44c

SHA256
543f16b73f7d40177585332f433ce76dddc1526e12bcd62cb73edd11eb002341

SHA512
8f06409517697b022787bc9e2ed7e73100018422177aa3f63ecb406c3bdb6b021624f909a16fca0430002bfa7d35a461b38750c79c0273a154f63316b4e13037

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
87bc17f56e744e74408e6ae8bb28b724

SHA1
3aa572388083ff00a95405d34d1189c99c7ff5be

SHA256
ffb24fc36ade87988f9908e848d0333ce7ffb2b4e4d0ffb43f6556246069d057

SHA512
cbeee155c97b87a22b92b808f86fee25c18db51ab43a36b657d532d2d47d3a7db2f4507a699b72af904bf6d5ed851d1ae1fcfb4833a57096e6c7787211c0f35d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
b1827fca38a5d49fb706a4a7eee4a778

SHA1
95e342f3b6ee3ebc34f98bbb14ca042bca3d779f

SHA256
77523d1504ab2c0a4cde6fcc2c8223ca1172841e2fd9d59d18e5fc132e808ae2

SHA512
41be41372fe3c12dd97f504ebabb70ce899473c0c502ff7bfeaddc748b223c4a78625b6481dbab9cb54c10615e62b8b2dbe9a9c08eb2f69c54ebf5933efbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdF52F.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiBFC7.tmp\FiddlerSetup.exe

Filesize
4.4MB

MD5
c2a0eb6f104eacec3f39581451ee208f

SHA1
9ae7d02aeb640fbd090dfc01885b98dd5dd0b6cc

SHA256
1f926cc353301e547e76c6d2eff23fcbe85495ba0292174cc6344fac26457af8

SHA512
8b062e4f0af1dce3a12b5776646fe8c235f30de6772f579da1a6ab2bb559ed69b3bd32af95eee248c48008ddcbd40a7e49eae722a44bc9b49dd13fe38113a3ca

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe

Filesize
160KB

MD5
cc709e3e9e13b9ce4db0f56c85e0ac89

SHA1
061131c1a6ece34afbec4945f50c054d9d5ee95a

SHA256
010e768a05ce3fcc09814918e1a5099f644fc562fe3c87f069114fa8a54e1e26

SHA512
0a59caf920753cc09543d3b097571cbb5faefa3c6b5c6085dcf61ef44b182a195776a349aee39714555090fb84b33b5a407e9880b5da62a59f2dc70ba3b056ab

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll

Filesize
16.2MB

MD5
b5840712456c7cb4de53695522e2a41c

SHA1
c8fa753ff825f929d5e78d6f6059fc6806951a69

SHA256
3cd39a70525ab32c60ed04b3791d692106afc322f399561cc7bc5b5a8e8d2a64

SHA512
02220870c1c06a15352f7cc75deea2645a58d93ec40f3a465cc0373d9aa98746f8739eb9120ddf8b5a3acafc6db617d3c77c7825eb7a11abab81e1fa466dcd1e

Download Submit
C:\Windows\assembly\temp\G13XGEJ048\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
C:\Windows\assembly\temp\I8BKBZCASU\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
15d9528aaa8f3ef914a4ae5662f138eb

SHA1
944e083df6082e372e81a5dfa7979f4d5e519ed3

SHA256
5bcc2ba91c42bb47333af2d30a23d9009475e8710e06f82492e377aa6fe29d4e

SHA512
fc22d60f9dc0feadae1a6ee296129abab2d6dd963df35416d6b9d36d00d22f4b2e7dfc2f111cec5d28c8625fec75b68f68ed4ab3fffb86a1c94b8f322a65049c

Download Submit
C:\Windows\assembly\temp\YNPVVBO4U9\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
memory/1000-304-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/1496-498-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download
memory/1748-233-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/3408-267-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/3912-216-0x0000023249250000-0x0000023249282000-memory.dmp

Filesize
200KB

Download
memory/3912-214-0x0000023230AF0000-0x0000023230B02000-memory.dmp

Filesize
72KB

Download
memory/3912-223-0x0000023249630000-0x000002324966C000-memory.dmp

Filesize
240KB

Download
memory/3912-224-0x00000232495F0000-0x0000023249602000-memory.dmp

Filesize
72KB

Download
memory/3912-221-0x0000023249570000-0x00000232495EE000-memory.dmp

Filesize
504KB

Download
memory/3912-222-0x00000232492E0000-0x0000023249300000-memory.dmp

Filesize
128KB

Download
memory/3912-106-0x0000023248EC0000-0x0000023249244000-memory.dmp

Filesize
3.5MB

Download
memory/3912-220-0x000002324A560000-0x000002324A682000-memory.dmp

Filesize
1.1MB

Download
memory/3912-218-0x0000023248D60000-0x0000023248D7E000-memory.dmp

Filesize
120KB

Download
memory/3912-219-0x0000023248D80000-0x0000023248D9A000-memory.dmp

Filesize
104KB

Download
memory/3912-217-0x0000023249290000-0x00000232492D4000-memory.dmp

Filesize
272KB

Download
memory/3912-171-0x0000023249780000-0x0000023249CA8000-memory.dmp

Filesize
5.2MB

Download
memory/3912-109-0x0000023248C30000-0x0000023248CEA000-memory.dmp

Filesize
744KB

Download
memory/3912-198-0x0000023230A70000-0x0000023230AEA000-memory.dmp

Filesize
488KB

Download
memory/3912-203-0x0000023248DB0000-0x0000023248E62000-memory.dmp

Filesize
712KB

Download
memory/3912-207-0x00000232493E0000-0x0000023249566000-memory.dmp

Filesize
1.5MB

Download
memory/3912-213-0x000002324AA30000-0x000002324AEFC000-memory.dmp

Filesize
4.8MB

Download
memory/3912-226-0x000002322EBC0000-0x000002322EBD0000-memory.dmp

Filesize
64KB

Download
memory/3912-215-0x0000023248D40000-0x0000023248D60000-memory.dmp

Filesize
128KB

Download
memory/3912-209-0x0000023249310000-0x00000232493C2000-memory.dmp

Filesize
712KB

Download
memory/3912-201-0x0000023230480000-0x00000232304CA000-memory.dmp

Filesize
296KB

Download
memory/3912-200-0x000002322EBA0000-0x000002322EBAC000-memory.dmp

Filesize
48KB

Download
memory/3912-211-0x0000023248E70000-0x0000023248EAA000-memory.dmp

Filesize
232KB

Download
memory/3912-212-0x0000023230460000-0x000002323047C000-memory.dmp

Filesize
112KB

Download
memory/3912-210-0x00000232304D0000-0x00000232304F2000-memory.dmp

Filesize
136KB

Download
memory/3912-208-0x0000023230430000-0x0000023230452000-memory.dmp

Filesize
136KB

Download
memory/3912-206-0x0000023248CF0000-0x0000023248D40000-memory.dmp

Filesize
320KB

Download
memory/3912-205-0x000002322EBB0000-0x000002322EBBC000-memory.dmp

Filesize
48KB

Download
memory/4036-497-0x000002A04BD70000-0x000002A04BD88000-memory.dmp

Filesize
96KB

Download
memory/4108-282-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/4828-104-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/5200-348-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/5488-380-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/5700-465-0x00000644C00C0000-0x00000644C10E9000-memory.dmp

Filesize
16.2MB

Download
memory/5700-461-0x000001A0DD300000-0x000001A0DD326000-memory.dmp

Filesize
152KB

Download