6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b

Analysis

max time kernel
77s
max time network
84s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-04-2023 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinSCP-5.21.7-Setup.exe
Size

10.9MB
MD5

4b6dcc18e7ea50caab02f11d9abb3dee
SHA1

fd36c8ff64d2cabb7c35bb2e9100f5245544ecf2
SHA256

6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b
SHA512

ef9c0dbfb52919c3d420320406e3487892a5be30aa275d32981e799cb4711abe54e11085c3c9131073a0e012763db994acd0039c36475b0c35ebe54fe84a8a63
SSDEEP

196608:wCIA4//b/VVVLXx1is5RFZ06uhRrvh311cJGB/NP9AhXxtJUyT5:rO/r5fltZBQN5l1lB18X/JUy

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

WinSCP-5.21.7-Setup.tmpWinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

2016 WinSCP-5.21.7-Setup.tmp
900 WinSCP.exe
656 WinSCP.exe
1992 WinSCP.exe
580 WinSCP.exe

pid	process
2016	WinSCP-5.21.7-Setup.tmp
900	WinSCP.exe
656	WinSCP.exe
1992	WinSCP.exe
580	WinSCP.exe

Loads dropped DLL 6 IoCs

Processes:

WinSCP-5.21.7-Setup.exeWinSCP-5.21.7-Setup.tmpregsvr32.exeregsvr32.exe

pid	process
1060	WinSCP-5.21.7-Setup.exe
2016	WinSCP-5.21.7-Setup.tmp
2016	WinSCP-5.21.7-Setup.tmp
2016	WinSCP-5.21.7-Setup.tmp
1288	regsvr32.exe
1800	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ = "C:\\Program Files (x86)\\WinSCP\\DragExt64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSCP.exe

description	ioc	process
File opened (read-only)	\??\I:	WinSCP.exe
File opened (read-only)	\??\O:	WinSCP.exe
File opened (read-only)	\??\P:	WinSCP.exe
File opened (read-only)	\??\U:	WinSCP.exe
File opened (read-only)	\??\V:	WinSCP.exe
File opened (read-only)	\??\Y:	WinSCP.exe
File opened (read-only)	\??\E:	WinSCP.exe
File opened (read-only)	\??\F:	WinSCP.exe
File opened (read-only)	\??\Z:	WinSCP.exe
File opened (read-only)	\??\R:	WinSCP.exe
File opened (read-only)	\??\G:	WinSCP.exe
File opened (read-only)	\??\J:	WinSCP.exe
File opened (read-only)	\??\Q:	WinSCP.exe
File opened (read-only)	\??\W:	WinSCP.exe
File opened (read-only)	\??\X:	WinSCP.exe
File opened (read-only)	\??\A:	WinSCP.exe
File opened (read-only)	\??\H:	WinSCP.exe
File opened (read-only)	\??\L:	WinSCP.exe
File opened (read-only)	\??\M:	WinSCP.exe
File opened (read-only)	\??\N:	WinSCP.exe
File opened (read-only)	\??\S:	WinSCP.exe
File opened (read-only)	\??\T:	WinSCP.exe
File opened (read-only)	\??\B:	WinSCP.exe
File opened (read-only)	\??\K:	WinSCP.exe

Drops file in Program Files directory 61 IoCs

Processes:

WinSCP-5.21.7-Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\WinSCP\Translations\is-9EQRA.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-SVU1S.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-O1FAP.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-ULBCH.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-B3CKP.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-H585D.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-LHFGN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-B3JSK.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-I0OUG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-EIMG7.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-VG7RI.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-EBHR8.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-O58NT.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-LDA14.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.msg	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-VBT9P.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8574S.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-UTA41.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BFPIG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-DTU51.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BN66G.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-5773D.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-DUJ3C.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-UM9NM.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-7021I.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-1AHEH.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-L31RO.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-J83BC.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-6FNF8.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-ESBDO.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-87LPJ.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-K4VIG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-P6DB8.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-GI8OP.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-6NMU7.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-J6JLA.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-QDHVD.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-2TO43.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-U1CM1.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-OSVE1.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-RNJA0.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-D2AMN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-M66BJ.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-SMT3V.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-NVRG8.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-QSLQ1.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1JCCR.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-FHD0O.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-5K3VE.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-J9OKO.tmp	WinSCP-5.21.7-Setup.tmp
File opened for modification	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-QTITM.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-UD7GS.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-SL13F.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-3VQUN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-AI1QS.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-PHDLN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-I3BQ4.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-AV1E9.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-Q0UFS.tmp	WinSCP-5.21.7-Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81E22611-DDBB-11ED-97FC-F221FC82CB7E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

WinSCP.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\BrowserFlags = "8"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ftps	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\ = "URL: winscp-HTTPS Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\URL Protocol	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\URL Protocol	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell\open	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\ = "URL: davs Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\URL Protocol	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell\open	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\DefaultIcon	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\shell\open	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\DefaultIcon	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\ = "WinSCP Shell Extension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\shell\open\command	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-HTTP	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\shell	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\shell\open\command	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\DefaultIcon	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\ = "URL: winscp-S3 Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-SCP	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\DefaultIcon	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\ = "URL: s3 Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\shell\open	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\URL Protocol	WinSCP.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

900 WinSCP.exe
656 WinSCP.exe
1992 WinSCP.exe
1992 WinSCP.exe
580 WinSCP.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WinSCP-5.21.7-Setup.tmpiexplore.exe

pid process

2016 WinSCP-5.21.7-Setup.tmp
1484 iexplore.exe

pid	process
2016	WinSCP-5.21.7-Setup.tmp
1484	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exeiexplore.exeIEXPLORE.EXE

pid	process
900	WinSCP.exe
656	WinSCP.exe
1992	WinSCP.exe
580	WinSCP.exe
580	WinSCP.exe
580	WinSCP.exe
580	WinSCP.exe
1484	iexplore.exe
1484	iexplore.exe
556	IEXPLORE.EXE
556	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

WinSCP-5.21.7-Setup.exeWinSCP-5.21.7-Setup.tmpregsvr32.exeiexplore.exe

description	pid	process	target process
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1060 wrote to memory of 2016	1060	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2016 wrote to memory of 1288	2016	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 1288 wrote to memory of 1800	1288	regsvr32.exe	regsvr32.exe
PID 2016 wrote to memory of 900	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 900	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 900	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 900	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 656	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 656	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 656	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 656	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 1992	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 1992	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 1992	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 1992	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 1484	2016	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2016 wrote to memory of 1484	2016	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2016 wrote to memory of 1484	2016	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2016 wrote to memory of 1484	2016	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2016 wrote to memory of 580	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 580	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 580	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2016 wrote to memory of 580	2016	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 1484 wrote to memory of 556	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 556	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 556	1484	iexplore.exe	IEXPLORE.EXE
PID 1484 wrote to memory of 556	1484	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\is-AHD18.tmp\WinSCP-5.21.7-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AHD18.tmp\WinSCP-5.21.7-Setup.tmp" /SL5="$80022,10341314,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1800

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:656

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,InstallationsGettingStarted+,InstallationsLaunch+,
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://winscp.net/eng/installed.php?ver=5.21.7&lang=en&utm_source=winscp&utm_medium=setup&utm_campaign=5.21.7&prevver=&automatic=0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:556

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ArchiveDownload.WinSCPextension.ps1
Filesize
6KB

MD5
b16082ceeb34da39af1d52adc88be7db

SHA1
b7719fec4c89fe09904ae5fecf96aa364914e57e

SHA256
beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356

SHA512
bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\BatchRename.WinSCPextension.ps1
Filesize
4KB

MD5
2ed11efbb12a1e8de4197b5432321958

SHA1
ed6add9f956866895ed2d55115f74061d8dd9b39

SHA256
7e605503bc77f9fec8f5b10ee6fd1e5da273ca8b8c213985e75069a66deee649

SHA512
acfbcad5dfa662f336f57db7d6975df53194faf985d1c8e874936885926fe846665c1e654026a91e6a6bec2f0ace2efc1680a17212f4278136009c5a721230c0

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\CompareFiles.WinSCPextension.ps1
Filesize
2KB

MD5
5658e87d86c7e1f4a375e65075c73f27

SHA1
1928b74fa34e139051bf8a8414a45ca84e6dc070

SHA256
71e5fb801d2132f44cda67c65fba980347b891b138a43d2e8ded6a1825a9a510

SHA512
b564a2588727762a34cedb5d0b39df6477da95784bfa1dd4b97f3603c3bff0261e10409c7caad10ca364dfe76e3236c839e61213c230d4e8b4864fdcb1f0a061

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\GenerateHttpUrl.WinSCPextension.ps1
Filesize
3KB

MD5
7b02c62423d08d7c340a530f85261534

SHA1
f57fc70cac8655e1ac75abfcd83d623f83778b89

SHA256
737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf

SHA512
1cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\KeepLocalUpToDate.WinSCPextension.ps1
Filesize
5KB

MD5
6f10dd9ca31373018e319ba80abb5532

SHA1
1325eab389ec9961120e0cd569b37f566a764fe7

SHA256
79c87ff4a8cd2a2613a22f1e0dd4c3708b652e42fc92200b50e6d4adf91e561d

SHA512
8f272cf4de55bd6e3d563ae5c87df035b3684c008bf64152bca1480f411413ff0999dd14dc802fcc72372313d19aff8159ccd4be48528c54963c59deba49c726

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SearchText.WinSCPextension.ps1
Filesize
3KB

MD5
d26c1a56f63d3682da6e676b606894af

SHA1
e18ed1d358dc0026ecf64f49cc5f7b4c687523c3

SHA256
6b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c

SHA512
dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SynchronizeAnotherServer.WinSCPextension.ps1
Filesize
10KB

MD5
680bbba778a319ba57ccc5c5c9f50c03

SHA1
12705a80f1be125f12a5c6e8511deccdba8bbec6

SHA256
e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019

SHA512
94983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\VerifyFileChecksum.WinSCPextension.ps1
Filesize
2KB

MD5
e4eb33335b663fc23aa03ab6ef80cb8d

SHA1
0db1095d82e27ef352d96a8f36ac022f035ce90d

SHA256
dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534

SHA512
4f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ZipUpload.WinSCPextension.ps1
Filesize
5KB

MD5
3963399fcb03e28453f38d93755795a0

SHA1
384abd9957a9ac16805c36a44bc49de9bf757644

SHA256
a62d0af7080942304a27883fb986d3a3f2fa9fcefc73108a1142f968649cc872

SHA512
5944a51ac0bc1e6cb8e041853b2720e2790f6b0f3a69ede16eba499645b62f703fd4145ef7107ef4b64b818bc44349e3af71c0e9d8586693dacde2042c527051

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\unins000.exe
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86600A91A52E273EBC895EFEEA20227C
Filesize
503B

MD5
61eb4a99d7eb84dac849b397dc695da7

SHA1
7055af380a3a30e4dca3fe792b34ae920935183d

SHA256
578ce10a74befff4f91f7559fd830f7c1577a8164a488ed2ed5de4e8356c95a2

SHA512
6a06b64ad333a7c4383c6a0c303460356652f0da87164d60c98176af076d6c282d0faee7d65a07372374d881e2692605ce28e068db456e7722d97ce2990e93ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
e90dfc96b853fa7cdfc2d35cf64d6e31

SHA1
c62218faaf1e8c8f20ba32ff588a7e3dca9bc703

SHA256
eeca516014c26195d8bd9eba69d918534ee7ee790f6feb0f896f50e1fe4cb9c8

SHA512
031dfd63defb7f97d7b5b787c014fa7489c04afe39d04a06515b54788735bfa8d1d5bd4588b1b4f2ecabd97f0f51f4933839ab5b2fe8a8904ddb52afc9305419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
0875e13c459cf0eb2acdb7247333b24c

SHA1
4bb80b276040ecaaed7c4e995b6f85f8a3f0e04e

SHA256
77a0586a3799d40a44589aee994bd4afc4a954dccabe295954debc484fce33cc

SHA512
ac69d6c0b1fba69a9333bec241207931fddb52c536f2806b42def30d36bc050b87ee8f336690bf0110543ef962b213b3605770579712d2f4046f273fafd8b667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\86600A91A52E273EBC895EFEEA20227C
Filesize
548B

MD5
85076824fa146cf88e894da7d400e905

SHA1
9be952a0971dd06aca0159bd7c7bec27e650c26a

SHA256
267b6dfcd59d5bf4eefcc484dd0fad2a8c26dd1c4c104cd7ec7852d48a83d5e5

SHA512
ddbf39a43794e00efe6566307d2dd140eaebdd80dd11ce0234c2b50a19969cb210dfe5acd09f1d04e7d2e6e98edbb791026d23eeddf4f75c6553e5bdcd552127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0ae7baad2dc99182eceda9ab770c0b83

SHA1
ff9a61420b559d28d2f08c977633c1c3da278f90

SHA256
8b3f78bf068db6f1fb3691a920990e4247eec95dc3ede4021228e8137bb0d92c

SHA512
48fab47002172889d2f619190f31164b67196f6b4cdba50e378c07a1a1579989fe857ed6dca2ded44dd97a539d66bce7044de6fdd6c8586315ff217667705498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
44847edb4032c373f7208b6e3bc543c6

SHA1
3c88a52dbe8295f9fe0896486021816f3024708a

SHA256
e541ffc3c9043c87b7d0346deafda9169ce149778e6f61b945c80713d680ea8f

SHA512
23c8590daf9bdf3211a209c0f00596e6ed13930e6ca4c74340711750810945c4859abd35171ffc4b81ce9d203695ade54f7059d731500ace71fd855781178096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
41c4de6c33c79caf027988dd0a6d5d36

SHA1
ab4e5eadca2d6440cef3f336814385f68f244aaf

SHA256
1c144c4bfd74fc55ad957fedc45152e4f1fb45c1a46519d21c0330fe41c238d8

SHA512
d3106f80a0994a8300ceb00aacc4a8fe26c6d13367fd80f129eacfefa71e34d564c80cd5c4905d4970b9804eb2647b118ec1bbad67878ffa75c29bb249da3c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dffb53cfe05cd2478b620c3d9c5f4635

SHA1
939d0cd0a0b9c633b7b30a584f0928ad7b6abec6

SHA256
ebff494a06db75e2a06e6a44326210fd247521d29edf0c7dda318886688cb66d

SHA512
e935008fda02f54d74263b9e0f4423f85f14925295e8a045e365536e9405220b87ef80d9d9006ea5c4c42f5d7ff08ce4ce0f722f3a12eb15626b8445b179efcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2a3f69b8f3bcf59363c0c7f06795f2a9

SHA1
c2a10815c5eeaca68711548df2b03407fc5d22a8

SHA256
b070acf0cccf4734202e9019e5eda3d930327635bfd8116681a47606b717cb49

SHA512
253fb4532c29ec98ae72a7f1116827d66d1a26fb32c25f3f7f42670a6f6034727d8e94c3bafe92449b4df7b207add8b6d49aa883af0269b4c6c626e3a5a40208

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
6bd8c8968b88cad55f25bfc840934ded

SHA1
f35039030102060847e97d47ceedb0dd5158ee2e

SHA256
39d6448cda6f90a89a52a851a773dc7baf2c92e81ba770dc5a75639fc87abb65

SHA512
09104ef02d0b2adf3df3f9672d1070006de816ef14ad40cb86b08b2d2532164f91a99c8c398728fe4b1ded34914d8f110e2391965e4b9557013b0c3c127753f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\IJASSWSG\winscp[1].xml
Filesize
100B

MD5
df63cc0784365c718f5b09e703ac233f

SHA1
23e178a3c3e576234f8d4363b972869a5f3b31a4

SHA256
b85e07b72d124717369b65071371924ea50b8a1802c11bac82ace249bae19a21

SHA512
ac5bff81ff5c358936d620af3aacef8acdbc3267b45f6b67f9ca3922cf64b90d2b8e45250136715af0f7e079adf77ef5a4de69dbc6ae1cbbf8e8239d1456ab0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIC7WQYE\f[1].txt
Filesize
162KB

MD5
40a8af1d97e42a0ae3147737283bf6ba

SHA1
73d494f1ab035fea40e17126391c6c2369c3c47c

SHA256
9b5cacaf29c02c5089f7a9ce97a987485375f9da503bdf4aca048b224c47cd48

SHA512
65f9f7d1863e7080209c7197ced24838e9f2fdca18ad6ebc05394fac9b255c9e7cd391f5d9f7ec13dde6b1286ea5fe14e0752895c983a883c474d7d843bdf9a6

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND
Filesize
128B

MD5
351d38227cd2e378a21acce4b653ccc7

SHA1
8d7f9bbb1300a9b2746e73ac117e21a561767221

SHA256
4bf6a49dbefe08b56b31c86cdd3e03f57a3e1fa8b2b81400d1b7763674bbdd73

SHA512
d92e6f37b85156476af995dfa96f4f81e6654daf55bcfd1522977da94302de741994619b249b4f88272e8f5786ea00defca67921581d2b16279448ddc0024300

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND
Filesize
128B

MD5
380bb3efc88098cb564b9e6eb12bb4c3

SHA1
e5a6ee1d5365a08f94dc15766e4549601c4b9261

SHA256
d782353fd4cf703745db15fc1c12dfbf82eda563b06f49b8f90ac444270c3490

SHA512
56db5caeb8ce7ef5aed54a56ad44e60ec974a7c9ed7faef2898b9f3acc87a92f90cef54c29e53c5a249e203516d4b662a25d36cf8948277fd04acfd7633d8136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4CBC.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CF0.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DE2.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AHD18.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AHD18.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XO5H6YHTI0S80WTJI2Z5.temp
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Users\Admin\AppData\Local\Temp\is-AHD18.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
memory/580-272-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/580-1077-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/580-1190-0x00000000009E0000-0x000000000246C000-memory.dmp

Filesize
26.5MB

Download
memory/580-277-0x00000000009E0000-0x000000000246C000-memory.dmp

Filesize
26.5MB

Download
memory/580-262-0x00000000009E0000-0x000000000246C000-memory.dmp

Filesize
26.5MB

Download
memory/656-246-0x0000000001230000-0x0000000002CBC000-memory.dmp

Filesize
26.5MB

Download
memory/656-239-0x0000000001230000-0x0000000002CBC000-memory.dmp

Filesize
26.5MB

Download
memory/900-236-0x0000000001230000-0x0000000002CBC000-memory.dmp

Filesize
26.5MB

Download
memory/900-222-0x0000000001230000-0x0000000002CBC000-memory.dmp

Filesize
26.5MB

Download
memory/1060-54-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1060-275-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1060-76-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1992-259-0x00000000003D0000-0x0000000001E5C000-memory.dmp

Filesize
26.5MB

Download
memory/1992-251-0x00000000003D0000-0x0000000001E5C000-memory.dmp

Filesize
26.5MB

Download
memory/2016-78-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2016-79-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2016-81-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2016-77-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2016-198-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2016-62-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2016-267-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2016-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2016-248-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2016-274-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download