
Windows Analysis Report
https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57

Overview

General Information

Sample URL:https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&se
Analysis ID:1667340
Infos:

Detection

Score:1
Range:0 - 100
Confidence:60%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 7792 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup
No configs have been found
No yara matches
Source: Process started
Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
Data:
  Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" > cmdline.out 2>&1
  CommandLine: (same as Command)
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 4692
  ProcessCommandLine: (same as Command)
  ProcessId: 7740
  ProcessName: cmd.exe
No Suricata rule has matched

There are no malicious signatures.

Source: unknown | HTTPS traffic detected: 18.160.78.78:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Accept-Encoding: identity
  Host: wetransfer.com
  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: wetransfer.com
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/html; charset=utf-8
  Content-Length: 7947
  Connection: close
  Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
  Cross-Origin-Opener-Policy: same-origin
  Date: Thu, 17 Apr 2025 09:47:57 GMT
  ETag: "asyiw80d5964r"
  Referrer-Policy: strict-origin-when-cross-origin
  Set-Cookie: _wt_snowplowid.0497=0fa1034a-1639-4f09-bce3-948f15fde98d.1744883277804.0.1744883277804.; Max-Age=63072000; Domain=.wetransfer.com; Path=/
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Vary: Accept-Encoding
  X-Content-Type-Options: nosniff
  X-DNS-Prefetch-Control: on
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  X-Cache: Error from cloudfront
  Via: 1.1 6065fa4dfa87d92a6009e7fe74c3def0.cloudfront.net (CloudFront)
  X-Amz-Cf-Pop: ATL59-P2
  Alt-Svc: h3=":443"; ma=86400
  X-Amz-Cf-Id: -UrsoIgpRu-jBLnDtdxz7RaQ9dR8s1pgTfQU3kdLXcqBchYj0oHETQ==
Source: wget.exe, 00000002.00000002.1190648549.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr | String found in binary or memory: https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 18.160.78.78:443 -> 192.168.2.4:49712 version: TLS 1.2
Source: classification engine | Classification label: clean1.win@4/1@1/1
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2"
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: wget.exe, 00000002.00000002.1190789898.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://wetransfer.com/download/local-bartender?apibase=%2fapi%2fv4&ddproxybase=https%3a%2f%2flocal-bartender-dd-proxy.wetransfer.net%2fapi&transferid=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainuserid=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileids=af1b562ab57456f064ccd665283f782d20250417092955&localstorageid=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://wetransfer.com/download/local-bartender?apibase=%2fapi%2fv4&ddproxybase=https%3a%2f%2flocal-bartender-dd-proxy.wetransfer.net%2fapi&transferid=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainuserid=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileids=af1b562ab57456f064ccd665283f782d20250417092955&localstorageid=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2"
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the hit count shown in the matrix)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At; Cron
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
  • Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Ingress Tool Transfer (3)
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1667340
URL: https://wetransfer.com/down...
Startdate: 17/04/2025
Architecture: WINDOWS
Score: 1
  • wetransfer.com (DNS/IP node reached from the start node)
  • cmd.exe started
    • wget.exe started; connected to wetransfer.com 18.160.78.78, port 443, local port 49712, MIT-GATEWAYSUS, United States
    • conhost.exe started
URL reputation
Source: https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2
Detection: 0%
Scanner: Avira URL Cloud
Label: safe

No Antivirus matches


        Domain
        Name: wetransfer.com
        IP: 18.160.78.78
        Active: true
        Malicious: false
        Reputation: high

        URL
        Name: https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2
        Malicious: false
        Reputation: high

        URL (from memory/dropped file)
        Name: https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-
        Source: wget.exe, 00000002.00000002.1190648549.0000000000B70000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr
        Malicious: false
        Reputation: high

        IP
        IP: 18.160.78.78
        Domain: wetransfer.com
        Country: United States
        ASN: 3
        ASN Name: MIT-GATEWAYSUS
        Malicious: false
        Joe Sandbox version:42.0.0 Malachite
        Analysis ID:1667340
        Start date and time:2025-04-17 11:46:58 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 1m 50s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:urldownload.jbs
        Sample URL:https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:4
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:CLEAN
        Classification:clean1.win@4/1@1/1
        EGA Information:Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Unable to download file
        • Exclude process from analysis (whitelisted): svchost.exe
        • Not all processes were analyzed, report is missing behavior information
        • VT rate limit hit for: https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2
        No simulations
        No context
        Process:C:\Windows\SysWOW64\cmd.exe
        File Type:ASCII text, with very long lines (412), with CRLF line terminators
        Category:modified
        Size (bytes):968
        Entropy (8bit):5.355129299323853
        Encrypted:false
        SSDEEP:24:GaYNXOEu5TLrBfsegDP3s5s/5jSdPj6mfxePPOR0WWu5TLrBfs1Yf:GaYNm5TLGeAZhjQj6KAg5TLG1Yf
        MD5:52B972B3E43264E552C8BD5A5AA06A1A
        SHA1:40FCA89A1D981585C1FC7FAC86F2FF891E6F87B0
        SHA-256:94629987441F8272589AAE10C0ACF1EC57A954E94E626A7CC8E5A2BBD1523BE4
        SHA-512:B2C7A6DC87589A1F2AAB05C1CF61EB7DFE35A7BB037EECD19CF5D636903759EE26EAA23B94753681E42F38FECF0F972AF555CCD3C14E6A5A188D9203D19D3399
        Malicious:false
        Reputation:low
        Preview:--2025-04-17 05:47:56-- https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2..Resolving wetransfer.com (wetransfer.com)... 18.160.78.78, 18.160.78.5, 18.160.78.7, .....Connecting to wetransfer.com (wetransfer.com)|18.160.78.78|:443... connected...HTTP request sent, awaiting response... 404 Not Found..The name is too long, 355 chars total...Trying to shorten.....New name is local-bartender@apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4...2025-04-17 05:47:57 ERROR 404: Not Found.....
        No static file info


        • Total Packets: 11
        • 443 (HTTPS)
        • 53 (DNS)
        TCP packets, port 443 (HTTPS)
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Apr 17, 2025 11:47:57.376003027 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.376044989 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.376125097 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.378015995 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.378031015 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.607109070 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.607209921 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.609144926 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.609153986 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.609555006 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.610847950 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.656270981 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902132034 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902164936 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902218103 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902221918 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.902245998 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902260065 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.902739048 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4
        Apr 17, 2025 11:47:57.902806044 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.907181978 CEST | 49712 | 443 | 192.168.2.4 | 18.160.78.78
        Apr 17, 2025 11:47:57.907201052 CEST | 443 | 49712 | 18.160.78.78 | 192.168.2.4

        UDP packets, port 53 (DNS)
        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Apr 17, 2025 11:47:57.263075113 CEST | 58870 | 53 | 192.168.2.4 | 1.1.1.1
        Apr 17, 2025 11:47:57.370412111 CEST | 53 | 58870 | 1.1.1.1 | 192.168.2.4

        DNS queries
        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
        Apr 17, 2025 11:47:57.263075113 CEST | 192.168.2.4 | 1.1.1.1 | 0x6053 | Standard query (0) | wetransfer.com | A (IP address) | IN (0x0001) | false

        DNS answers
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Apr 17, 2025 11:47:57.370412111 CEST | 1.1.1.1 | 192.168.2.4 | 0x6053 | No error (0) | wetransfer.com | (none) | 18.160.78.78 | A (IP address) | IN (0x0001) | false
        Apr 17, 2025 11:47:57.370412111 CEST | 1.1.1.1 | 192.168.2.4 | 0x6053 | No error (0) | wetransfer.com | (none) | 18.160.78.5 | A (IP address) | IN (0x0001) | false
        Apr 17, 2025 11:47:57.370412111 CEST | 1.1.1.1 | 192.168.2.4 | 0x6053 | No error (0) | wetransfer.com | (none) | 18.160.78.7 | A (IP address) | IN (0x0001) | false
        Apr 17, 2025 11:47:57.370412111 CEST | 1.1.1.1 | 192.168.2.4 | 0x6053 | No error (0) | wetransfer.com | (none) | 18.160.78.124 | A (IP address) | IN (0x0001) | false
        • wetransfer.com
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.4 | 49712 | 18.160.78.78 | 443 | 7792 | C:\Windows\SysWOW64\wget.exe

        Timestamp | Bytes transferred | Direction | Data
        2025-04-17 09:47:57 UTC | 554 | OUT | GET /download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2 HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
        Accept: */*
        Accept-Encoding: identity
        Host: wetransfer.com
        Connection: Keep-Alive
        2025-04-17 09:47:57 UTC | 928 | IN | HTTP/1.1 404 Not Found
        Content-Type: text/html; charset=utf-8
        Content-Length: 7947
        Connection: close
        Cache-Control: private, no-cache, no-store, max-age=0, must-revalidate
        Cross-Origin-Opener-Policy: same-origin
        Date: Thu, 17 Apr 2025 09:47:57 GMT
        ETag: "asyiw80d5964r"
        Referrer-Policy: strict-origin-when-cross-origin
        Set-Cookie: _wt_snowplowid.0497=0fa1034a-1639-4f09-bce3-948f15fde98d.1744883277804.0.1744883277804.; Max-Age=63072000; Domain=.wetransfer.com; Path=/
        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        Vary: Accept-Encoding
        X-Content-Type-Options: nosniff
        X-DNS-Prefetch-Control: on
        X-Frame-Options: SAMEORIGIN
        X-XSS-Protection: 1; mode=block
        X-Cache: Error from cloudfront
        Via: 1.1 6065fa4dfa87d92a6009e7fe74c3def0.cloudfront.net (CloudFront)
        X-Amz-Cf-Pop: ATL59-P2
        Alt-Svc: h3=":443"; ma=86400
        X-Amz-Cf-Id: -UrsoIgpRu-jBLnDtdxz7RaQ9dR8s1pgTfQU3kdLXcqBchYj0oHETQ==
        2025-04-17 09:47:57 UTC | 7487 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 53 65 74 3d 22 75 74 66 2d 38 22 2f 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 69 6e 74 65 72 65 73 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 70 69 6e 22 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66
        Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><meta name="viewport" content="width=device-width, minimum-scale=1, initial-scale=1"/><meta name="pinterest" content="nopin"/><meta name="ref
        2025-04-17 09:47:57 UTC | 460 | IN | Data Raw: 70 74 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 72 69 67 68 74 3a 30 3b 62 6f 74 74 6f 6d 3a 30 3b 70 61 64 64 69 6e 67 3a 33 32 70 78 22 3e 3c 68 31 3e 74 69 74 6c 65 3c 2f 68 31 3e 3c 70 3e 74 65 78 74 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 6e 6f 73 63 72 69 70 74 3e 3c 70 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 45 36 35 30 35 30 3b 63 6f 6c 6f 72 3a 77 68 69 74 65 3b 74 6f 70 3a 30 3b 6c 65 66 74 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 31
        Data Ascii: pt><div style="display:none;visibility:hidden;position:fixed;background:#fff;top:0;left:0;right:0;bottom:0;padding:32px"><h1>title</h1><p>text</p></div><noscript><p style="position:fixed;background-color:#E65050;color:white;top:0;left:0;margin:0;padding:1



        Target ID:0
        Start time:05:47:56
        Start date:17/04/2025
        Path:C:\Windows\SysWOW64\cmd.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2" > cmdline.out 2>&1
        Imagebase:0xc70000
        File size:236'544 bytes
        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:1
        Start time:05:47:56
        Start date:17/04/2025
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff62fc20000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:2
        Start time:05:47:56
        Start date:17/04/2025
        Path:C:\Windows\SysWOW64\wget.exe
        Wow64 process (32bit):true
        Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://wetransfer.com/download/local-bartender?apiBase=%2Fapi%2Fv4&ddProxyBase=https%3A%2F%2Flocal-bartender-dd-proxy.wetransfer.net%2Fapi&transferId=28d58f463b372b48b39f0aa6b326a68120250417092917&secret=fa855c&domainUserId=d96e4c44-1959-4ec5-9ca6-c016f7b0aef8&intent=single_file&fileIds=af1b562ab57456f064ccd665283f782d20250417092955&localStorageId=4ac1e42d-b3b1-4088-ad71-1cc0210cb6c2"
        Imagebase:0x400000
        File size:3'895'184 bytes
        MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        No disassembly