hxxp:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

max time kernel
0s
max time network
1088s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	msedge.exe
1908	msedge.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2536	4952	msedge.exe	12
PID 4952 wrote to memory of 2536	4952	msedge.exe	12
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 3544	4952	msedge.exe	25
PID 4952 wrote to memory of 1908	4952	msedge.exe	18
PID 4952 wrote to memory of 1908	4952	msedge.exe	18
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19
PID 4952 wrote to memory of 3752	4952	msedge.exe	19

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc53046f8,0x7ffcc5304708,0x7ffcc5304718
1⤵
PID:2536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:///search?q=reflection+nebula&rlz=1CAKLUN_enGB1063&oq=&gs_lcrp=EgZjaHJvbWUqCQgFEEUYOxjCAzIJCAAQRRg7GMIDMgkIARBFGDsYwgMyCQgCEEUYOxjCAzIJCAMQRRg7GMIDMgkIBBBFGDsYwgMyCQgFEEUYOxjCAzIJCAYQRRg7GMIDMgkIBxBFGDsYwgPSAQsyODE5NDAzajBqN6gCCLACAQ&sourceid=chrome&ie=UTF-8&safe=active&ssui=on
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2988 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5284 /prefetch:2
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9724039273679719267,7732824072490842418,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8ff61eaea29f9c3af36b1330fecc873

SHA1
a05fec4d9d23fc88b4e630e4331e2c9b1b01bb31

SHA256
7cc4966d9594d1522a0e0084236571cf5d5839a04d22521be45f3b8a109166f7

SHA512
b08db74cd370688c9494502220ea410fd6ad90459b5da60955ed69b1d7bff10491e000f6124fa7ad5371663fc092ba331112bb2ae1d1995ff9d98ff0694c7da4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit