Malware analysis FiddlerSetup.5.0.20253.3311-latest.exe Malicious activity

Add for printing

File name:	FiddlerSetup.5.0.20253.3311-latest.exe
Full analysis:	https://app.any.run/tasks/e6a654e4-f861-43fd-807e-7333422e3e36
Verdict:	Malicious activity
Analysis date:	May 29, 2025, 04:18:10
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	5E326A700AE3CD9EE6FD7312B40302E1
SHA1:	2894AAB4A47353B531F031B87048BD3CA0495F65
SHA256:	D43CEBEE2F9783E16267D2DB2362A56714CB19943AE192C498C3F48924DF6265
SSDEEP:	98304:wc42QCb8Q/VNkrjf1EY67WrZtsUHimy//9QoONP+gtBQCJX+yKW2LVJ+9Gpw7DAd:xmwWfDIJJjhcsp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - FiddlerSetup.exe (PID: 7732)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 7916)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 6656)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 5592)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 1680)
  - mscorsvw.exe (PID: 8144)
  - mscorsvw.exe (PID: 8152)
  - mscorsvw.exe (PID: 8116)
  - mscorsvw.exe (PID: 7284)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 7592)
  - mscorsvw.exe (PID: 1760)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 8664)
  - mscorsvw.exe (PID: 8260)
  - mscorsvw.exe (PID: 8444)
- Executable content was dropped or overwritten
  - FiddlerSetup.exe (PID: 7732)
  - FiddlerSetup.5.0.20253.3311-latest.exe (PID: 7696)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 7916)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 6656)
  - mscorsvw.exe (PID: 8144)
  - mscorsvw.exe (PID: 8100)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 5592)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 8152)
  - mscorsvw.exe (PID: 1680)
  - mscorsvw.exe (PID: 7284)
  - mscorsvw.exe (PID: 8116)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 1760)
  - mscorsvw.exe (PID: 8416)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 7592)
  - mscorsvw.exe (PID: 8664)
  - mscorsvw.exe (PID: 8260)
  - mscorsvw.exe (PID: 8444)
- Malware-specific behavior (creating "System.dll" in Temp)
  - FiddlerSetup.exe (PID: 7732)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - FiddlerSetup.exe (PID: 7732)
- Reads security settings of Internet Explorer
  - FiddlerSetup.exe (PID: 7732)
- The process creates files with name similar to system file names
  - FiddlerSetup.exe (PID: 7732)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 1680)
- Starts application with an unusual extension
  - FiddlerSetup.exe (PID: 7732)
- Creates a software uninstall entry
  - FiddlerSetup.exe (PID: 7732)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - FiddlerSetup.exe (PID: 7732)
INFO
- The sample compiled with english language support
  - FiddlerSetup.5.0.20253.3311-latest.exe (PID: 7696)
  - FiddlerSetup.exe (PID: 7732)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 7916)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 5592)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 7284)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 1760)
  - mscorsvw.exe (PID: 8152)
  - mscorsvw.exe (PID: 6656)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 8664)
  - mscorsvw.exe (PID: 8260)
  - mscorsvw.exe (PID: 8444)
- Checks supported languages
  - FiddlerSetup.exe (PID: 7732)
  - FiddlerSetup.5.0.20253.3311-latest.exe (PID: 7696)
  - ngen.exe (PID: 7216)
  - mscorsvw.exe (PID: 5568)
  - SetupHelper (PID: 6392)
  - ngen.exe (PID: 8180)
  - mscorsvw.exe (PID: 5960)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 7916)
  - mscorsvw.exe (PID: 6656)
  - mscorsvw.exe (PID: 5592)
  - mscorsvw.exe (PID: 8100)
  - mscorsvw.exe (PID: 8144)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 8152)
  - mscorsvw.exe (PID: 1680)
  - mscorsvw.exe (PID: 8116)
  - mscorsvw.exe (PID: 7964)
  - mscorsvw.exe (PID: 7284)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 7592)
  - mscorsvw.exe (PID: 1760)
  - mscorsvw.exe (PID: 4428)
  - mscorsvw.exe (PID: 8412)
  - mscorsvw.exe (PID: 8272)
  - mscorsvw.exe (PID: 8648)
  - mscorsvw.exe (PID: 8816)
  - mscorsvw.exe (PID: 8728)
  - mscorsvw.exe (PID: 8768)
  - mscorsvw.exe (PID: 8484)
  - mscorsvw.exe (PID: 8576)
  - mscorsvw.exe (PID: 9120)
  - mscorsvw.exe (PID: 9036)
  - mscorsvw.exe (PID: 7860)
  - mscorsvw.exe (PID: 9168)
  - mscorsvw.exe (PID: 7400)
  - mscorsvw.exe (PID: 8876)
  - mscorsvw.exe (PID: 8920)
  - mscorsvw.exe (PID: 684)
  - mscorsvw.exe (PID: 8244)
  - mscorsvw.exe (PID: 4428)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 7344)
  - mscorsvw.exe (PID: 8404)
  - mscorsvw.exe (PID: 8416)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 8444)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8664)
  - mscorsvw.exe (PID: 8260)
  - identity_helper.exe (PID: 8884)
- Creates files or folders in the user directory
  - FiddlerSetup.exe (PID: 7732)
- Create files in a temporary directory
  - FiddlerSetup.5.0.20253.3311-latest.exe (PID: 7696)
  - FiddlerSetup.exe (PID: 7732)
- NGen native .NET image generation
  - ngen.exe (PID: 8180)
  - ngen.exe (PID: 7216)
- Reads the computer name
  - FiddlerSetup.exe (PID: 7732)
  - ngen.exe (PID: 8180)
  - ngen.exe (PID: 7216)
  - SetupHelper (PID: 6392)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 5960)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 6656)
  - mscorsvw.exe (PID: 7916)
  - mscorsvw.exe (PID: 5592)
  - mscorsvw.exe (PID: 8100)
  - mscorsvw.exe (PID: 8144)
  - mscorsvw.exe (PID: 5568)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 8152)
  - mscorsvw.exe (PID: 1680)
  - mscorsvw.exe (PID: 7964)
  - mscorsvw.exe (PID: 7284)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 1760)
  - mscorsvw.exe (PID: 4428)
  - mscorsvw.exe (PID: 8272)
  - mscorsvw.exe (PID: 8412)
  - mscorsvw.exe (PID: 8484)
  - mscorsvw.exe (PID: 8876)
  - mscorsvw.exe (PID: 8728)
  - mscorsvw.exe (PID: 8768)
  - mscorsvw.exe (PID: 8816)
  - mscorsvw.exe (PID: 8576)
  - mscorsvw.exe (PID: 8648)
  - mscorsvw.exe (PID: 8920)
  - mscorsvw.exe (PID: 9120)
  - mscorsvw.exe (PID: 9168)
  - mscorsvw.exe (PID: 7860)
  - mscorsvw.exe (PID: 684)
  - mscorsvw.exe (PID: 9036)
  - mscorsvw.exe (PID: 4428)
  - mscorsvw.exe (PID: 8244)
  - mscorsvw.exe (PID: 7864)
  - mscorsvw.exe (PID: 7400)
  - mscorsvw.exe (PID: 7344)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 8416)
  - mscorsvw.exe (PID: 8116)
  - mscorsvw.exe (PID: 8404)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8444)
  - mscorsvw.exe (PID: 8260)
  - mscorsvw.exe (PID: 8664)
  - identity_helper.exe (PID: 8884)
  - mscorsvw.exe (PID: 7592)
- Process checks computer location settings
  - FiddlerSetup.exe (PID: 7732)
- Reads the machine GUID from the registry
  - mscorsvw.exe (PID: 5568)
  - mscorsvw.exe (PID: 5960)
  - mscorsvw.exe (PID: 3884)
  - mscorsvw.exe (PID: 3308)
  - mscorsvw.exe (PID: 8100)
  - mscorsvw.exe (PID: 8144)
  - mscorsvw.exe (PID: 7328)
  - mscorsvw.exe (PID: 7252)
  - mscorsvw.exe (PID: 6768)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 1272)
  - mscorsvw.exe (PID: 4112)
  - mscorsvw.exe (PID: 8116)
  - mscorsvw.exe (PID: 7964)
  - mscorsvw.exe (PID: 4244)
  - mscorsvw.exe (PID: 3096)
  - mscorsvw.exe (PID: 1680)
  - mscorsvw.exe (PID: 8504)
  - mscorsvw.exe (PID: 8448)
  - mscorsvw.exe (PID: 8444)
- Creates files in the program directory
  - mscorsvw.exe (PID: 5568)
- Application launched itself
  - msedge.exe (PID: 7152)
  - msedge.exe (PID: 8148)
- Manual execution by a user
  - msedge.exe (PID: 8148)
  - Fiddler.exe (PID: 7384)
- Reads Environment values
  - identity_helper.exe (PID: 8884)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:03:30 16:55:15+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	26112
InitializedDataSize:	139776
UninitializedDataSize:	2048
EntryPoint:	0x351c
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	5.0.20253.3311
ProductVersionNumber:	5.0.20253.3311
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	http://www.telerik.com/fiddler
CompanyName:	Progress Software Corporation
FileDescription:	Installer for Progress Telerik Fiddler Classic
FileVersion:	5.0.20253.3311
LegalCopyright:	Copyright ©2003 - 2025 Progress Software Corporation. All rights reserved.
ProductName:	Progress Telerik Fiddler Classic Setup
ProductVersion:	5.0.20253.3311

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

240

Monitored processes

105

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 0 -NGENProcess 3e0 -Pipe 38c -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

—

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1052

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5756 --field-trial-handle=2508,i,12792230284618784063,10706932272975871293,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1272

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 370 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll

1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 0 -NGENProcess 37c -Pipe 350 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll

1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 0 -NGENProcess 3c4 -Pipe 394 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll

2660

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5616 --field-trial-handle=2508,i,12792230284618784063,10706932272975871293,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ac -InterruptEvent 0 -NGENProcess 3c4 -Pipe 3bc -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll

3308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2b4 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\oleaut32.dll

3884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2d0 -Comment "NGen Worker Process"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

ngen.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

.NET Runtime Optimization Service

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll

4020

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3520 --field-trial-handle=2508,i,12792230284618784063,10706932272975871293,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

24 881

Read events

24 764

Write events

114

Delete events

Modification events


(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\InstallerSettings
Operation:	write	Name:	InstallPath
Value: C:\Users\admin\AppData\Local\Programs\Fiddler\
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\InstallerSettings
Operation:	write	Name:	PluginPath
Value: "C:\Users\admin\AppData\Local\Programs\Fiddler\Inspectors\"
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\InstallerSettings
Operation:	write	Name:	ScriptPath
Value: "C:\Users\admin\AppData\Local\Programs\Fiddler\Scripts\"
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\InstallerSettings
Operation:	write	Name:	InstalledVersion
Value: 5.0.20253.3311
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CLASSES_ROOT\Fiddler.ArchiveZip
Operation:	write	Name:	PerceivedType
Value: compressed
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CLASSES_ROOT\Fiddler.ArchiveZip
Operation:	write	Name:	Content Type
Value: application/vnd.telerik-fiddler.SessionArchive
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2
Operation:	write	Name:	UpdatePending
Value: False
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\UI
Operation:	write	Name:	frmViewer_WState
Value: 2
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2
Operation:	write	Name:	JSEditor
Value: C:\Users\admin\AppData\Local\Programs\Fiddler\ScriptEditor\FSE2.exe
(PID) Process:	(7732) FiddlerSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Fiddler2\MenuExt\&Sandbox
Operation:	write	Name:	Command
Value: iexplore.exe

Add for printing

Executable files

117

Suspicious files

175

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7696	FiddlerSetup.5.0.20253.3311-latest.exe	C:\Users\admin\AppData\Local\Temp\nsgAB95.tmp\FiddlerSetup.exe		executable
		MD5:78E0CB1B7F2D95BF3DFB02F6E1EE1610	SHA256:BBF1DAEA4B83086FD8163130E5907CBA3E4C659E78449F8796660D8D9FE61789
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\ICSharpCode.SharpZipLib.dll		executable
		MD5:9E9E0A210297968AAF2E00D13958C0B4	SHA256:CB9C05B5A1E1DB26FF43490EE26F2E02ABAE3F321D2DD5DDD43A68DA48EAB83D
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\System.Buffers.dll		executable
		MD5:ECDFE8EDE869D2CCC6BF99981EA96400	SHA256:ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\System.Threading.Tasks.Extensions.dll		executable
		MD5:0F384AFCF671483188B9019D3B7457A7	SHA256:2C9CAD6410E37E44FA73CCCB576F418184F1AE5A0A257E165A136BDAA941A0C6
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\System.Security.Cryptography.Primitives.dll		executable
		MD5:A60084F9988C7907F7092C143C8D3818	SHA256:B755D0B55A465D07C9DD3FC11822487D1E649B684AEF91A4CE9B935B416A01B9
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\SetupHelper		executable
		MD5:2BF2D9F137E964142370BA42CAB231E4	SHA256:C956F8D9C65E46576D6FC436A0D214E8C036CF2DCECAC5CDB0477922F3DBD365
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\Be.Windows.Forms.HexBox.dll		executable
		MD5:E6F7B8C5EC4D1543EAA7F5D148C6327C	SHA256:BBFD21490A4BE96E1A44A92E39406E87978AEA1FC58B603702E4E21A143DD89E
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe		executable
		MD5:D6D0EEB5A95606DDDE1AB29BFB66969E	SHA256:72E31071E949C602053A0830F664BFF660659986DB961D1D9B038065A9408371
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\System.Security.Cryptography.Algorithms.dll		executable
		MD5:E4A1681E09AEC6EFB00FB2A9355A1296	SHA256:967DDDBFE7F1CEB933B5875D65C59CDB835BB063F287A361E8B35DD814A9B14D
7732	FiddlerSetup.exe	C:\Users\admin\AppData\Local\Programs\Fiddler\App.ico		image
		MD5:2D49CDB07BAAD04A2BC9F50547783C6A	SHA256:FBE4D11CA28371BF36D48378A9E1DA29DCE0EFC373FF4E092E47B656505FC4C4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

108

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	QA	binary	868 b	whitelisted
9180	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	DE	binary	419 b	whitelisted
9180	SIHClient.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	DE	binary	407 b	whitelisted
7784	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	DE	binary	471 b	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	DE	binary	313 b	whitelisted
7384	Fiddler.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl	DE	binary	784 b	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	DE	binary	471 b	whitelisted
2924	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	DE	binary	471 b	whitelisted
7384	Fiddler.exe	GET	200	2.23.181.156:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl	DE	binary	913 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6792	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5496	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.132:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
5360	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.139	whitelisted
www.microsoft.com	2.23.246.101 2.23.181.156	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.132 20.190.160.3 40.126.32.74 20.190.160.130 20.190.160.128 20.190.160.17 40.126.32.138 40.126.32.140	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
api.getfiddler.com	108.138.7.27 108.138.7.101 108.138.7.87 108.138.7.118	unknown
edge.microsoft.com	150.171.28.11 150.171.27.11	whitelisted

Threats

PID	Process	Class	Message
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
5360	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)

Add for printing

No debug info

General Info

FiddlerSetup.5.0.20253.3311-latest.exe

5E326A700AE3CD9EE6FD7312B40302E1

2894AAB4A47353B531F031B87048BD3CA0495F65

D43CEBEE2F9783E16267D2DB2362A56714CB19943AE192C498C3F48924DF6265

98304:wc42QCb8Q/VNkrjf1EY67WrZtsUHimy//9QoONP+gtBQCJX+yKW2LVJ+9Gpw7DAd:xmwWfDIJJjhcsp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

Uses NETSH.EXE to add a firewall rule or allowed programs

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Starts application with an unusual extension

Creates a software uninstall entry

Uses NETSH.EXE to delete a firewall rule or allowed programs

INFO

The sample compiled with english language support

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

NGen native .NET image generation

Reads the computer name

Process checks computer location settings

Reads the machine GUID from the registry

Creates files in the program directory

Application launched itself

Manual execution by a user

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings