5ee772e7a7658a404f63523ab01ad2c233d5c3158ec9651b97ad8763e8212a0d

Analysis

max time kernel
856s
max time network
875s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/FiddlerSetup.exe
Size

4.4MB
MD5

c2a0eb6f104eacec3f39581451ee208f
SHA1

9ae7d02aeb640fbd090dfc01885b98dd5dd0b6cc
SHA256

1f926cc353301e547e76c6d2eff23fcbe85495ba0292174cc6344fac26457af8
SHA512

8b062e4f0af1dce3a12b5776646fe8c235f30de6772f579da1a6ab2bb559ed69b3bd32af95eee248c48008ddcbd40a7e49eae722a44bc9b49dd13fe38113a3ca
SSDEEP

98304:KgxyUnSAaB1eXq8yOkLiGXv72Qomw6pvtFIAwdaRdAM:KoWvePjqHv72Qo96pvtF5wHM

Score

9^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
defense_evasion

Software Discovery
T1518

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4420	netsh.exe
4848	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	FiddlerSetup.exe

Executes dropped EXE 1 IoCs

pid	Process
2260	SetupHelper

Loads dropped DLL 20 IoCs

pid	Process
5088	FiddlerSetup.exe
4684	mscorsvw.exe
3900	mscorsvw.exe
3900	mscorsvw.exe
1808	mscorsvw.exe
5036	mscorsvw.exe
2636	mscorsvw.exe
5036	mscorsvw.exe
5180	mscorsvw.exe
5376	mscorsvw.exe
5508	mscorsvw.exe
5508	mscorsvw.exe
5508	mscorsvw.exe
5712	mscorsvw.exe
4612	mscorsvw.exe
5536	mscorsvw.exe
5572	mscorsvw.exe
5764	mscorsvw.exe
5788	mscorsvw.exe
5764	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 38 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\13ac-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\8FKMLX8OKQ\Microsoft.JScript.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JQCWBXH2BW\System.Numerics.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\169c-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\0ZHII1ZQLA\System.Runtime.Serialization.Formatters.Soap.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\YNWDTHW2DH\System.Deployment.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\YNWDTHW2DH\System.Deployment.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\BKN9LYAFDA\System.Data.SqlXml.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1204-0\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\710-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1584-0\System.Web.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\0ZHII1ZQLA\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1650-0\EnableLoopback.exe	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15a0-0\System.Numerics.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\143c-0\System.Runtime.Serialization.Formatters.Soap.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f3c-0\System.Security.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\JQCWBXH2BW\System.Numerics.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1684-0\System.Deployment.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll.aux.tmp	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\8FKMLX8OKQ\Microsoft.JScript.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\BKN9LYAFDA\System.Data.SqlXml.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\124c-0\System.Data.SqlXml.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\L0O8TSO2KW\System.Security.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1500-0\Microsoft.JScript.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\temp\L0O8TSO2KW\System.Security.ni.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe.aux.tmp	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\15c4-0\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux.tmp	mscorsvw.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FiddlerSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHelper

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "0"	FiddlerSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Fiddler.exe = "9999"	FiddlerSetup.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\DefaultIcon	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\SAZ.ico"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -noattach \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open\command	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\Fiddler\\Fiddler.exe\" -viewer \"%1\""	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.saz	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\.saz\ = "Fiddler.ArchiveZip"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\PerceivedType = "compressed"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer\command	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\ = "Fiddler Session Archive"	FiddlerSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Content Type = "application/vnd.telerik-fiddler.SessionArchive"	FiddlerSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Fiddler.ArchiveZip\Shell\Open &in Viewer	FiddlerSetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5088	FiddlerSetup.exe
5088	FiddlerSetup.exe
1420	msedge.exe
1420	msedge.exe
516	msedge.exe
516	msedge.exe
5972	identity_helper.exe
5972	identity_helper.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe
5592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 4848	5088	FiddlerSetup.exe	97
PID 5088 wrote to memory of 4848	5088	FiddlerSetup.exe	97
PID 5088 wrote to memory of 4848	5088	FiddlerSetup.exe	97
PID 5088 wrote to memory of 4420	5088	FiddlerSetup.exe	99
PID 5088 wrote to memory of 4420	5088	FiddlerSetup.exe	99
PID 5088 wrote to memory of 4420	5088	FiddlerSetup.exe	99
PID 5088 wrote to memory of 4352	5088	FiddlerSetup.exe	101
PID 5088 wrote to memory of 4352	5088	FiddlerSetup.exe	101
PID 5088 wrote to memory of 4112	5088	FiddlerSetup.exe	102
PID 5088 wrote to memory of 4112	5088	FiddlerSetup.exe	102
PID 5088 wrote to memory of 2260	5088	FiddlerSetup.exe	104
PID 5088 wrote to memory of 2260	5088	FiddlerSetup.exe	104
PID 5088 wrote to memory of 2260	5088	FiddlerSetup.exe	104
PID 5088 wrote to memory of 516	5088	FiddlerSetup.exe	108
PID 5088 wrote to memory of 516	5088	FiddlerSetup.exe	108
PID 516 wrote to memory of 3508	516	msedge.exe	111
PID 516 wrote to memory of 3508	516	msedge.exe	111
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 2600	516	msedge.exe	114
PID 516 wrote to memory of 1420	516	msedge.exe	115
PID 516 wrote to memory of 1420	516	msedge.exe	115
PID 516 wrote to memory of 1752	516	msedge.exe	117
PID 516 wrote to memory of 1752	516	msedge.exe	117
PID 516 wrote to memory of 1752	516	msedge.exe	117
PID 516 wrote to memory of 1752	516	msedge.exe	117
PID 516 wrote to memory of 1752	516	msedge.exe	117

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\FiddlerSetup.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4848
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"
  2⤵
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 168 -Pipe 1c8 -Comment "NGen Worker Process"
    3⤵
    PID:1368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 278 -Pipe 280 -Comment "NGen Worker Process"
    3⤵
    PID:3672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 1dc -Pipe 258 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4684
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 27c -Pipe 2c4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2dc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    PID:2636
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 0 -NGENProcess 300 -Pipe 2f8 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5180
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 2fc -Pipe 304 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2fc -Pipe 300 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5508
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2fc -Pipe 2f0 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:3688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 31c -Pipe 2a4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5200
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 278 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5404
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 314 -Pipe 2d4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2cc -Pipe 328 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:5428
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 324 -Pipe 2f4 -Comment "NGen Worker Process"
    3⤵
    - Drops file in Windows directory
    PID:2960
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"
  2⤵
  PID:4112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1bc -Pipe 1c8 -Comment "NGen Worker Process"
    3⤵
    PID:5684
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 264 -Pipe 1c4 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5712
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 280 -Pipe 290 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2cc -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4612
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 280 -Pipe 26c -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5764
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 264 -Pipe 258 -Comment "NGen Worker Process"
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:5788
- C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper
  "C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffee61346f8,0x7ffee6134708,0x7ffee6134718
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    3⤵
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:2300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:5556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
    3⤵
    PID:5840
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
    3⤵
    PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,16459874572726470355,16652934452600025167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
b0861e03c35d121047f64964fec21b36

SHA1
8c7fcadd7d226ea36751deede856c5234e17e441

SHA256
bc4eabb4931abab63b68f057a7a57f35a53d15f34bada82512d4f1542cf1fba0

SHA512
42397919aa37f0a59faab7b640daa007469b73cd352160caef68f310204fe472557ada9087363052fa28d9d30be6e0fa57a987ed08d749efad18ac6cab5eb07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d7cf882e3a158a91040643f4837af8e1

SHA1
6b9f36bf0060b37f917449b36eba71861d9370b6

SHA256
ac6a942254ab4c61f62e1e86e00c017580046bf2a9d13a0516d0863cce5ad282

SHA512
1c587358ecaa32abfb28f54a0f4bb0ea046cfe9aa03daf26137b83162755e5027fcdfae7da6aed2f9f2157acb5278309c1b34981685174bfa2f147f7467e3055

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19bef7aa4be5b72f8768317295c0dddf

SHA1
ccf081ce8e304cd0e51531d78072ba704c3fa14e

SHA256
898e3d73b8c502f2a5a72e73d3053abce15dfa25224d4915d438b801cce698d2

SHA512
9590adfc75ff0c6ce6f24b53b5eeb41f9b7244aeda1010e1f506ca8aee4f841d077336eb4fbf91046c69d136391d983da12cf307d0f2899b08f4bacbb4838525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
037662455bb9770414b2b8e7e1a6c814

SHA1
f3e8a03e5ec56e3f049b6437f3c26daa419f59b1

SHA256
290a79c1362a318ba223118ab1d839ff7483012d6f6b77e6662d6aaa8f6a8f1d

SHA512
953a1be99fc581579dddcfb9de34ce78a4dfde2201d333f4c70116dfad64dd04976f4bd5a8907a8ad48390091a8482030cba1ac229e800fc1691b232107b2ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e5e7f2c28bd021421553fc77e66f2e4b

SHA1
929315b4c5aea792ce6e6aa6533157af0925e81a

SHA256
c0f1c7ad30fdb2ca948c8aa5a9dd1919ec0f4a35486a6d960291ecb7a0e34a74

SHA512
dc5e074aaca1ab4d87757f04b97d100e523c4ecd4b0ab44b0d79cd43b96f61785ff5fc5e0b11665f6a8503b59af045ae4d5522df1b38033855d62eb0aea60d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585752.TMP

Filesize
48B

MD5
28bed5644cf1bae0874bbedbfa73c3cd

SHA1
70b70a56bf5264c1ed2d625b26d5e1ef8ed4b4f8

SHA256
303d05c733db64faf7e91940e52bbc9f2501fd0f05cbd2f1e33a06f0e79afee5

SHA512
ff2a0d388ef2125040a04b8348a443bc9ac8167f306c8ae8630f8cdbd3e7d5a536384d46e7cffda359dce595f8d413e8dcdf0f2cf373a799045d8b2a5e5a48e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
35c9d4e0bbcc2e01a59845daddbe0e4b

SHA1
97dcb16cc789fbd6039b403caff512f327d021ba

SHA256
3e8df07d09b7e20d980d4a37f825863f68ee4f56186d36355f2acd720b6bf1b3

SHA512
0843c3a890f30337149b12f78dfcc05bc798e36e5d805060f0ee50a3a27bcfac41dd1e64faaca0986f04efdef09e6a2802dfda700d8f2eb70432cbed789d7cb7

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Analytics.dll

Filesize
32KB

MD5
1c2bd080b0e972a3ee1579895ea17b42

SHA1
a09454bc976b4af549a6347618f846d4c93b769b

SHA256
166e1a6cf86b254525a03d1510fe76da574f977c012064df39dd6f4af72a4b29

SHA512
946e56d543a6d00674d8fa17ecd9589cba3211cfa52c978e0c9dab0fa45cdfc7787245d14308f5692bd99d621c0caca3c546259fcfa725fff9171b144514b6e0

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\DotNetZip.dll

Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe

Filesize
82KB

MD5
81564947d42846910eec2d08310e0d25

SHA1
b7a167dcd3afb29c8a0e18c943d634e3fc58a44c

SHA256
543f16b73f7d40177585332f433ce76dddc1526e12bcd62cb73edd11eb002341

SHA512
8f06409517697b022787bc9e2ed7e73100018422177aa3f63ecb406c3bdb6b021624f909a16fca0430002bfa7d35a461b38750c79c0273a154f63316b4e13037

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe

Filesize
3.5MB

MD5
87bc17f56e744e74408e6ae8bb28b724

SHA1
3aa572388083ff00a95405d34d1189c99c7ff5be

SHA256
ffb24fc36ade87988f9908e848d0333ce7ffb2b4e4d0ffb43f6556246069d057

SHA512
cbeee155c97b87a22b92b808f86fee25c18db51ab43a36b657d532d2d47d3a7db2f4507a699b72af904bf6d5ed851d1ae1fcfb4833a57096e6c7787211c0f35d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe.config

Filesize
261B

MD5
c2edc7b631abce6db98b978995561e57

SHA1
5b1e7a3548763cb6c30145065cfa4b85ed68eb31

SHA256
e59afc2818ad61c1338197a112c936a811c5341614f4ad9ad33d35c8356c0b14

SHA512
5bef4b5487ecb4226544ef0f68d17309cf64bfe52d5c64732480a10f94259b69d2646e4c1b22aa5c80143a4057ee17b06239ec131d5fe0af6c4ab30e351faba2

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.dll

Filesize
52KB

MD5
6f9e5c4b5662c7f8d1159edcba6e7429

SHA1
c7630476a50a953dab490931b99d2a5eca96f9f6

SHA256
e3261a13953f4bedec65957b58074c71d2e1b9926529d48c77cfb1e70ec68790

SHA512
78fd28a0b19a3dae1d0ae151ce09a42f7542de816222105d4dafe1c0932586b799b835e611ce39a9c9424e60786fbd2949cabac3f006d611078e85b345e148c8

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dll

Filesize
192KB

MD5
ac80e3ca5ec3ed77ef7f1a5648fd605a

SHA1
593077c0d921df0819d48b627d4a140967a6b9e0

SHA256
93b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5

SHA512
3ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dll

Filesize
816KB

MD5
eaa268802c633f27fcfc90fd0f986e10

SHA1
21f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f

SHA256
fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54

SHA512
c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dll

Filesize
228KB

MD5
3be64186e6e8ad19dc3559ee3c307070

SHA1
2f9e70e04189f6c736a3b9d0642f46208c60380a

SHA256
79a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c

SHA512
7d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper

Filesize
18KB

MD5
b1827fca38a5d49fb706a4a7eee4a778

SHA1
95e342f3b6ee3ebc34f98bbb14ca042bca3d779f

SHA256
77523d1504ab2c0a4cde6fcc2c8223ca1172841e2fd9d59d18e5fc132e808ae2

SHA512
41be41372fe3c12dd97f504ebabb70ce899473c0c502ff7bfeaddc748b223c4a78625b6481dbab9cb54c10615e62b8b2dbe9a9c08eb2f69c54ebf5933efbeb1b

Download Submit
C:\Users\Admin\AppData\Local\Programs\Fiddler\Telerik.NetworkConnections.dll

Filesize
34KB

MD5
798d6938ceab9271cdc532c0943e19dc

SHA1
5f86b4cd45d2f1ffae1153683ce50bc1fb0cd2e3

SHA256
fb90b6e76fdc617ec4ebf3544da668b1f6b06c1debdba369641c3950cab73dd2

SHA512
644fde362f032e6e479750696f62e535f3e712540840c4ca27e10bdfb79b2e5277c82a6d8f55f678e223e45f883776e7f39264c234bc6062fc1865af088c0c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnE783.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\59301724925cee80b0409b0c7e65aad8\EnableLoopback.ni.exe

Filesize
160KB

MD5
cc709e3e9e13b9ce4db0f56c85e0ac89

SHA1
061131c1a6ece34afbec4945f50c054d9d5ee95a

SHA256
010e768a05ce3fcc09814918e1a5099f644fc562fe3c87f069114fa8a54e1e26

SHA512
0a59caf920753cc09543d3b097571cbb5faefa3c6b5c6085dcf61ef44b182a195776a349aee39714555090fb84b33b5a407e9880b5da62a59f2dc70ba3b056ab

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\3b5383dd37da6f390d4d4ad42fcb5b32\Microsoft.JScript.ni.dll

Filesize
2.7MB

MD5
89bedf9727f90a9f8e15826df509d7b9

SHA1
f0c590abc08815c38aa522afee4438d69a78c490

SHA256
224851ed49ed39bd526910bd252a6f53cc32c0067d80066a30f84329500ba929

SHA512
4d300c96062d5853e644675059afb4687246a610d5c86cfe1aa7380e4d69da255e743009339d59b4d00e79991cd8251330a99064447cde28f08821c3dbe448b9

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll

Filesize
3.0MB

MD5
b0bd1b2c367441f420d9cc270cf7fab6

SHA1
bdd65767f9c8047125a86b66b5678d8d72a76911

SHA256
447bfc33e8f3bc3d661200891933fed1bb28c402d1063e6838f55096ec9833aa

SHA512
551becf8035964921fca26458e46cd32fadf1703e66724df5cc868447bb0b0c181f87eba1c3df1bece2a9a127aea78bcc2f00ad38ecd05d438119cd1a9ce8324

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.aux

Filesize
708B

MD5
688ac15ac387cbac93d705be85b08492

SHA1
a4fabce08bbe0fee991a8a1a8e8e62230f360ff2

SHA256
ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470

SHA512
a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\18271de25c06b49b2aaa391461de2df6\System.Deployment.ni.dll

Filesize
3.0MB

MD5
3385fdacfda1fc77da651550a705936d

SHA1
207023bf3b3ff2c93e9368ba018d32bb11e47a8a

SHA256
44a217d721c0fb7de3f52123ace1eeaf62f48f40f55bd816bb32c422d0939eec

SHA512
bb8f38dc08b1983a5b5b1b6dac069364cec4f3a9a88fcf277cfdefac376a8c6207078938f064aacef1032f9a15cf9d21174aef4b94a89513fd65a2cfaaab5174

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll

Filesize
314KB

MD5
50b28be2b84f9dd1258a346525f8c2e5

SHA1
203abebaa5c22c9f6ac099d020711669e6655ed8

SHA256
6c51e5a928f227bb64a7eb9e48089bca5e9bbef0d0329b971ebbf918335ee1ac

SHA512
d5336827cdb202ab51583c32a45960ae43c56499dbe149ec0edb907f8f33e12800c7aa187a52a3c93e3f2ebcb677bed4e7e829e1df3fee05fe3fdc21948f571d

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ba90284a07d8bc0ce7e6273afa79210f\System.Numerics.ni.dll.aux

Filesize
300B

MD5
5052a26ae1334e99f9c993f0ac477f5b

SHA1
941e82d2397f79faf7707569927bb3dbea9ea34c

SHA256
ec432d36bb95dcdb1876836b09ba1829c03a83c9b53afbb195c6fa0d7d91375f

SHA512
eb5dce71049b099c5764fe449f529b5813aab3d86150331ae384c08973f0487f9a25e1f11498203baa0a093dc2961f6bb0f5d03a86ff9c39f050524c9d32ede2

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt9064068c#\f85535a7092741215f67fdedf2846499\System.Runtime.Serialization.Formatters.Soap.ni.dll

Filesize
345KB

MD5
35738b026183e92c1f7a6344cfa189fd

SHA1
ccc1510ef4a88a010087321b8af89f0c0c29b6d8

SHA256
4075d88d2ba1cff2a8ab9be66176045628d24cae370428e0128f8af3a77639fb

SHA512
ab7100c26f60ae30a84ba3de31ca96c530e86e052ffc997fd7fd3144e2049fc0d188a3d075a123b6f728dc882beee3d6a35a086d19d7dad4d385e101382fc436

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll

Filesize
986KB

MD5
e4b53e736786edcfbfc70f87c5ef4aad

SHA1
62cdd43c2d1f8ae9b28c484344e3fb7135a4e4d5

SHA256
9ac6d5445caaacae6813243c787e8d67c974988acd1a4a5f564503fd36e91e46

SHA512
42a3b1cc0b805674f48a8d7891ab5ecae33d5a2205059317ca5441e7de52f26eabb32e79a3040d7aa0e0333b19f80d93d25e1faa1dfe5cfb0ea39efba5767fde

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Security\7355af105ad86679d6c9070a9b4dc0c3\System.Security.ni.dll.aux

Filesize
912B

MD5
255a843ca54e88fd16d2befcc1bafb7a

SHA1
aee7882de50a5cea1e4c2c2ddfaa4476f20a9be9

SHA256
8cd849585fe99e63f28b49f1dae2d1b47a406268dcc5a161e58331a6a3cba3ed

SHA512
666866c0d25d61dc04341cf95eb61969698cfafce232097e60cb0537ea2a35635e1e4986036e413fb51927187183aa2e64ecac7fbc26bac46998c0bd84f69e45

Download Submit
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\44d302d3062a00a6bd5a39f743bdb4ef\System.Web.ni.dll

Filesize
16.2MB

MD5
b5840712456c7cb4de53695522e2a41c

SHA1
c8fa753ff825f929d5e78d6f6059fc6806951a69

SHA256
3cd39a70525ab32c60ed04b3791d692106afc322f399561cc7bc5b5a8e8d2a64

SHA512
02220870c1c06a15352f7cc75deea2645a58d93ec40f3a465cc0373d9aa98746f8739eb9120ddf8b5a3acafc6db617d3c77c7825eb7a11abab81e1fa466dcd1e

Download Submit
C:\Windows\assembly\temp\0ZHII1ZQLA\System.Runtime.Serialization.Formatters.Soap.ni.dll.aux

Filesize
644B

MD5
caba9e7248016ec410e8346b3cf4f51b

SHA1
f9e23982f25f1977b0f668090c92cedc783efc89

SHA256
638feb99f77dec41e6acd96a76d0b48bbd710a3c25df09d20e226730517c5149

SHA512
4577677bd631c76d33521a45de97f4d3e51badb6f859525f91f93abf8bdc86de9b1e27736636aaa5d1bbe677cc98b6d3aac93f873aaf6621fcf186c1274691e4

Download Submit
C:\Windows\assembly\temp\8FKMLX8OKQ\Microsoft.JScript.ni.dll.aux

Filesize
580B

MD5
15d9528aaa8f3ef914a4ae5662f138eb

SHA1
944e083df6082e372e81a5dfa7979f4d5e519ed3

SHA256
5bcc2ba91c42bb47333af2d30a23d9009475e8710e06f82492e377aa6fe29d4e

SHA512
fc22d60f9dc0feadae1a6ee296129abab2d6dd963df35416d6b9d36d00d22f4b2e7dfc2f111cec5d28c8625fec75b68f68ed4ab3fffb86a1c94b8f322a65049c

Download Submit
C:\Windows\assembly\temp\YNWDTHW2DH\System.Deployment.ni.dll.aux

Filesize
1KB

MD5
b019b58a1fc23042c21fa5518b2c18d5

SHA1
a594de6ae6ef0a22c44a5cfacb8e35891f5e557b

SHA256
2014e4b8b8183db7940c5dbb1e27fbe3a3993d13b90c04f6286dbe17174e1a1e

SHA512
26f9e8ace5821ae91f8a72ad0df19b9dc45f2b6028421f0fbaa7e8de8c65651792bc75d475d8098dde8150440ce14201aa418c91b1c4ad172286f93716d23837

Download Submit
memory/1368-205-0x00000217AAA10000-0x00000217AAAC2000-memory.dmp

Filesize
712KB

Download
memory/1368-201-0x0000021790430000-0x000002179043C000-memory.dmp

Filesize
48KB

Download
memory/1368-226-0x00000217AAD30000-0x00000217AAD6C000-memory.dmp

Filesize
240KB

Download
memory/1368-229-0x0000021791AD0000-0x0000021791AE0000-memory.dmp

Filesize
64KB

Download
memory/1368-225-0x00000217AA5B0000-0x00000217AA5D0000-memory.dmp

Filesize
128KB

Download
memory/1368-224-0x00000217AAAD0000-0x00000217AAB4E000-memory.dmp

Filesize
504KB

Download
memory/1368-102-0x00000217AA680000-0x00000217AAA04000-memory.dmp

Filesize
3.5MB

Download
memory/1368-215-0x00000217AA600000-0x00000217AA644000-memory.dmp

Filesize
272KB

Download
memory/1368-218-0x00000217AB470000-0x00000217AB592000-memory.dmp

Filesize
1.1MB

Download
memory/1368-105-0x00000217AA2F0000-0x00000217AA3AA000-memory.dmp

Filesize
744KB

Download
memory/1368-216-0x00000217AA530000-0x00000217AA54E000-memory.dmp

Filesize
120KB

Download
memory/1368-197-0x00000217920A0000-0x00000217920EA000-memory.dmp

Filesize
296KB

Download
memory/1368-217-0x00000217AA550000-0x00000217AA56A000-memory.dmp

Filesize
104KB

Download
memory/1368-211-0x00000217AB940000-0x00000217ABE0C000-memory.dmp

Filesize
4.8MB

Download
memory/1368-214-0x00000217AA570000-0x00000217AA5A2000-memory.dmp

Filesize
200KB

Download
memory/1368-196-0x0000021790420000-0x000002179042C000-memory.dmp

Filesize
48KB

Download
memory/1368-212-0x0000021792070000-0x0000021792082000-memory.dmp

Filesize
72KB

Download
memory/1368-194-0x0000021792210000-0x000002179228A000-memory.dmp

Filesize
488KB

Download
memory/1368-213-0x00000217AA450000-0x00000217AA470000-memory.dmp

Filesize
128KB

Download
memory/1368-188-0x00000217AAF40000-0x00000217AB468000-memory.dmp

Filesize
5.2MB

Download
memory/1368-209-0x0000021792050000-0x000002179206C000-memory.dmp

Filesize
112KB

Download
memory/1368-208-0x00000217AA410000-0x00000217AA44A000-memory.dmp

Filesize
232KB

Download
memory/1368-204-0x00000217AA3B0000-0x00000217AA3D2000-memory.dmp

Filesize
136KB

Download
memory/1368-206-0x00000217AA3E0000-0x00000217AA402000-memory.dmp

Filesize
136KB

Download
memory/1368-203-0x00000217AABA0000-0x00000217AAD26000-memory.dmp

Filesize
1.5MB

Download
memory/1368-199-0x00000217AA470000-0x00000217AA522000-memory.dmp

Filesize
712KB

Download
memory/1368-227-0x00000217AA5D0000-0x00000217AA5E2000-memory.dmp

Filesize
72KB

Download
memory/1368-202-0x0000021792290000-0x00000217922E0000-memory.dmp

Filesize
320KB

Download
memory/1808-317-0x0000064443EC0000-0x0000064443F11000-memory.dmp

Filesize
324KB

Download
memory/2260-101-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/3900-299-0x0000064449A20000-0x0000064449B18000-memory.dmp

Filesize
992KB

Download
memory/4684-250-0x00000644451A0000-0x00000644454A4000-memory.dmp

Filesize
3.0MB

Download
memory/5036-369-0x0000064445320000-0x000006444561E000-memory.dmp

Filesize
3.0MB

Download
memory/5180-386-0x0000064449980000-0x00000644499D8000-memory.dmp

Filesize
352KB

Download
memory/5376-405-0x000006443CC40000-0x000006443CEF8000-memory.dmp

Filesize
2.7MB

Download
memory/5508-457-0x00000644C00C0000-0x00000644C10E9000-memory.dmp

Filesize
16.2MB

Download
memory/5508-456-0x000002B3F90C0000-0x000002B3F90E6000-memory.dmp

Filesize
152KB

Download
memory/5684-486-0x000002592A410000-0x000002592A428000-memory.dmp

Filesize
96KB

Download
memory/5712-487-0x0000064488000000-0x000006448802B000-memory.dmp

Filesize
172KB

Download