6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b

Analysis

max time kernel
60s
max time network
72s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-04-2023 12:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinSCP-5.21.7-Setup.exe
Size

10.9MB
MD5

4b6dcc18e7ea50caab02f11d9abb3dee
SHA1

fd36c8ff64d2cabb7c35bb2e9100f5245544ecf2
SHA256

6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b
SHA512

ef9c0dbfb52919c3d420320406e3487892a5be30aa275d32981e799cb4711abe54e11085c3c9131073a0e012763db994acd0039c36475b0c35ebe54fe84a8a63
SSDEEP

196608:wCIA4//b/VVVLXx1is5RFZ06uhRrvh311cJGB/NP9AhXxtJUyT5:rO/r5fltZBQN5l1lB18X/JUy

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

WinSCP-5.21.7-Setup.tmpWinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

2000 WinSCP-5.21.7-Setup.tmp
1440 WinSCP.exe
1308 WinSCP.exe
880 WinSCP.exe
520 WinSCP.exe

pid	process
2000	WinSCP-5.21.7-Setup.tmp
1440	WinSCP.exe
1308	WinSCP.exe
880	WinSCP.exe
520	WinSCP.exe

Loads dropped DLL 6 IoCs

Processes:

WinSCP-5.21.7-Setup.exeWinSCP-5.21.7-Setup.tmpregsvr32.exeregsvr32.exe

pid	process
1708	WinSCP-5.21.7-Setup.exe
2000	WinSCP-5.21.7-Setup.tmp
2000	WinSCP-5.21.7-Setup.tmp
2000	WinSCP-5.21.7-Setup.tmp
1916	regsvr32.exe
1156	regsvr32.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}\InProcServer32\ = "C:\\Program Files (x86)\\WinSCP\\DragExt64.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinSCP.exe

description	ioc	process
File opened (read-only)	\??\E:	WinSCP.exe
File opened (read-only)	\??\G:	WinSCP.exe
File opened (read-only)	\??\H:	WinSCP.exe
File opened (read-only)	\??\M:	WinSCP.exe
File opened (read-only)	\??\T:	WinSCP.exe
File opened (read-only)	\??\W:	WinSCP.exe
File opened (read-only)	\??\K:	WinSCP.exe
File opened (read-only)	\??\Q:	WinSCP.exe
File opened (read-only)	\??\R:	WinSCP.exe
File opened (read-only)	\??\U:	WinSCP.exe
File opened (read-only)	\??\V:	WinSCP.exe
File opened (read-only)	\??\Z:	WinSCP.exe
File opened (read-only)	\??\A:	WinSCP.exe
File opened (read-only)	\??\B:	WinSCP.exe
File opened (read-only)	\??\I:	WinSCP.exe
File opened (read-only)	\??\L:	WinSCP.exe
File opened (read-only)	\??\O:	WinSCP.exe
File opened (read-only)	\??\P:	WinSCP.exe
File opened (read-only)	\??\X:	WinSCP.exe
File opened (read-only)	\??\F:	WinSCP.exe
File opened (read-only)	\??\J:	WinSCP.exe
File opened (read-only)	\??\N:	WinSCP.exe
File opened (read-only)	\??\S:	WinSCP.exe
File opened (read-only)	\??\Y:	WinSCP.exe

Drops file in Program Files directory 61 IoCs

Processes:

WinSCP-5.21.7-Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\WinSCP\Translations\is-9TLLC.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-CC8R6.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-DCRC7.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-RN1LF.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-1TO7N.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-A55R1.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-46CDS.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-H29AB.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-S2V39.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8AV6R.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-CE03K.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\unins000.msg	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-VU1II.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-GQ921.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-74M3K.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-9ROAG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-VRACH.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-13H92.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-NGTEV.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-UP9LG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-082Q4.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-TIDL0.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-94N31.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-67BJ9.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-HD829.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-AK084.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-618OB.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-KHOJB.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BP3LL.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-16E77.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-R343T.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-PACM7.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-GU4P9.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-LAIRP.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-R5QEB.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-HMOQH.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-J4EGI.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-JFCSH.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-8GRQG.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-SLSE5.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-3KHBN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-BE6T4.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-QLCRV.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-8UGFN.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Extensions\is-9UGUV.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-MRHFL.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-AQP3H.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-4MACA.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-B5KRS.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-J4CJF.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-EQJ77.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\PuTTY\is-C9DAE.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-T1QER.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-2E3P7.tmp	WinSCP-5.21.7-Setup.tmp
File opened for modification	C:\Program Files (x86)\WinSCP\unins000.dat	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-AMJAS.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-SM1HD.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\Translations\is-CQR4P.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-Q2O0M.tmp	WinSCP-5.21.7-Setup.tmp
File created	C:\Program Files (x86)\WinSCP\is-R2V8M.tmp	WinSCP-5.21.7-Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C1FF5DF1-E2AF-11ED-B880-C227D5A71BE4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 64 IoCs

Processes:

WinSCP.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\shell\open	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E15E1D68-0D1C-49F7-BEB8-812B1E00FA60}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\ = "URL: davs Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-HTTPS	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\shell\open\command	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\BrowserFlags = "8"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\EditFlags = "2"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell\open\command	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WinSCP.Url	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\DefaultIcon	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\EditFlags = "2"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dav\ = "URL: dav Protocol"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\URL Protocol	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\BrowserFlags = "8"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\ftps	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ssh\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\davs\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\ = "URL: winscp-DAV Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\shell	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftpes\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTP\shell\open	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\shell	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTPS\URL Protocol	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sftp\shell\open\command	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\s3\ = "URL: s3 Protocol"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAVS\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPES\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\EditFlags = "2"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-SFTP	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\BrowserFlags = "8"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\shell\open\command\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\" /Unsafe \"%1\""	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftps\shell\open\command	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-DAV\DefaultIcon	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SCP\ = "URL: winscp-SCP Protocol"	WinSCP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\winscp-S3	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-S3\ = "URL: winscp-S3 Protocol"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-FTPS\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-HTTP\DefaultIcon	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SSH\EditFlags = "2"	WinSCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\scp\EditFlags = "2"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\winscp-SFTP\DefaultIcon\ = "\"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe\",0"	WinSCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinSCP.Url\ = "WinSCP URL"	WinSCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	WinSCP.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exe

pid process

1440 WinSCP.exe
1308 WinSCP.exe
880 WinSCP.exe
880 WinSCP.exe
520 WinSCP.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinSCP-5.21.7-Setup.tmp

pid process

2000 WinSCP-5.21.7-Setup.tmp
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WinSCP.exeWinSCP.exeWinSCP.exeWinSCP.exeiexplore.exe

pid process

1440 WinSCP.exe
1308 WinSCP.exe
880 WinSCP.exe
520 WinSCP.exe
520 WinSCP.exe
520 WinSCP.exe
520 WinSCP.exe
1576 iexplore.exe
1576 iexplore.exe

pid	process
1440	WinSCP.exe
1308	WinSCP.exe
880	WinSCP.exe
880	WinSCP.exe
520	WinSCP.exe

pid	process
2000	WinSCP-5.21.7-Setup.tmp

pid	process
1440	WinSCP.exe
1308	WinSCP.exe
880	WinSCP.exe
520	WinSCP.exe
520	WinSCP.exe
520	WinSCP.exe
520	WinSCP.exe
1576	iexplore.exe
1576	iexplore.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

WinSCP-5.21.7-Setup.exeWinSCP-5.21.7-Setup.tmpregsvr32.exeiexplore.exe

description	pid	process	target process
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 1708 wrote to memory of 2000	1708	WinSCP-5.21.7-Setup.exe	WinSCP-5.21.7-Setup.tmp
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 2000 wrote to memory of 1916	2000	WinSCP-5.21.7-Setup.tmp	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 1916 wrote to memory of 1156	1916	regsvr32.exe	regsvr32.exe
PID 2000 wrote to memory of 1440	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1440	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1440	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1440	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1308	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1308	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1308	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1308	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 880	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 880	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 880	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 880	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 1576	2000	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2000 wrote to memory of 1576	2000	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2000 wrote to memory of 1576	2000	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2000 wrote to memory of 1576	2000	WinSCP-5.21.7-Setup.tmp	iexplore.exe
PID 2000 wrote to memory of 520	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 520	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 520	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 2000 wrote to memory of 520	2000	WinSCP-5.21.7-Setup.tmp	WinSCP.exe
PID 1576 wrote to memory of 1644	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1644	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1644	1576	iexplore.exe	IEXPLORE.EXE
PID 1576 wrote to memory of 1644	1576	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\is-VPJKE.tmp\WinSCP-5.21.7-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VPJKE.tmp\WinSCP-5.21.7-Setup.tmp" /SL5="$70120,10341314,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1156

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,InstallationsGettingStarted+,InstallationsLaunch+,
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://winscp.net/eng/installed.php?ver=5.21.7&lang=en&utm_source=winscp&utm_medium=setup&utm_campaign=5.21.7&prevver=&automatic=0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
4⤵
PID:1644

C:\Program Files (x86)\WinSCP\WinSCP.exe
"C:\Program Files (x86)\WinSCP\WinSCP.exe"
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ArchiveDownload.WinSCPextension.ps1
Filesize
6KB

MD5
b16082ceeb34da39af1d52adc88be7db

SHA1
b7719fec4c89fe09904ae5fecf96aa364914e57e

SHA256
beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356

SHA512
bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\BatchRename.WinSCPextension.ps1
Filesize
4KB

MD5
2ed11efbb12a1e8de4197b5432321958

SHA1
ed6add9f956866895ed2d55115f74061d8dd9b39

SHA256
7e605503bc77f9fec8f5b10ee6fd1e5da273ca8b8c213985e75069a66deee649

SHA512
acfbcad5dfa662f336f57db7d6975df53194faf985d1c8e874936885926fe846665c1e654026a91e6a6bec2f0ace2efc1680a17212f4278136009c5a721230c0

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\CompareFiles.WinSCPextension.ps1
Filesize
2KB

MD5
5658e87d86c7e1f4a375e65075c73f27

SHA1
1928b74fa34e139051bf8a8414a45ca84e6dc070

SHA256
71e5fb801d2132f44cda67c65fba980347b891b138a43d2e8ded6a1825a9a510

SHA512
b564a2588727762a34cedb5d0b39df6477da95784bfa1dd4b97f3603c3bff0261e10409c7caad10ca364dfe76e3236c839e61213c230d4e8b4864fdcb1f0a061

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\GenerateHttpUrl.WinSCPextension.ps1
Filesize
3KB

MD5
7b02c62423d08d7c340a530f85261534

SHA1
f57fc70cac8655e1ac75abfcd83d623f83778b89

SHA256
737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf

SHA512
1cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\KeepLocalUpToDate.WinSCPextension.ps1
Filesize
5KB

MD5
6f10dd9ca31373018e319ba80abb5532

SHA1
1325eab389ec9961120e0cd569b37f566a764fe7

SHA256
79c87ff4a8cd2a2613a22f1e0dd4c3708b652e42fc92200b50e6d4adf91e561d

SHA512
8f272cf4de55bd6e3d563ae5c87df035b3684c008bf64152bca1480f411413ff0999dd14dc802fcc72372313d19aff8159ccd4be48528c54963c59deba49c726

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SearchText.WinSCPextension.ps1
Filesize
3KB

MD5
d26c1a56f63d3682da6e676b606894af

SHA1
e18ed1d358dc0026ecf64f49cc5f7b4c687523c3

SHA256
6b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c

SHA512
dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\SynchronizeAnotherServer.WinSCPextension.ps1
Filesize
10KB

MD5
680bbba778a319ba57ccc5c5c9f50c03

SHA1
12705a80f1be125f12a5c6e8511deccdba8bbec6

SHA256
e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019

SHA512
94983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\VerifyFileChecksum.WinSCPextension.ps1
Filesize
2KB

MD5
e4eb33335b663fc23aa03ab6ef80cb8d

SHA1
0db1095d82e27ef352d96a8f36ac022f035ce90d

SHA256
dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534

SHA512
4f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b

Download Submit
C:\Program Files (x86)\WinSCP\Extensions\ZipUpload.WinSCPextension.ps1
Filesize
5KB

MD5
3963399fcb03e28453f38d93755795a0

SHA1
384abd9957a9ac16805c36a44bc49de9bf757644

SHA256
a62d0af7080942304a27883fb986d3a3f2fa9fcefc73108a1142f968649cc872

SHA512
5944a51ac0bc1e6cb8e041853b2720e2790f6b0f3a69ede16eba499645b62f703fd4145ef7107ef4b64b818bc44349e3af71c0e9d8586693dacde2042c527051

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
C:\Program Files (x86)\WinSCP\unins000.exe
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
88664de1199b7eff448ffc9a478e27c6

SHA1
34810d3f97081e3759c3073e6f8eb729f01dafd0

SHA256
735153aec1286c0db43be9fc52a8ee6b1a45781026f2de9c936d7c21b7dffa47

SHA512
96edaf93208a931a53c0edef93f11d5aaf4d3b7331a12028a7fed5ce2be856f5650b6a1c620edd7b0bfafb634da41f77921921b009e50fe52ff2b218043181a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Filesize
252B

MD5
b13db716565ca5af70902794056318fc

SHA1
450d7866225ff3c9830f40ea44543a222ff40a34

SHA256
e62641e99a72526aab00c42d7d72da9a4cc2d640c111f486798e007b9b3f721e

SHA512
dcb1b8444e35d5edbee2b3760c11d773b3f9d86cb347ef3dfeb93c062baacd3a5e18fb1744b999b32e086ad493f2e423b446b3540ba7f9d6af9ff027af001155

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND
Filesize
128B

MD5
4fab2a5caed2f5a36293492bfdf2d5da

SHA1
4cde4eeb9906e34bcb951dfd6c79b2b8d43216e5

SHA256
f34ba85e6b2c3ea692c8471ba9e483831b99c01f25bb31136539656a6e05a2e9

SHA512
f869b4f626db19e0b461c4e68ecac8075f86cbbbc7816c1ae7b008a18c2c4e53f7c23027394c0e5cb65072fe9bff5db4bef66a38eefb910aa69b83a03317dbe0

Download Submit
C:\Users\Admin\AppData\Local\PUTTY.RND
Filesize
128B

MD5
526eee0e82e38382223f67af75e214ac

SHA1
295e7685ad20405032a1ed677a71521091b3b61b

SHA256
01b41f637d803e142d2c58e1a7273a05073b88ee5c78868ac0ca2da94a0fcc34

SHA512
f69b58f7d4524fe28ad5a2b3ce426228edd6d9d6a4b38b3256a974649e8d6635d8a465334f54092d7c74ae3629ce547f29179bb24ba63e2288cd4f01ea307d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20BD.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20D1.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VPJKE.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VPJKE.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8J97NJYKBXC5RP8JW4MN.temp
Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
\Program Files (x86)\WinSCP\DragExt64.dll
Filesize
479KB

MD5
5aa9eb658328c2a51dade7dae59aecf7

SHA1
f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

SHA256
86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

SHA512
78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Program Files (x86)\WinSCP\WinSCP.exe
Filesize
25.9MB

MD5
f787cf4c084f5143c7de0dec3505af58

SHA1
72a19bea7ac2937497738cdf46b76827a1ec11c8

SHA256
366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

SHA512
16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

Download Submit
\Users\Admin\AppData\Local\Temp\is-VPJKE.tmp\WinSCP-5.21.7-Setup.tmp
Filesize
3.1MB

MD5
cbc9e059de252e52ad2f1d6c3b215e78

SHA1
4111f1543d22077afa12376e3b358c14b6a4ed36

SHA256
5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

SHA512
e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

Download Submit
memory/520-255-0x00000000011A0000-0x0000000002C2C000-memory.dmp

Filesize
26.5MB

Download
memory/880-244-0x00000000011A0000-0x0000000002C2C000-memory.dmp

Filesize
26.5MB

Download
memory/880-252-0x00000000011A0000-0x0000000002C2C000-memory.dmp

Filesize
26.5MB

Download
memory/1308-241-0x0000000000180000-0x0000000001C0C000-memory.dmp

Filesize
26.5MB

Download
memory/1308-234-0x0000000000180000-0x0000000001C0C000-memory.dmp

Filesize
26.5MB

Download
memory/1440-217-0x0000000000A30000-0x00000000024BC000-memory.dmp

Filesize
26.5MB

Download
memory/1440-231-0x0000000000A30000-0x00000000024BC000-memory.dmp

Filesize
26.5MB

Download
memory/1708-54-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1708-63-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1708-265-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2000-62-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2000-264-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2000-64-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2000-61-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2000-81-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2000-182-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download