
Windows Analysis Report
https://winscp.net/download/WinSCP-5.19.6-Setup.exe

Overview

General Information

Sample URL: https://winscp.net/download/WinSCP-5.19.6-Setup.exe
Analysis ID: 607461
Infos:

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Creates HTML files with .exe extension (expired dropper behavior)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Classification

Classification chart (figure not reproduced): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious.
  • System is w10x64
  • cmd.exe (PID: 3360 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 744 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • iexplore.exe (PID: 5576 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\download\WinSCP-5.19.6-Setup.exe.svg MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2972 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5576 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup
No configs have been found
No yara matches

There are no malicious signatures.

Source: Process started
Author: James Pemberton / @4A616D6573
Data: Command: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe", CommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wget.exe, NewProcessName: C:\Windows\SysWOW64\wget.exe, OriginalFileName: C:\Windows\SysWOW64\wget.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3360, ParentProcessName: cmd.exe, ProcessCommandLine: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe", ProcessId: 744, ProcessName: wget.exe

Source: File created
Author: frack113
Data: EventID: 11, Image: C:\Windows\SysWOW64\wget.exe, ProcessId: 744, TargetFilename: C:\Users\user\Desktop\download\WinSCP-5.19.6-Setup.exe

Source: Process started
Author: frack113
Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" > cmdline.out 2>&1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3360, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5880, ProcessName: conhost.exe
No Snort rule has matched

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown; HTTPS traffic detected: 88.198.21.111:443 -> 192.168.2.3:49717 version: TLS 1.2

Networking

Source: C:\Windows\SysWOW64\wget.exe; File created: WinSCP-5.19.6-Setup.exe.2.dr
Source: unknown; DNS traffic detected: queries for: winscp.net
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
Source: global traffic; HTTP traffic detected:
  GET /download/WinSCP-5.19.6-Setup.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Accept-Encoding: identity
  Host: winscp.net
  Connection: Keep-Alive
Source: wget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241411874.0000000000E09000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.dr; String found in binary or memory: <li><a href="https://www.facebook.com/winscp/">Facebook</a></li> equals www.facebook.com (Facebook)
Source: wget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241411874.0000000000E09000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.dr; String found in binary or memory: <li><a href="https://www.linkedin.com/company/winscp/">LinkedIn</a></li> equals www.linkedin.com (Linkedin)
Source: WinSCP-5.19.6-Setup.exe.2.dr; String found in binary or memory: <blockquote cite="https://www.facebook.com/winscp/" class="fb-xfbml-parse-ignore"><a href="https://www.facebook.com/winscp/">WinSCP on Facebook</a></blockquote> equals www.facebook.com (Facebook)
Source: wget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.dr; String found in binary or memory: <div class="fb-page" data-href="https://www.facebook.com/winscp/" data-tabs="timeline" data-height="400" data-small-header="false" data-adapt-container-width="true" data-hide-cover="false" data-show-facepile="true"> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4a9ab1f0,0x01d84e50</date><accdate>0x4ab9b02b,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4bf92c27,0x01d84e50</date><accdate>0x4c30011a,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4ca272cb,0x01d84e50</date><accdate>0x4cd6e5b1,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown; HTTPS traffic detected: 88.198.21.111:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: C:\Program Files\internet explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DF5AE3B69924D0077E.TMP
Source: C:\Windows\SysWOW64\wget.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine; Classification label: sus21.win@7/11@1/1
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe"
Source: unknown; Process created: C:\Program Files\internet explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\download\WinSCP-5.19.6-Setup.exe.svg
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5576 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe"
Source: C:\Program Files\internet explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5576 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Users\user\Desktop\cmdline.out
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\SysWOW64\wget.exe; Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques that carry a match count in the report are shown with that count in parentheses):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery (1); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud
Behavior Graph (figure not reproduced)

Behavior Graph ID: 607461
URL: https://winscp.net/download...
Startdate: 12/04/2022
Architecture: WINDOWS
Score: 21
Processes: cmd.exe started wget.exe and conhost.exe; iexplore.exe started a second iexplore.exe
DNS/IP: wget.exe contacted winscp.net (88.198.21.111, port 443, local port 49717, HETZNER-ASDE Germany)
Signature on wget.exe: Creates HTML files with .exe extension (expired dropper behavior)

URL scanner results (Source | Detection | Scanner | Label):
https://winscp.net/download/WinSCP-5.19.6-Setup.exe | 0% | Virustotal | -
https://winscp.net/download/WinSCP-5.19.6-Setup.exe | 0% | Avira URL Cloud | safe

No Antivirus matches

Embedded URL scanner results (Source | Detection | Scanner | Label):
https://winscp-static-746341.c.cdn77.org/assets/images/logos/logo | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/slick-init.js?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/slick/slick.css?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/svg-src-polyfill.js?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/slick/slick.min.js?v=6990 | 0% | Avira URL Cloud | safe
https://teamforge.net/ | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/images/logos/logo.png?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/css/bootstrap-modified.css?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/css/styles-all.css?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/jquery.min.js?v=6990 | 0% | Avira URL Cloud | safe
https://winscp-static-746341.c.cdn77.org/assets/js/bootstrap.min.js?v=6990 | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | URL Reputation | safe
https://winscp-static-746341.c.cdn77.org/assets/js/footer.js?v=6990 | 0% | Avira URL Cloud | safe


Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
winscp.net | 88.198.21.111 | true | false | - | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://winscp.net/download/WinSCP-5.19.6-Setup.exe | false | - | high
                                  high
                                  https://twitter.com/winscpnetwget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241411874.0000000000E09000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.drfalse
                                    high
                                    https://winscp.net/download/files/202204120032637ca77d034d0ff95fd7e59a9f1a8326/WinSCP-5.19.6-Setup.eWinSCP-5.19.6-Setup.exe.2.drfalse
                                      high
                                      https://sourceforge.net/projects/winscp/files/WinSCP/5.19.6/WinSCP-5.19.6-Setup.exe/downloadwget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.drfalse
                                        high
                                        https://winscp-static-746341.c.cdn77.org/assets/js/footer.js?v=6990wget.exe, 00000002.00000003.241383407.0000000000E06000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241393608.0000000000E07000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241373418.0000000000DFE000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.241411874.0000000000E09000.00000004.00000800.00020000.00000000.sdmp, WinSCP-5.19.6-Setup.exe.2.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.google.com/msapplication.xml1.3.drfalse
                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
88.198.21.111 | winscp.net | Germany | 24940 | HETZNER-AS (DE) | false
                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:607461
Start date and time: 2022-04-12 02:31:21 +02:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 4m 34s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:urldownload.jbs
                                          Sample URL:https://winscp.net/download/WinSCP-5.19.6-Setup.exe
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:SUS
                                          Classification:sus21.win@7/11@1/1
                                          EGA Information:Failed
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.205.181.161, 152.199.19.161
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, go.microsoft.com.edgekey.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cs9.wpc.v0cdn.net
• Execution Graph export aborted for target wget.exe, PID 744 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          No simulations
                                          No context
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):355
                                          Entropy (8bit):5.12833922142142
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc41EqAyT6OcTD90/QL3WIZK0QhPPWXpsVDHkEtMjwu:TMHdNMNxOERyWOcnWimI00ObVbkEtMb
                                          MD5:F31B4D1EA15A209AFCC1D641C709CEEC
                                          SHA1:914D73F52967C4CC0350A86590BBD9C2F501B137
                                          SHA-256:9EFAA3F9BF4A710E582D3D130E4DCBACCFF1AA86F2632C5FAF1CF710F6B40441
                                          SHA-512:406E3F7AA39628B91BCC3644B020D623A6F0BAD36BF286EC63D52EFE26A706C57F43EF47D6A42E0C45B629E84C678C1F2B084D355938904401301758622207DC
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4bf92c27,0x01d84e50</date><accdate>0x4c30011a,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):353
                                          Entropy (8bit):5.1590290865241935
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4fLGTkUI3c+cTD90/QL3WIZK0QhPPWXpskI5kU5EtMjwu:TMHdNMNxe2kUAc+cnWimI00Obkak6Ety
                                          MD5:CB5871AE59FEA995DE6EB85EA053AA9C
                                          SHA1:CD1F931BBE2ECBC77C301FEBFA428585BCA20639
                                          SHA-256:7F0C17F044486608DD9F980C701690699F73FB5FDB88FE104D9B8C3A6C3050A4
                                          SHA-512:9C93207F0DAF85D4AF994BBD1DB64CF4FF700C2FDF5313138BEFBE0B90FCF0E271B1BF22C9E699CA07832F11FA0BB76014A8195328D3C4400DB5F59E861B5ACC
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x4a663df5,0x01d84e50</date><accdate>0x4a7bb3f1,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):359
                                          Entropy (8bit):5.1293681890004645
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4GLLHVODSwlecTD90/QL3WIZK0QhPPWXpsyhBcEEtMjwu:TMHdNMNxvL7sOwlecnWimI00ObmZEtMb
                                          MD5:3B5380E51C901452B1C26BFFABE9ED14
                                          SHA1:D2B609B9EA70FD143F97072E41A6969C5A1868FD
                                          SHA-256:AC7301BF9DBCD9E630F1948BA2B25FFC3836AECD5E1E9B45D0DAEAAD16A2145D
                                          SHA-512:F98412287DD26D95918C5D65D5BCEE6BC34DF2F2849C8791788000CC7FAF9C3342059407AC8F18EC9BCF447F864310390DCF4DF9D10A31EE2BD067E9F455A245
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4c4f007a,0x01d84e50</date><accdate>0x4c837337,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):349
                                          Entropy (8bit):5.162906597899968
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4JqURI5sRcTD90/QL3WIZK0QhPPWXpsgE5EtMjwu:TMHdNMNxivRImRcnWimI00Obd5EtMb
                                          MD5:D55628EF463E927FD4297C29E543334F
                                          SHA1:58DA81141C1D5B05BE3B14BDCEAC2C65A8D2DDF7
                                          SHA-256:70AEBB3526171FC47A14A24E0BDE7E365D82211A67974B65ED78002F35AA216C
                                          SHA-512:873AF93DBB3C23E659F2AD493868BEC8290BDAF8527959155AF0FDE3E879F89CCC2EB4D1DC7AFCE2315CBD4B97298B0B5A693EB629A7B5285B6210203288141E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4b1449fe,0x01d84e50</date><accdate>0x4b2c2106,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):355
                                          Entropy (8bit):5.1626560893215245
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4UxGwmU7MPcTD90/QL3WIZK0QhPPWXps8K0QU5EtMjwu:TMHdNMNxhGwvWcnWimI00Ob8K075EtMb
                                          MD5:71C3F12FE4CA2E052CAB8F6999FFD3A9
                                          SHA1:782B35D296B4097100CA056FAB7D4D797136166A
                                          SHA-256:0E8CD466B8FF7B9E54DBB300250E6AE8C10276BED5813B72ACEC90F99B30410A
                                          SHA-512:37E801D40AAEE1D966B6F4F7A0A095A0D6CBC52EEEB1EBBEB9C11C38D89B72ABA1F327D5E8D51F17D3A12F60824C299538F2B050EE562E6505B1AC4AA01DE76B
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4ca272cb,0x01d84e50</date><accdate>0x4cd6e5b1,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):353
                                          Entropy (8bit):5.110540787378884
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4Qunqus5wdO7cTD90/QL3WIZK0QhPPWXpsAkEtMjwu:TMHdNMNx0naudO7cnWimI00ObxEtMb
                                          MD5:B06B66DE2B29F48F74A6AF4934915521
                                          SHA1:8A78C3BE35132CA672BAC28B463AA251CB49B228
                                          SHA-256:B5CFB2D9675C2C939860A18F9FC3BB35DCF00BFCFEA116E706C2506DE3659F1F
                                          SHA-512:72A56F84EB8A9E8E96C2B89518087EDE6C019766EDC7011D70D66F47883225891F1A53DA045517738C092558E823BDF39BCF49387493BCB39767ED186D76F823
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4ba5b91c,0x01d84e50</date><accdate>0x4bdc8ec0,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):355
                                          Entropy (8bit):5.200497452051882
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4oTqCDQR5SArVU7cTD90/QL3WIZK0QhPPWXps6Kq5EtMjwu:TMHdNMNxxiRfBecnWimI00Ob6Kq5EtMb
                                          MD5:1E34F050762F2CFA193EDFEF28D0DF37
                                          SHA1:71D28316925136F0DFE0DAB596CD62DF88C498B9
                                          SHA-256:3421851FB273FCB406DFB213BB79127CE124710FEA8A46EF36FBAEAFE616B39E
                                          SHA-512:D4DE62C55147E430D8E4E1302DB1BB38554C6B483F242DBEBD8C8AB30F52E68F6776FF9D217E98D31CBDA268AC2B6E4545F5E40310D249FE5EE93E248F602021
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4b4b1fbf,0x01d84e50</date><accdate>0x4b7f9372,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):357
                                          Entropy (8bit):5.14066293991928
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4YX2nqwacTD90/QL3WIZK0QhPPWXps02CqEtMjwu:TMHdNMNxcjacnWimI00ObVEtMb
                                          MD5:3F715D68853E517B155C327AFB03052F
                                          SHA1:E197762B01A17D8AE8A5E02C94DB9C33D87E6FB1
                                          SHA-256:49FB0A540E96C4E0E05D219367A8C3FFFE702776BC5A690DEEBD644068AA926D
                                          SHA-512:9FA73FED5528E2562539669034D7F2EC8506454B34FF402E473545FDDE84ACBEA3E8356B640399B533820586C6DA47FC719761C3C8F34B9C09D9A3811FDC1C09
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4a9ab1f0,0x01d84e50</date><accdate>0x4ab9b02b,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Program Files\internet explorer\iexplore.exe
                                          File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):353
                                          Entropy (8bit):5.096646403268484
                                          Encrypted:false
                                          SSDEEP:6:TMVBdc9EMdLD5Ltqc4InIC77rOcTD90/QL3WIZK0QhPPWXpsiwE5EtMjwu:TMHdNMNxfnF7WcnWimI00Obe5EtMb
                                          MD5:61D1B3C13688AF8D91D4FDB4A628AFAF
                                          SHA1:592E9461D9E76C9AFC8B0A021960F0C07EB9CEB2
                                          SHA-256:2A98CA47B836DB03CCDADFA7F74BC091EC3883F5ECA3CA2AC650817741857426
                                          SHA-512:CA7D0DF08D184A3CDF4BA519747DD3FC0E91C377F6871DA35B73BDDB183EF949EE39C81DA94C316986617A66FA8D98039B83EC4BF2B054621E8CA9EFF6CB72D3
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4ad8aee8,0x01d84e50</date><accdate>0x4aee24a2,0x01d84e50</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                          Process:C:\Windows\SysWOW64\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):541
                                          Entropy (8bit):5.097941091950316
                                          Encrypted:false
                                          SSDEEP:12:HE98x4vUVy6GdcvHbK2cvgT1De5RhKkk1DbBKvUVyhmVp9eiBKvUVyp:k9uPJ2s7vsqxePgJ1pxPn9eEx0
                                          MD5:E90CCE23727E4DD14D95647247A7FDBE
                                          SHA1:BA36D39667AF62FA3047358C86548A6BA32EAAFC
                                          SHA-256:61BCA9B7004A2041E08B7138A128A5329618E457AC0E328E0DC00133EA9D62F0
                                          SHA-512:C118570C497E937452730E895D282391E0C784BF3ED839622ED7D0B6AB48B38E8ABE890524E48275F6C98440BFF8F3B4B67ABF0CE9901FAB21D6A45C1D80E561
                                          Malicious:false
                                          Reputation:low
                                          Preview:--2022-04-12 02:32:21-- https://winscp.net/download/WinSCP-5.19.6-Setup.exe..Resolving winscp.net (winscp.net)... 88.198.21.111..Connecting to winscp.net (winscp.net)|88.198.21.111|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: unspecified [text/html]..Saving to: 'C:/Users/user/Desktop/download/WinSCP-5.19.6-Setup.exe'.... 0K .......... ....... 558K=0.03s....2022-04-12 02:32:21 (558 KB/s) - 'C:/Users/user/Desktop/download/WinSCP-5.19.6-Setup.exe' saved [18357]....
                                          Process:C:\Windows\SysWOW64\wget.exe
                                          File Type:HTML document, UTF-8 Unicode text, with very long lines
                                          Category:dropped
                                          Size (bytes):18357
                                          Entropy (8bit):4.868815126047053
                                          Encrypted:false
                                          SSDEEP:384:MtLhg5tzGnL0EcZRD42D4iFxLBZD4E/cjGj:Mt9g5t80EGDrDB//D0jGj
                                          MD5:A8CA13EC8F2EADB0772A1B77615EC3BE
                                          SHA1:2FF19DC6C3A4BF743DCA7D8796DB1B6ED3DA3D6D
                                          SHA-256:C1AB1A23738B6A79115B3D1BEC0F635ED482A3FFFCE005355ADC59F162A9AD04
                                          SHA-512:3D5434577088446F9C64AFF60FFFE6883008D7EBE11AAFA248D3310BA15658540D7929B0BC217B79A024A8D4BC16A8B140C665D4E408FF7997A74976468095C7
                                          Malicious:false
                                          Reputation:low
                                          Preview:<!DOCTYPE html>.<html lang="en">.<head>.<title>Downloading WinSCP-5.19.6-Setup.exe :: WinSCP</title>.<meta charset="utf-8" />.<meta name="viewport" content="width=device-width, initial-scale=1" />.<link rel="stylesheet" href="https://winscp-static-746341.c.cdn77.org/assets/css/bootstrap-modified.css?v=6990" />.<link rel="stylesheet" href="https://winscp-static-746341.c.cdn77.org/assets/js/slick/slick.css?v=6990"/>.<link rel="stylesheet" href="https://winscp-static-746341.c.cdn77.org/assets/css/styles-all.css?v=6990" />.<link rel="schema.DCTERMS" href="http://purl.org/dc/terms/" />.<meta name="keywords" content="sftp client,scp client,ftp client,windows,secure file transfer,ftp,freeware" />.<meta name="description" content="WinSCP is a free SFTP, SCP, Amazon S3, WebDAV, and FTP client for Windows." />.<meta name="google-site-verification" content="R-0cOllfdlHe93mQzthYHV_GUkAImaodzbyD5--pXOQ" />.<link rel="shortcut icon" href="/favicon.ico" />.<link rel="alternate" type="application/rss+
                                          No static file info

Total packets: 11, on ports 443 (HTTPS) and 53 (DNS)
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2022 02:32:21.543804884 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.543869019 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.543987036 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.546216011 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.546243906 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.614610910 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.614744902 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.617898941 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.617924929 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.618129015 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.619488001 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.662195921 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.676146984 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.676192045 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.676306963 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.676481962 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.676523924 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
Apr 12, 2022 02:32:21.676548958 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.676637888 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.720392942 CEST | 49717 | 443 | 192.168.2.3 | 88.198.21.111
Apr 12, 2022 02:32:21.720433950 CEST | 443 | 49717 | 88.198.21.111 | 192.168.2.3
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2022 02:32:21.514389992 CEST | 58116 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2022 02:32:21.537676096 CEST | 53 | 58116 | 8.8.8.8 | 192.168.2.3
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2022 02:32:21.514389992 CEST | 192.168.2.3 | 8.8.8.8 | 0x8ffb | Standard query (0) | winscp.net | A (IP address) | IN (0x0001)
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2022 02:32:21.537676096 CEST | 8.8.8.8 | 192.168.2.3 | 0x8ffb | No error (0) | winscp.net | (none) | 88.198.21.111 | A (IP address) | IN (0x0001)
HTTPS session with winscp.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49717 | 88.198.21.111 | 443 | C:\Windows\SysWOW64\wget.exe
Timestamp | kBytes transferred | Direction | Data
2022-04-12 00:32:21 UTC | 0 | OUT | GET /download/WinSCP-5.19.6-Setup.exe HTTP/1.1
                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
                                          Accept: */*
                                          Accept-Encoding: identity
                                          Host: winscp.net
                                          Connection: Keep-Alive
2022-04-12 00:32:21 UTC | 0 | IN | HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Tue, 12 Apr 2022 00:32:21 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          X-Powered-By: PHP/7.3.33
                                          Vary: Accept-Encoding
                                          X-Frame-Options: SAMEORIGIN
                                          X-Powered-By: PleskLin
                                          Access-Control-Allow-Origin: *
                                          2022-04-12 00:32:21 UTC | 0 | IN | Data Raw: 31 66 32 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 6f 77 6e 6c 6f 61 64 69 6e 67 20 57 69 6e 53 43 50 2d 35 2e 31 39 2e 36 2d 53 65 74 75 70 2e 65 78 65 20 3a 3a 20 57 69 6e 53 43 50 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 69 6e 73 63 70 2d 73 74 61 74 69 63 2d 37
                                          Data Ascii: 1f2f<!DOCTYPE html><html lang="en"><head><title>Downloading WinSCP-5.19.6-Setup.exe :: WinSCP</title><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><link rel="stylesheet" href="https://winscp-static-7
                                          2022-04-12 00:32:21 UTC | 16 | IN | Data Raw: 32 20 63 6f 6c 2d 73 6d 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 2d 68 65 61 64 65 72 22 3e 41 73 73 6f 63 69 61 74 69 6f 6e 73 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 0a 38 38 36 0d 0a 3c 75 6c 20 63 6c 61 73 73 3d 22 6c 69 73 74 2d 75 6e 73 74 79 6c 65 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 6f 75 72 63 65 66 6f 72 67 65 2e 6e 65 74 2f 70 72 6f 6a 65 63 74 73 2f 77 69 6e 73 63 70 2f 22 3e 53 6f 75 72 63 65 46 6f 72 67 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                          Data Ascii: 2 col-sm-3"> <h2 class="footer-header">Associations</h2> 886<ul class="list-unstyled"> <li><a href="https://sourceforge.net/projects/winscp/">SourceForge</a></li>

                                          Target ID: 0
                                          Start time: 02:32:19
                                          Start date: 12/04/2022
                                          Path: C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe" > cmdline.out 2>&1
                                          Imagebase: 0xc20000
                                          File size: 232960 bytes
                                          MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          Target ID: 1
                                          Start time: 02:32:20
                                          Start date: 12/04/2022
                                          Path: C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase: 0x7ff7c9170000
                                          File size: 625664 bytes
                                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          Target ID: 2
                                          Start time: 02:32:20
                                          Start date: 12/04/2022
                                          Path: C:\Windows\SysWOW64\wget.exe
                                          Wow64 process (32bit): true
                                          Commandline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://winscp.net/download/WinSCP-5.19.6-Setup.exe"
                                          Imagebase: 0x400000
                                          File size: 3895184 bytes
                                          MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          Target ID: 3
                                          Start time: 02:32:23
                                          Start date: 12/04/2022
                                          Path: C:\Program Files\internet explorer\iexplore.exe
                                          Wow64 process (32bit): false
                                          Commandline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Desktop\download\WinSCP-5.19.6-Setup.exe.svg
                                          Imagebase: 0x7ff638ba0000
                                          File size: 823560 bytes
                                          MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low
                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                          Target ID: 4
                                          Start time: 02:32:24
                                          Start date: 12/04/2022
                                          Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5576 CREDAT:17410 /prefetch:2
                                          Imagebase: 0xd0000
                                          File size: 822536 bytes
                                          MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low
                                          There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                                          No disassembly