hxxps://drive[.]google[.]com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing

Resubmissions

08/09/2024, 19:13

240908-xxevlstgje 7

08/09/2024, 19:05

240908-xrnkkatfja 7

Analysis

max time kernel
440s
max time network
441s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4068	DarkRefflection.exe

Loads dropped DLL 1 IoCs

pid	Process
4068	DarkRefflection.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
30	drive.google.com
31	drive.google.com
32	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkRefflection.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	7zFM.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
5084	msedge.exe
5084	msedge.exe
4576	identity_helper.exe
4576	identity_helper.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
4020	msedge.exe
4020	msedge.exe
4068	DarkRefflection.exe
4068	DarkRefflection.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4616	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1804	7zFM.exe
Token: 35	1804	7zFM.exe
Token: SeRestorePrivilege	4616	7zFM.exe
Token: 35	4616	7zFM.exe
Token: SeSecurityPrivilege	4616	7zFM.exe
Token: SeSecurityPrivilege	4616	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe
5084	msedge.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
3144	OpenWith.exe
4068	DarkRefflection.exe
4068	DarkRefflection.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 716	5084	msedge.exe	82
PID 5084 wrote to memory of 716	5084	msedge.exe	82
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 2848	5084	msedge.exe	83
PID 5084 wrote to memory of 4164	5084	msedge.exe	84
PID 5084 wrote to memory of 4164	5084	msedge.exe	84
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85
PID 5084 wrote to memory of 2144	5084	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2ffd46f8,0x7ffd2ffd4708,0x7ffd2ffd4718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1356 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:3196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2740

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DarkRefflection.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DarkRefflection.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4616
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO802C8B2C\Инструкция.txt
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\7zO80292B5D\DarkRefflection.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO80292B5D\DarkRefflection.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/redroom_hacks
    3⤵
    PID:2712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffd2ffd46f8,0x7ffd2ffd4708,0x7ffd2ffd4718
      4⤵
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
c2b9bbb7bf3facda57dbea7b5f450ec4

SHA1
96b3385c63493ca63ecc591a0d37048b9e8e2514

SHA256
a7e4f728ab290b1a184f5ed0adbf252d763f2cb259024b4d3309278c35dd40eb

SHA512
3994a7cd7b8c28405cc710ab09f849047e5fcede906ea9fa15d98b8292a71143ad45e5eebc05a52e581e78b290d81e3976e6f43fc3693a0b04d9bcc5dc63e023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
796ba93195ec421750e1655e08a54afb

SHA1
aece026caac3af214efb082aee7850d5fb399bab

SHA256
d228ff4d03d291a334ee1e3dae737e352fe515dd012497c6baee45d432e41216

SHA512
e7cb348b13c1e8816f84ed1e88e7528be6f16acb359ca6fde411dc470bfb32b78034571fb13938149a4f4282286b7e8cb512b0cb39b09fb5f128d6b7a4fb09de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a6ca1dfc978a9af0ddc7ffb96bdd196b

SHA1
64a972beee0496f79f7907ae6f8a6e6ccc2520a5

SHA256
c6d869d932c1390f4aca79e0be927ff735912e79dbdf00178e101f68a874127e

SHA512
a66df8e0dc74e7179ba7c3fac4e5e2106bddab1f7208e5ad109d0672752b81a7dca8b0264c237f3378aff74eecefe2e98abd0c8c3a106def2ab9952e3d2fb1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7f9eb9be5cb689787f5fbcb1ab575ae5

SHA1
9b35983fbaaf267f49bc994b8fececc7b60b901e

SHA256
8f4056e512fe31fe53d499000d1323f3b0898faee7c8ccaeb77e12da5cf82f72

SHA512
f5d946859c45ad58697a11d8ecb358437a224f973bde07e23dde9b9a590163d0c6710e2a11ac3a702ae754598de57010c56a32f61d90d3398b552babe571a7c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
94c9223dc81f03cbcafa3cb5a077ea18

SHA1
b37c50bf2c797c8eff1f8203f997c33fcf5256fe

SHA256
57be0a646e4a764b1ccee3f483252bcfa5701bc4a29a74cbafe653a5cf4a81cf

SHA512
7fb1574a2a52bc3dc8612569bc7aeaa56ae9f47a38bc29c8e2f07531491f30c5f330dfda77ac1c5461bbb04f806cca67c36474932ff06a328b92456c577e72fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
03f25fec77b79a5210167e3d63a1e5ff

SHA1
36c286877e63d0236127c3ea25a41a5598d2bc05

SHA256
c7a67582af56b731f6e2c9bb1eab2e4db526f4cbb83eb8a633aa8b642e22edf4

SHA512
2dabc8b6a7395c2812db2da328fa76934cc354e41cd07aa9910937b2905109c6add8f566f474b0f89c6601423f1fa48f30c5be70f41e6da4b9f9bdc099e94cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e533273ed62616ab3a686d06d1136b31

SHA1
b34b3473af99a81fe9f6fbd19e3708042e2be525

SHA256
96154501bd350c96c1f3daf39566a477bebe8c889cb7f495fe4665f707d1ad09

SHA512
ca7ee6a561eb8ad7a72788a282adf8fed3c7e957ba81eb73da467ba4eba1a58e2b73d4a70a875fbebc443f5864aeaeb749e956fcf1813322270ea54234933f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
85fb5c0fde3268f289d8f36e872a629b

SHA1
8bd317f3fba9fd892077b5a769b81dee027a6481

SHA256
5114f81e2061a0b949095795378321c4b8bc7359445cab09bfc18732fc847e44

SHA512
386f84d5f4ce409d95d494cdb566a2c8187e97b39d2f21ad7594ca1823e3ae6fb8b73a7ae951debd51a0b5e635b275bea6ec4e71f664217d3916d5dffc976608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5b02299c42e225c9dea2919d1d160e9a

SHA1
8a734159df9b6a4985f4cd5b13532d178c887fb7

SHA256
96ba8d4208bb1285fa4da43b28b333207c002e200780d5b2684d6bfd28654797

SHA512
015110f594e6a5d4b632f0e5f0f8f34c78925e4187625bf0f9e03a5e370fd6998924544d80c17b132d5085b2b2b1ea6fc7af2ef79fb447a44a10798bcf6ed37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b9b4dcab157bd9357fc2ac578de94d8

SHA1
dc807a33337511743a51c59ecc2cd76c9fdde02d

SHA256
ed7698cf055b98aa90886e172e3fd02990fa583fe12ce9bc232342861772fb57

SHA512
1b04588a1a49358bf30d663f7cb77d1af4259a339ef77800b97f3f53b0e52b4f22eb6a0c3bf92922b742fddfaae41d39348c78f5b0b90422cdf53f2f1d1c3ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d5bb4420a0420a1cbbed03a033893eb

SHA1
968c845fde3d812d900c8c1864e03fc7c0ae06ba

SHA256
6fcc10049d67466c22a4f551dfa84dff0a4c8eb0e3c7734d8d242a9df4cba898

SHA512
eb2808ead104512c2a982fe9ef39dfe02f5f484f1a67953934e8d83f48abdc8e19f52b0d7aa19bf84971892436967b949c878ae1fc6b7ebffded5c0ed5559a22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e1c7c6f099fbe511ff9257d4f10bb03

SHA1
f11df835452b1ccb82e27c65335896ae63c583bc

SHA256
032bbf2b3e7c874eaa4213d33246f0b7d93aa2473acacc72c9a2a91168e5c082

SHA512
9f7128bac2884974a4b23a6ddc7267c371825786e0d85cafd157a38355e86b1595e20e40ff6838628fa4b851a89ee58bb897440142f49932bb5fd7d052710a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db2aa617965add0d9044a86e84c13ce0

SHA1
dd188908aa9a6783f19f8088957a219ee7e7a6a0

SHA256
9085c4e67f0e8de88cfcb79cbbe6d19e1d0f6544ed6c0422e2566ec9604e39aa

SHA512
a29cbf58574c7fc6beeed959ad4dda2bc48a1b458e09cc61e92e541dddc306723894abb11693026caef8c7d78af47e7e8338dd5b2f2f057cf6765089c24a67a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d5d26.TMP

Filesize
1KB

MD5
873f680f879ffb3ff4aa4c3bf649674d

SHA1
5e468702e947e579dd415b4057832622d1163934

SHA256
e2fd2d7a560f824e04f024035b6747157c1b0a60621ec189a28804058319e038

SHA512
3e38a52c19e62ca7bcf86af805e6d6ab02bed2eaef6e401f7adabcdbb4ffd699dbb189ecb9e02b79d1e8561d756f9486907c90fd304d88d58df85ab2aa1835ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eff0054f-2565-4cfe-bd76-670c65e9d2b3.tmp

Filesize
6KB

MD5
aca2721f50083612aed777ac69ead730

SHA1
a01de503d377c4f2d2ea9c4ce3c87f8fa11bedc8

SHA256
5c477ece132dc4f66adeb11a3622f98c7119562d0a290012b54825168c86e623

SHA512
85b355927e7eb56ac9982f6ebc4e85eab94d3891f94a180baf7a15b737ca06f0c5f27a6c995b903f3724e94ffe3cf3127bcb7c9c88f82b5e52658e9225da1992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
056083f2fc3f63a44378a2211b4292d9

SHA1
3b18b0911b18170b11ea21e16e29479eef492bbc

SHA256
3c161d4240af7645954e35175f117fbc33e35fa7fb65cbab35f65aac79bfec80

SHA512
4fd3dd012e32bd8bee1563d18d03b0fa658b1d3a485f35077801e1df79e5aeafb23081bd0282cfd43cd629a8a838ffa142c622158dcdf1c8ef8a5ac18d6ce3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0622aaf889537d19888faf2f8096539e

SHA1
9dfc6baf2dee0648dabe8722a6a069352784e227

SHA256
4961d79fdc1b01ecce8f97a10bf0d307c655a5c5cc2b17e5624551180bf01604

SHA512
9af23b766345f22fd39a3a5250d03f628a4e17449640c8e7a0e48a37c405e6e299fb0cfdb9ec1a0be354dac0b9ab01bfefa6f5f127d4671619790188286df8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
18f1b72e5a31f31fd337135bac6acb5e

SHA1
58cfcdd3763168b0c511b679f369d1d07d263731

SHA256
cdc01b1624f7d6f256c81bc1368476c830bcb0640df44a2ceaaffd7989b2872d

SHA512
9bb7ff66af2c0bc070d16fb47e7cc5cf1d672c7e8cfb6b187d6d8de28ffa595de065904178896561f4b4dfc32c63813f40841ee8e86301761abb9714d1055afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO80292B5D\DarkRefflection.exe

Filesize
34.6MB

MD5
4084d96024c9cf19fba9996a944a4dea

SHA1
7a4c3960f0c6548ec26e357e66a3ac230a680952

SHA256
84a3aba8946a088189348592698b4905c2db2ff9399143ab1ce5cc9034c13444

SHA512
f9969fc09193781bac019c5a2d9891582142c254dee8d7b53866193c24baa40d3f4bb0ca3a57fb0f1c1af64735b63173a4e22135c21489aa0a87d8dae28e89a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO80292B5D\SpoofLib.dll

Filesize
13.1MB

MD5
63d6bc41c5fa99497670e1073fc08f9f

SHA1
ddc73364bb4b54336b9410d688ebcc8ba46dc20b

SHA256
2da8127602f755b5c5ad367e869a1bd926c96e526448bf4e289ab83d4a30a64e

SHA512
6feb8d1677a2ce4fc6b7d2f17236342a9fae327e4c76179007e69742fe1da9ca69fa5018888d4e52bd965f3ba14a5b28a8edbcc39b5c064cab615492b2afee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO802C8B2C\Инструкция.txt

Filesize
5KB

MD5
cc218fe7a61937a5ef28c7e5ab0cd424

SHA1
76307ad5c9da5f5aa6afd4a0d693d0e7c527f4db

SHA256
75f128fec92d40883bda7422ad2c51aeec0ba6e10b0da699ad161e687eb87e6b

SHA512
d5d1f2ce6f8c71f6042f264f19ce4fdecb805f249923a78c3a2463a4e97248736c341d34bd8322803525fbd1b97e0634333ec94633ce497c9bc4b121c64dab47

Download Submit
memory/4068-286-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/4068-287-0x0000000073130000-0x000000007496A000-memory.dmp

Filesize
24.2MB

Download
memory/4068-310-0x0000000000E40000-0x0000000003105000-memory.dmp

Filesize
34.8MB

Download