Analysis
-
max time kernel
87s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18-04-2023 07:33
General
-
Target
WinSCP-5.21.7-Setup.exe
-
Size
10.9MB
-
MD5
4b6dcc18e7ea50caab02f11d9abb3dee
-
SHA1
fd36c8ff64d2cabb7c35bb2e9100f5245544ecf2
-
SHA256
6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b
-
SHA512
ef9c0dbfb52919c3d420320406e3487892a5be30aa275d32981e799cb4711abe54e11085c3c9131073a0e012763db994acd0039c36475b0c35ebe54fe84a8a63
-
SSDEEP
196608:wCIA4//b/VVVLXx1is5RFZ06uhRrvh311cJGB/NP9AhXxtJUyT5:rO/r5fltZBQN5l1lB18X/JUy
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Registers COM server for autorun 1 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 61 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-61JFH.tmp\WinSCP-5.21.7-Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-61JFH.tmp\WinSCP-5.21.7-Setup.tmp" /SL5="$501CA,10341314,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files (x86)\WinSCP\DragExt64.dll"4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files (x86)\WinSCP\WinSCP.exe"C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\WinSCP\WinSCP.exe"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\WinSCP\WinSCP.exe"C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,InstallationsGettingStarted+,InstallationsLaunch+,3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://winscp.net/eng/installed.php?ver=5.21.7&lang=en&utm_source=winscp&utm_medium=setup&utm_campaign=5.21.7&prevver=&automatic=03⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd9fbc46f8,0x7ffd9fbc4708,0x7ffd9fbc47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10870263280102868610,7579400890674442125,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:14⤵
-
C:\Program Files (x86)\WinSCP\WinSCP.exe"C:\Program Files (x86)\WinSCP\WinSCP.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WinSCP\DragExt64.dllFilesize
479KB
MD55aa9eb658328c2a51dade7dae59aecf7
SHA1f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0
SHA25686361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5
SHA51278f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd
-
C:\Program Files (x86)\WinSCP\DragExt64.dllFilesize
479KB
MD55aa9eb658328c2a51dade7dae59aecf7
SHA1f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0
SHA25686361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5
SHA51278f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd
-
C:\Program Files (x86)\WinSCP\DragExt64.dllFilesize
479KB
MD55aa9eb658328c2a51dade7dae59aecf7
SHA1f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0
SHA25686361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5
SHA51278f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd
-
C:\Program Files (x86)\WinSCP\Extensions\ArchiveDownload.WinSCPextension.ps1Filesize
6KB
MD5b16082ceeb34da39af1d52adc88be7db
SHA1b7719fec4c89fe09904ae5fecf96aa364914e57e
SHA256beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356
SHA512bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5
-
C:\Program Files (x86)\WinSCP\Extensions\BatchRename.WinSCPextension.ps1Filesize
4KB
MD52ed11efbb12a1e8de4197b5432321958
SHA1ed6add9f956866895ed2d55115f74061d8dd9b39
SHA2567e605503bc77f9fec8f5b10ee6fd1e5da273ca8b8c213985e75069a66deee649
SHA512acfbcad5dfa662f336f57db7d6975df53194faf985d1c8e874936885926fe846665c1e654026a91e6a6bec2f0ace2efc1680a17212f4278136009c5a721230c0
-
C:\Program Files (x86)\WinSCP\Extensions\CompareFiles.WinSCPextension.ps1Filesize
2KB
MD55658e87d86c7e1f4a375e65075c73f27
SHA11928b74fa34e139051bf8a8414a45ca84e6dc070
SHA25671e5fb801d2132f44cda67c65fba980347b891b138a43d2e8ded6a1825a9a510
SHA512b564a2588727762a34cedb5d0b39df6477da95784bfa1dd4b97f3603c3bff0261e10409c7caad10ca364dfe76e3236c839e61213c230d4e8b4864fdcb1f0a061
-
C:\Program Files (x86)\WinSCP\Extensions\GenerateHttpUrl.WinSCPextension.ps1Filesize
3KB
MD57b02c62423d08d7c340a530f85261534
SHA1f57fc70cac8655e1ac75abfcd83d623f83778b89
SHA256737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf
SHA5121cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663
-
C:\Program Files (x86)\WinSCP\Extensions\KeepLocalUpToDate.WinSCPextension.ps1Filesize
5KB
MD56f10dd9ca31373018e319ba80abb5532
SHA11325eab389ec9961120e0cd569b37f566a764fe7
SHA25679c87ff4a8cd2a2613a22f1e0dd4c3708b652e42fc92200b50e6d4adf91e561d
SHA5128f272cf4de55bd6e3d563ae5c87df035b3684c008bf64152bca1480f411413ff0999dd14dc802fcc72372313d19aff8159ccd4be48528c54963c59deba49c726
-
C:\Program Files (x86)\WinSCP\Extensions\SearchText.WinSCPextension.ps1Filesize
3KB
MD5d26c1a56f63d3682da6e676b606894af
SHA1e18ed1d358dc0026ecf64f49cc5f7b4c687523c3
SHA2566b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c
SHA512dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07
-
C:\Program Files (x86)\WinSCP\Extensions\SynchronizeAnotherServer.WinSCPextension.ps1Filesize
10KB
MD5680bbba778a319ba57ccc5c5c9f50c03
SHA112705a80f1be125f12a5c6e8511deccdba8bbec6
SHA256e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019
SHA51294983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b
-
C:\Program Files (x86)\WinSCP\Extensions\VerifyFileChecksum.WinSCPextension.ps1Filesize
2KB
MD5e4eb33335b663fc23aa03ab6ef80cb8d
SHA10db1095d82e27ef352d96a8f36ac022f035ce90d
SHA256dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534
SHA5124f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b
-
C:\Program Files (x86)\WinSCP\Extensions\ZipUpload.WinSCPextension.ps1Filesize
5KB
MD53963399fcb03e28453f38d93755795a0
SHA1384abd9957a9ac16805c36a44bc49de9bf757644
SHA256a62d0af7080942304a27883fb986d3a3f2fa9fcefc73108a1142f968649cc872
SHA5125944a51ac0bc1e6cb8e041853b2720e2790f6b0f3a69ede16eba499645b62f703fd4145ef7107ef4b64b818bc44349e3af71c0e9d8586693dacde2042c527051
-
C:\Program Files (x86)\WinSCP\WinSCP.exeFilesize
25.9MB
MD5f787cf4c084f5143c7de0dec3505af58
SHA172a19bea7ac2937497738cdf46b76827a1ec11c8
SHA256366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c
SHA51216111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e
-
C:\Program Files (x86)\WinSCP\WinSCP.exeFilesize
25.9MB
MD5f787cf4c084f5143c7de0dec3505af58
SHA172a19bea7ac2937497738cdf46b76827a1ec11c8
SHA256366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c
SHA51216111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e
-
C:\Program Files (x86)\WinSCP\WinSCP.exeFilesize
25.9MB
MD5f787cf4c084f5143c7de0dec3505af58
SHA172a19bea7ac2937497738cdf46b76827a1ec11c8
SHA256366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c
SHA51216111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e
-
C:\Program Files (x86)\WinSCP\WinSCP.exeFilesize
25.9MB
MD5f787cf4c084f5143c7de0dec3505af58
SHA172a19bea7ac2937497738cdf46b76827a1ec11c8
SHA256366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c
SHA51216111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e
-
C:\Program Files (x86)\WinSCP\WinSCP.exeFilesize
25.9MB
MD5f787cf4c084f5143c7de0dec3505af58
SHA172a19bea7ac2937497738cdf46b76827a1ec11c8
SHA256366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c
SHA51216111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD578c7656527762ed2977adf983a6f4766
SHA121a66d2eefcb059371f4972694057e4b1f827ce6
SHA256e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA5120a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5099b4ba2787e99b696fc61528100f83f
SHA106e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA5124309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\64e36dcb-4fb9-40fa-9867-787c94bda45b.tmpFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
456B
MD5be98ab0dc9544a112b4b3b97a51a2afd
SHA110b054990903baeaba2920ced0a437b214ef2131
SHA256e6d9409aad436f0b4b3d098aab1e75048a6fd05badc61aa5c37da44721b0b835
SHA5125fdd519a7a566be94dacddc51125c5da10b148541446161f446d285af2aa0369efd95ee6b2a0c5d866e54c94c0a5fad6d2655c141178d7128b79e0b9cd30ef3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD59de805f3801e7042796c4a3dd98556d6
SHA15dd958fb9c30456315c1b81b16fb70915d8c3743
SHA256537b4bb9dd792f7601b044593d8bccea78a5d571e3f042267a52f0d1b7caa26c
SHA5121eb3385a0631c0b4b88456a13f7dea9d6c0d0fc8533a0a569eb703008aacb449e652036e6943f89701ed3a750fefe6bf1e71448bfbf110a5e96530ab59587883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD588c47e2c48fcc9fb516a0470b746147a
SHA167718fcb2e4fac09f702cd69ba7d6f7301f77dfb
SHA25622ba914e2b092e617b66795840d82b7244fbc69ba11ece37fcd2b34095aa3234
SHA512f33c46fa7496d71e0928e5c23d61e0b6f1bc382ad733dfdc172f03612c4485dcc3d890a98dac9035b7ec2eb000b0d9a183bd0453e7bdb799230630380be8a4e7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5f0935bdeb41a8bcaac81b3de6c00ec00
SHA1380062f742a2e640f39ee4169332993ad5b2b853
SHA25682503a86cfcde151c4e2beeaa5228846aad6776c033ded639fc121b949823b0a
SHA512fb556a9402094307eba46e0065a83c3e74bede0576591680168f2210fbe29582ce6f75c322b7d7853d919dd485dd02de28cc2cb8b37f98298b0433279a21cf38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5fe7f6c49fb60970afe45c79183080839
SHA15fd0442cf7dd83874ce95e186c27d3f4cfe2095b
SHA256fd2ab8efd735654f45c932e517292e752fac334ad6416f14a8517616c2532145
SHA51254814095024d3e6da9dbce1cca0b10548f9441f4c684493736fcac5e2cc28b8b13152f27fbe7304feaee9da66fba269a7c98a7fbef70b2e4eaadc4c53b145d83
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD54d16696627be936c4475cc4c5083cde1
SHA19ebc1acc10aaf16827032ae7fce79f0981005b00
SHA256f6063ee8b8eb0bb206a723f745c0f56943d369413ec95f6e4d9c5d09c8271c9e
SHA51281c2b63302c5d39ecde7b2d1d7899e5814d38cc79323919bae055d98e48ed858b8ca9396f20c2b75c40a4dfe948d661c90727f082d873af8625f793d8a1b50cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD502ee7addc9e8a2d07af55556ebf0ff5c
SHA1020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD58ca9c1d4158a1806e9a1ddedbd218822
SHA1db8e9527e082087b75032ec66db6c8498b6e5818
SHA256956ba084952de1029eb0794a47c302d27f94b59d294595e9bccf797b22c0f24e
SHA512bbadf21a79d1034d4469fd96c50593fb519591432d08c4a2128450e51221685b170342d86b8008eee0ec8bbff29cda4fa2b7bc90056798e8ce57de2968f088c1
-
C:\Users\Admin\AppData\Local\Temp\is-61JFH.tmp\WinSCP-5.21.7-Setup.tmpFilesize
3.1MB
MD5cbc9e059de252e52ad2f1d6c3b215e78
SHA14111f1543d22077afa12376e3b358c14b6a4ed36
SHA2565cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96
SHA512e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117
-
C:\Users\Admin\AppData\Local\Temp\is-61JFH.tmp\WinSCP-5.21.7-Setup.tmpFilesize
3.1MB
MD5cbc9e059de252e52ad2f1d6c3b215e78
SHA14111f1543d22077afa12376e3b358c14b6a4ed36
SHA2565cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96
SHA512e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-msFilesize
12B
MD5e4a1661c2c886ebb688dec494532431c
SHA1a2ae2a7db83b33dc95396607258f553114c9183c
SHA256b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5
SHA512efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-msFilesize
12B
MD5e4a1661c2c886ebb688dec494532431c
SHA1a2ae2a7db83b33dc95396607258f553114c9183c
SHA256b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5
SHA512efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-msFilesize
12B
MD5e4a1661c2c886ebb688dec494532431c
SHA1a2ae2a7db83b33dc95396607258f553114c9183c
SHA256b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5
SHA512efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QG6GUE67YTV818QQWO2E.tempFilesize
12B
MD5e4a1661c2c886ebb688dec494532431c
SHA1a2ae2a7db83b33dc95396607258f553114c9183c
SHA256b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5
SHA512efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c
-
\??\pipe\LOCAL\crashpad_1612_JCPMMMCQLCNXTDOVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/968-330-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/968-333-0x0000000000F70000-0x0000000000F71000-memory.dmpFilesize
4KB
-
memory/968-340-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/1144-140-0x0000000000400000-0x000000000071B000-memory.dmpFilesize
3.1MB
-
memory/1144-345-0x0000000000400000-0x000000000071B000-memory.dmpFilesize
3.1MB
-
memory/1144-138-0x0000000000EB0000-0x0000000000EB1000-memory.dmpFilesize
4KB
-
memory/1144-327-0x0000000000400000-0x000000000071B000-memory.dmpFilesize
3.1MB
-
memory/1144-161-0x0000000000400000-0x000000000071B000-memory.dmpFilesize
3.1MB
-
memory/1144-310-0x0000000000400000-0x000000000071B000-memory.dmpFilesize
3.1MB
-
memory/1820-325-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/1820-323-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/1820-315-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/3852-306-0x0000000000A00000-0x0000000000A01000-memory.dmpFilesize
4KB
-
memory/3852-312-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/3852-295-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/4128-349-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/4128-344-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/4128-528-0x0000000000F80000-0x0000000002A0C000-memory.dmpFilesize
26.5MB
-
memory/4128-626-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/4660-133-0x0000000000400000-0x00000000004E0000-memory.dmpFilesize
896KB
-
memory/4660-347-0x0000000000400000-0x00000000004E0000-memory.dmpFilesize
896KB
-
memory/4660-139-0x0000000000400000-0x00000000004E0000-memory.dmpFilesize
896KB