File name: FiddlerSetup.5.0.20245.10105-latest.exe

Full analysis: https://app.any.run/tasks/c09d01ee-28e4-4dcf-b3f3-fa8eb229f591
Verdict: Malicious activity
Analysis date: October 28, 2024, 06:54:48
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: C1980B018489DF28BE8809EB32519001
SHA1: E860439703D7B6665AF4507B20BBEF2BBB7B73F4
SHA256: 588024037B1E5929B1F2A741FFF52A207BCAB17F0650EC7CB0CD3CB78051998D
SSDEEP: 98304:XWH7Ul7d3LAXiwKUMflextp+k6+IA2oSfIVhlnjxRo0Qzp4f42W7/MjenFuihE55:tQO9ALRx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 6668)
      • FiddlerSetup.exe (PID: 3128)
      • mscorsvw.exe (PID: 6560)
      • mscorsvw.exe (PID: 6136)
      • mscorsvw.exe (PID: 3004)
      • mscorsvw.exe (PID: 6692)
      • mscorsvw.exe (PID: 3644)
      • mscorsvw.exe (PID: 6320)
      • mscorsvw.exe (PID: 7320)
      • mscorsvw.exe (PID: 7520)
      • mscorsvw.exe (PID: 7944)
      • mscorsvw.exe (PID: 7568)
      • mscorsvw.exe (PID: 7328)
      • mscorsvw.exe (PID: 7860)
      • mscorsvw.exe (PID: 7668)
      • mscorsvw.exe (PID: 7728)
      • mscorsvw.exe (PID: 7992)
      • mscorsvw.exe (PID: 8044)
      • mscorsvw.exe (PID: 8096)
      • mscorsvw.exe (PID: 6632)
      • mscorsvw.exe (PID: 7620)
      • mscorsvw.exe (PID: 8144)
      • mscorsvw.exe (PID: 4308)
      • mscorsvw.exe (PID: 2928)
      • mscorsvw.exe (PID: 7312)
      • mscorsvw.exe (PID: 7456)
      • mscorsvw.exe (PID: 7544)
      • mscorsvw.exe (PID: 4868)
      • mscorsvw.exe (PID: 7676)
      • mscorsvw.exe (PID: 7612)
      • mscorsvw.exe (PID: 7504)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • FiddlerSetup.exe (PID: 3128)
    • Process drops legitimate windows executable

      • FiddlerSetup.exe (PID: 3128)
      • mscorsvw.exe (PID: 6560)
      • mscorsvw.exe (PID: 6136)
      • mscorsvw.exe (PID: 6692)
      • mscorsvw.exe (PID: 3644)
      • mscorsvw.exe (PID: 6320)
      • mscorsvw.exe (PID: 7328)
      • mscorsvw.exe (PID: 7520)
      • mscorsvw.exe (PID: 7568)
      • mscorsvw.exe (PID: 7668)
      • mscorsvw.exe (PID: 7728)
      • mscorsvw.exe (PID: 7860)
      • mscorsvw.exe (PID: 7992)
      • mscorsvw.exe (PID: 7320)
      • mscorsvw.exe (PID: 8044)
      • mscorsvw.exe (PID: 8096)
      • mscorsvw.exe (PID: 7620)
      • mscorsvw.exe (PID: 8144)
      • mscorsvw.exe (PID: 6632)
      • mscorsvw.exe (PID: 2928)
      • mscorsvw.exe (PID: 7544)
      • mscorsvw.exe (PID: 7312)
      • mscorsvw.exe (PID: 4868)
      • mscorsvw.exe (PID: 7944)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • FiddlerSetup.exe (PID: 3128)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • FiddlerSetup.exe (PID: 3128)
    • Starts application with an unusual extension

      • FiddlerSetup.exe (PID: 3128)
  • INFO

    • Application launched itself

      • msedge.exe (PID: 3648)
      • msedge.exe (PID: 1156)
    • Manual execution by a user

      • msedge.exe (PID: 1156)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:15+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x351c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.20245.10105
ProductVersionNumber: 5.0.20245.10105
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: http://www.telerik.com/fiddler
CompanyName: Progress Software Corporation
FileDescription: Installer for Progress Telerik Fiddler Classic
FileVersion: 5.0.20245.10105
LegalCopyright: Copyright ©2003 - 2024 Progress Software Corporation. All rights reserved.
ProductName: Progress Telerik Fiddler Classic Setup
ProductVersion: 5.0.20245.10105
No data.
All screenshots are available in the full report
Total processes: 245
Monitored processes: 118
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start fiddlersetup.5.0.20245.10105-latest.exe fiddlersetup.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs ngen.exe no specs conhost.exe no specs ngen.exe no specs setuphelper no specs conhost.exe no specs conhost.exe no specs mscorsvw.exe no specs mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mscorsvw.exe no specs msedge.exe no specs msedge.exe no specs mscorsvw.exe no specs mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe msedge.exe no specs msedge.exe no specs mscorsvw.exe msedge.exe no specs mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe mscorsvw.exe msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs mscorsvw.exe no specs msedge.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs mscorsvw.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe 
no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs fiddlersetup.5.0.20245.10105-latest.exe no specs

Process information

PID: 884
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2352 --field-trial-handle=2356,i,1612474581785214139,3816620185463148059,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1156
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument http://fiddler2.com/r/?Fiddler2FirstRun
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 1204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1572
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 0 -NGENProcess 378 -Pipe 32c -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Runtime Optimization Service
Exit code: 0
Version: 4.8.9093.0 built by: NET481REL1LAST_C

PID: 1792
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 0 -NGENProcess 1f4 -Pipe 208 -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Runtime Optimization Service
Exit code: 0
Version: 4.8.9093.0 built by: NET481REL1LAST_C

PID: 1804
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 1884
CMD: "C:\Users\admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\admin\AppData\Local\Programs\Fiddler"
Path: C:\Users\admin\AppData\Local\Programs\Fiddler\SetupHelper
Parent process: FiddlerSetup.exe
User: admin
Company: Progress Software Corporation
Integrity Level: HIGH
Description: Fiddler.SetupHelper
Exit code: 0
Version: 1.0.0.0

PID: 2132
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6152 --field-trial-handle=2356,i,1612474581785214139,3816620185463148059,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59

PID: 2692
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 0 -NGENProcess 214 -Pipe 358 -Comment "NGen Worker Process"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Parent process: ngen.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: .NET Runtime Optimization Service
Exit code: 0
Version: 4.8.9093.0 built by: NET481REL1LAST_C

PID: 2796
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7060 --field-trial-handle=2356,i,1612474581785214139,3816620185463148059,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 228
Read events: 228
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 109
Suspicious files: 290
Text files: 63
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\Fiddler.exe | executable | 87BC17F56E744E74408E6AE8BB28B724 | FFB24FC36ADE87988F9908E848D0333CE7FFB2B4E4D0FFB43F6556246069D057
6668 | FiddlerSetup.5.0.20245.10105-latest.exe | C:\Users\admin\AppData\Local\Temp\nssCDD9.tmp\FiddlerSetup.exe | executable | C2A0EB6F104EACEC3F39581451EE208F | 1F926CC353301E547E76C6D2EFF23FCBE85495BA0292174CC6344FAC26457AF8
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\Fiddler.pdb | binary | 5C43B7F1CFF2F8F74D0C75721DD34797 | 9C50823F84CE09AF60ED760C95CE73DA559505DBF411EF7797F4CE65FC0BF1BB
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\TrustCert.exe | executable | AEAAFB82C9DA482EBD353FEDE1DA1C59 | 0AAD2EF66EAF23C20B46E129E8E6B84B4920C910BB3070242BC2031A71A0BBC4
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\TrustCert.pdb | binary | 546D55D915E55FF503C3FE6082C7EF98 | 64C9312EED203CDCBC621BF97A8D2406152010ECAF53296740B455210BB09B6C
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\Analytics.dll | executable | 1C2BD080B0E972A3EE1579895EA17B42 | 166E1A6CF86B254525A03D1510FE76DA574F977C012064DF39DD6F4AF72A4B29
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\GA.Analytics.Monitor.pdb | binary | DF9591879A5AF2A8458FB9148E197313 | 6C19EC08FFB13998ACE51E1B531128AF12CD47CCADFF5E346176C6992C00A843
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\SetupHelper | executable | B1827FCA38A5D49FB706A4A7EEE4A778 | 77523D1504AB2C0A4CDE6FCC2C8223CA1172841E2FD9D59D18E5FC132E808AE2
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\Be.Windows.Forms.HexBox.dll | executable | E6F7B8C5EC4D1543EAA7F5D148C6327C | BBFD21490A4BE96E1A44A92E39406E87978AEA1FC58B603702E4E21A143DD89E
3128 | FiddlerSetup.exe | C:\Users\admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe | executable | 81564947D42846910EEC2D08310E0D25 | 543F16B73F7D40177585332F433CE76DDDC1526E12BCD62CB73EDD11EB002341
HTTP(S) requests: 249
TCP/UDP connections: 215
DNS requests: 232
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation ("-" = not recorded)
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | -
- | - | GET | - | 50.56.19.112:443 | https://fiddler2.com/r/?Fiddler2FirstRun | unknown | -
- | - | GET | 301 | 50.56.19.116:80 | http://fiddler2.com/r/?Fiddler2FirstRun | unknown | whitelisted
- | - | OPTIONS | 503 | 23.50.131.78:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | -
- | - | GET | - | 50.56.19.112:443 | https://www.telerik.com/download/fiddler/first-run | unknown | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" = not recorded)
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.23
  • 23.216.77.36
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
www.bing.com
  • 2.23.209.180
  • 2.23.209.176
  • 2.23.209.173
  • 2.23.209.177
  • 2.23.209.169
  • 2.23.209.182
  • 2.23.209.166
  • 2.23.209.167
  • 2.23.209.181
  • 2.23.209.141
  • 2.23.209.135
  • 2.23.209.183
  • 2.23.209.185
  • 2.23.209.193
  • 2.23.209.192
  • 2.23.209.191
  • 2.23.209.140
  • 2.23.209.143
  • 2.23.209.144
  • 2.23.209.133
  • 2.23.209.148
  • 2.23.209.131
  • 2.23.209.189
  • 2.23.209.179
  • 2.23.209.171
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
fiddler2.com
  • 50.56.19.116
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID | Process | Class | Message ("-" = not recorded)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
- | - | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
3 ETPRO signatures available at the full report
No debug info