Edit tour

Windows Analysis Report
Your File Is Ready To Download.zip

Overview

General Information

Sample name:	Your File Is Ready To Download.zip
Analysis ID:	1362066
MD5:	1b4974a0a04e0e537262a392b5944786
SHA1:	0ba859f1d929c69226e4d264c9a3f3e435d47c64
SHA256:	4d4533b1b6c84077f9eeb4a19ff2b637a8e1ee4fb2b8772cf19cee5035bd3841
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Downloads suspicious files via Chrome

Modifies Chrome's extension installation force list

Writes to foreign memory regions

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Enables debug privileges

Installs a Chrome extension

May sleep (evasive loops) to hinder dynamic analysis

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

Your File Is Ready To Download.exe (PID: 60 cmdline: "C:\Users\user\Desktop\Your File Is Ready To Download.exe" MD5: 0C0A3D01C45F66056D607BBAD486B39B)

Your File Is Ready To Download.exe (PID: 2632 cmdline: "C:\Users\user\Desktop\Your File Is Ready To Download.exe" MD5: 0C0A3D01C45F66056D607BBAD486B39B)

chrome.exe (PID: 1492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 1372 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2372,i,16584848455203160165,18006748831736426992,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

msedge.exe (PID: 3240 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" https://getfiles.wiki/welcome.php MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7056 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x154,0x158,0x15c,0x130,0x164,0x7ffdd31a8e88,0x7ffdd31a8e98,0x7ffdd31a8ea8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5928 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x18c,0x190,0x194,0x168,0x198,0x7ff6d9ff1368,0x7ff6d9ff1378,0x7ff6d9ff1388 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6460 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2044 --field-trial-handle=2040,i,13136158115941223659,15677216447442921038,262144 /prefetch:2 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6384 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2340 --field-trial-handle=2040,i,13136158115941223659,15677216447442921038,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

taskkill.exe (PID: 5376 cmdline: /IM chrome.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1000 cmdline: /IM msedge.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 5476 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2904 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x12c,0x154,0x158,0x130,0x1a4,0x7ffdd31a8e88,0x7ffdd31a8e98,0x7ffdd31a8ea8 MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 1076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=2020,i,11844467829304668407,15516714887544658327,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

taskkill.exe (PID: 7224 cmdline: /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7612 cmdline: /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 5732 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://getfiles.wiki/welcome.php MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5540 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x160,0x164,0x168,0x13c,0x174,0x7ffdd31a8e88,0x7ffdd31a8e98,0x7ffdd31a8ea8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2352 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2056 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:2 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5088 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2232 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 1492 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=2548 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4528 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --disable-nacl --first-renderer-process --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5838769761 --mojo-platform-channel-handle=3400 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6276 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --disable-nacl --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5838869208 --mojo-platform-channel-handle=3588 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6292 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --disable-nacl --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5839068631 --mojo-platform-channel-handle=3688 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6996 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --disable-nacl --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5839537573 --mojo-platform-channel-handle=4792 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6536 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5592 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5839890168 --mojo-platform-channel-handle=5092 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3440 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 3240 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5840144929 --mojo-platform-channel-handle=5604 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2480 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5840336035 --mojo-platform-channel-handle=5796 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6648 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5840526288 --mojo-platform-channel-handle=5976 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 348 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5840621379 --mojo-platform-channel-handle=6140 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2088 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6356 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2424 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6584 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2732 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6648 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2400 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6608 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6308 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=renderer --disable-nacl --disable-gpu-compositing --lang=en-GB --js-flags=--ms-user-locale=en_CH --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --time-ticks-at-unix-epoch=-1702542096228565 --launch-time-ticks=5843305504 --mojo-platform-channel-handle=7140 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:1 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5256 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7296 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4316 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7688 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7328 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=7924 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7396 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6436 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7404 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=3652 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7440 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=6980 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7456 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=8308 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7484 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-GB --service-sandbox-type=service --mojo-platform-channel-handle=8456 --field-trial-handle=2052,i,11542245964142544923,5319805300231437499,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7132 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --profile-directory=Default --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6448 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x160,0x164,0x168,0x13c,0x1a4,0x7ffdd31a8e88,0x7ffdd31a8e98,0x7ffdd31a8ea8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2424 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1876 --field-trial-handle=2016,i,2864284278806494210,79671049654359720,262144 /prefetch:2 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6480 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=2016,i,2864284278806494210,79671049654359720,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

Your File Is Ready To Download.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\Your File Is Ready To Download.exe" MD5: 0C0A3D01C45F66056D607BBAD486B39B)

Your File Is Ready To Download.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\Your File Is Ready To Download.exe" MD5: 0C0A3D01C45F66056D607BBAD486B39B)

msedge.exe (PID: 7920 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" https://getfiles.wiki/welcome.php MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7112 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x154,0x158,0x15c,0x130,0x1a4,0x7ffdd31a8e88,0x7ffdd31a8e98,0x7ffdd31a8ea8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7236 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=117.0.5938.132 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=117.0.2045.47 --initial-client-data=0x1bc,0x1c0,0x1c4,0x174,0x1c8,0x7ff6d9ff1368,0x7ff6d9ff1378,0x7ff6d9ff1388 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 2424 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2008 --field-trial-handle=1992,i,15478457847577823314,11846488167821622926,262144 /prefetch:2 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7352 cmdline: "C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1228 --field-trial-handle=1992,i,15478457847577823314,11846488167821622926,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

chrome.exe (PID: 7928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://getfiles.wiki/welcome.php MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=2004,i,16211199081525446302,11786368910216131414,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

Taskmgr.exe (PID: 3248 cmdline: "C:\Windows\system32\taskmgr.exe" /7 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

Taskmgr.exe (PID: 7316 cmdline: "C:\Windows\system32\taskmgr.exe" /7 MD5: 58D5BC7895F7F32EE308E34F06F25DD5)

cleanup

Process created: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe "c:\program files (x86)\microsoft\edgecore\117.0.2045.47\msedge.exe" --profile-directory=default --no-startup-window --load-extension="c:\users\user\appdata\local\serviceapp\apps-helper" --hide-crash-restore-bubble --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\images\logo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\images\logo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation
Source: C:\Windows\System32\Taskmgr.exe	Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Chrome's extension installation force list

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\google\chrome\ExtensionInstallForcelist

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	11 Browser Extensions	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Browser Session Hijacking	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Source	Detection	Scanner	Link
getfiles.wiki	9%	Virustotal	Browse
sni1gl.wpc.nucdn.net	0%	Virustotal	Browse
part-0013.t-0009.t-msedge.net	0%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
a.nel.cloudflare.com	35.190.80.1	true	false		high
part-0013.t-0009.t-msedge.net	13.107.213.41	true	false	0%, Virustotal, Browse	unknown
accounts.google.com	192.178.50.45	true	false		high
www3.l.google.com	142.250.217.238	true	false		high
getfiles.wiki	104.21.11.107	true	true	9%, Virustotal, Browse	unknown
www.google.com	142.250.217.164	true	false		high
clients.l.google.com	142.250.217.206	true	false		high
googlehosted.l.googleusercontent.com	142.250.217.193	true	false		high
sni1gl.wpc.nucdn.net	152.195.19.97	true	false	0%, Virustotal, Browse	unknown
clients2.googleusercontent.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
chrome.google.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.6.158	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.11.107	getfiles.wiki	United States	13335	CLOUDFLARENETUS	true
13.107.21.200	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.191.210	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.217.238	www3.l.google.com	United States	15169	GOOGLEUS	false
142.250.64.234	unknown	United States	15169	GOOGLEUS	false
142.250.217.164	www.google.com	United States	15169	GOOGLEUS	false
142.250.217.163	unknown	United States	15169	GOOGLEUS	false
142.251.35.238	unknown	United States	15169	GOOGLEUS	false
13.107.213.41	part-0013.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
204.79.197.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
191.235.44.176	unknown	Brazil	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.189.131	unknown	United States	15169	GOOGLEUS	false
192.178.50.45	accounts.google.com	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
192.178.50.46	unknown	United States	15169	GOOGLEUS	false
13.107.21.239	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.217.206	clients.l.google.com	United States	15169	GOOGLEUS	false
142.250.64.205	unknown	United States	15169	GOOGLEUS	false
13.107.42.16	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.64.174	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.3.77	unknown	United States	15169	GOOGLEUS	false
142.250.217.193	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
20.246.247.192	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1362066
Start date and time:	2023-12-14 10:58:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	81
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Your File Is Ready To Download.zip
Detection:	MAL
Classification:	mal60.phis.winZIP@157/63@32/134
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe
Excluded IPs from analysis (whitelisted): 142.250.217.163, 142.250.189.131, 34.104.35.123, 13.107.42.16, 204.79.197.239, 13.107.21.239, 13.107.6.158, 20.246.247.192
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data

Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.16:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.44.10.122:443 -> 192.168.2.16:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.16:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.16:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.16:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.22.254:443 -> 192.168.2.16:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.253.254:443 -> 192.168.2.16:49798 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.1.237.25:443 -> 192.168.2.16:49801 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.25

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\System32\Taskmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\Taskmgr.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "msedge.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	File created: \your file is ready to download.exe

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\Users\user\AppData\Local\ServiceApp\apps-helper" --hide-crash-restore-bubble

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_7807D6340FEC7246BC00DDFA59FA135D
Source: C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_7807D6340FEC7246BC00DDFA59FA135D

Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\Taskmgr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM msedge.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /IM chrome.exe
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM chrome.exe /T
Source: C:\Users\user\Desktop\Your File Is Ready To Download.exe	Process created: C:\Windows\SysWOW64\taskkill.exe /F /IM msedge.exe /T

Process:	C:\Program Files (x86)\Microsoft\EdgeCore\117.0.2045.47\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	58458
Entropy (8bit):	6.1034421410106745
Encrypted:	false
SSDEEP:
MD5:	B1B76B852CBC0CF864E4EC9E33CF04F1
SHA1:	3EF301903676F86431186796AF74E869093F78D6
SHA-256:	A77FB64B9AFF1C6D3BAA284DBA5913B7D6BD7F52DEECC08C66A778C52DE9A61E
SHA-512:	2FED2D4482DEABB241ADA08EE90C6D5234E7FF49B60D1EDF635DDF95245205F87CF38351684C812C9322F5AA374D82BFEED0B1BEF5DAB6EDE5782F153E3407FC
Malicious:	false
Reputation:	low
Preview:	{"abusive_adblocker_etag":"\"8ABCE35666CBACA121128B98C75E78308AAC1CE803625FAFB4A7AFA722C77CA4\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

Process:	C:\Windows\System32\Taskmgr.exe
File Type:	data
Category:	dropped
Size (bytes):	65552
Entropy (8bit):	0.012543881408137456
Encrypted:	false
SSDEEP:
MD5:	D2FB266B97CAFF2086BF0FA74EDDB6B2
SHA1:	2F0061CE9C51B5B4FBAB76B37FC6A540BE7F805D
SHA-256:	B09F68B61D9FF5A7C7C8B10EEE9447D4813EE0E866346E629E788CD4ADECB66A
SHA-512:	C3BA95A538C1D266BEB83334AF755C34CE642A4178AB0F2E5F7822FD6821D3B68862A8B58F167A9294E6D913B08C1054A69B5D7AEC2EFDB3CF9796ED84DE21A8
Malicious:	false
Reputation:	low
Preview:	.6.G........................................f...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\Your File Is Ready To Download.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	46654
Entropy (8bit):	7.9590350147638365
Encrypted:	false
SSDEEP:
MD5:	2BA2554244EA500AA5847F1FF7A9D26C
SHA1:	DEBA543755C488CDC7A3BEE7CD46E7FE4B7F1212
SHA-256:	8B7D4B43A9EEBC6C3FC78DEA1AB562711651FC24043F260018C80021B33FBC4B
SHA-512:	104FBB55F037015FFB02025A3F663C29D0D113DBF72AFCF9A9D1D7C0D20013E3A72905A5B2EEACCDD23828C0DA1855FB852CB7AA74535BF7EB0A5854E6877311
Malicious:	false
Reputation:	low
Preview:	Cr24....E.........0.."0....H.............0............-.."a....7.@M....lVa...$E.F...\|..l.5<o4_...P....5.1K.[.S.......Y.GJ.Na{.x~\|.........d7$...J...n.....,..tV.0.\|..2..~..?...._G.2.&.....z.3..\|{...-I......f..,{q..h6E..l.\..Zz......hFs...1bU..UyS.c....]..L)-..~7.lz.:.D.............!..{0.G........f...O.{a...<......p1.%_...$PV....M..V...G.....m:..B....+...w.~.\|"......`^....L....;P."...k.r.!{...=.A..'.._+...,M.L.....y.......B....{.#.....+4.c6.A K...o.!\.e.<.j.0...Z.5Qa.\!..aZ.YO......A(.x...o...Y....u....tR\|z.w..u.....i.K'._r..V2-.r..3.@&.......BU....PX..,...r.PK..-.......OV...[............manifest.json.....................SMo.0...W...(.9n..h.a.......!3.#W..%.....I.]wK..f?>>R...".r...Y...m^D.d.....:a[.@.w#>..w{C..-k=.j.Y.m....Q..#)a...._........f........u.b.!....xc.o0......<@.C...CK..m..<. ..`.h..S....d. p*..IW.:=wn7......8...3...$.\|..)..?.X~,.b.,.....c....bJ..uqY.. ...Q.u.v..%B^..E[......8..qJ.Fg...V.b.Pa>..[`.cFJ..v....M..7)...8ipiyj..a...5.5../..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Dec 14 08:59:42 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.979187998640117
Encrypted:	false
SSDEEP:
MD5:	F18EA4759555B25FA527BEE092D7F8AB
SHA1:	9C00EE61253B222D2B942F65441926BD9DBC8C19
SHA-256:	1D8EF2E6EEBB9EC2BEA6A0C45A45703C451792100817D5534C38FCB7E3670B4D
SHA-512:	AF8F026DFD3C4D116708EEDFA2D4E67F3B03E670577BC710537DA36C6BA97DA89E4804EC84BCF4928EA3CB2066D3B0C213D62976EFB4935534C3BF7D22366353
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ...$+.,....~..Bt...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.WIO....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.WXO....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.WXO....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.WXO..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.WvO...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........OA(......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.9965871205757555
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	Your File Is Ready To Download.zip
File size:	103'030 bytes
MD5:	1b4974a0a04e0e537262a392b5944786
SHA1:	0ba859f1d929c69226e4d264c9a3f3e435d47c64
SHA256:	4d4533b1b6c84077f9eeb4a19ff2b637a8e1ee4fb2b8772cf19cee5035bd3841
SHA512:	8293cbe3c8a25f020716fa983b9a789e30d0b04657dfc16aa530d045a2a8940c4fb437cc1047f59decfda5dc167c043e1b0c63d6b4406f8671ef92a305281d30
SSDEEP:	1536:XvOARROViuj32rRWLzM3OI0UZAJ2dDfN9Itnaxs4QvdDW2EtMNxFEsSqADGlK0av:2ARRO0ujzLA3OQdHeaqwuxCsSrDiKqhW
TLSH:	76A3121DEE9C47358482E5688DB0F13414EECA302AFACEAAD53B4DF4E9764541CD67B0
File Content Preview:	PK...........V.T......p3.."...Your File Is Ready To Download.exe..{x.U.8Z..$..I5.`. Q..A&N.%6...CT..b:DH..`..af...g..+..(J9G..9Gg...s~:.x....h.`....h.F3.....(14...Z..;..<.......h.~....k.....*.....9...g............_..?fs/d.uY.m.[....gC...?....~Z...~...K...

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Your File Is Ready To Download.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

(copy)

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\0e7a9017-777a-4eca-8266-d7332ace4465.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1b24a964-ad26-4ee4-9500-a11ffd3ec321.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\7e5b49ff-2651-4e55-97c1-b51db3b52ba0.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9af0506b-81fd-40c5-a554-f4ba9a8e0f16.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-657AD1DA-1564.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-657AD1DB-1BDC.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-657AD20B-1EF0.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\2f8ba5a3-77fd-4ba0-b18b-ab9473f3269b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\618647c9-6709-46b9-915e-f798ff47fdd9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000003.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000004

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000005

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\4335e5c8-be98-4e5c-a4d5-9373de0f1699.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\7bdf7966-16ae-45f1-819a-6a9b5386436b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\a0e99707-0d06-48a0-8bfe-4d8326950271.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\arbitration_service_config.json

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\RemoteData\edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1

Windows Analysis Report
Your File Is Ready To Download.zip

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre