Analysis

max time kernel: 440s
max time network: 441s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 19:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing
Resource: win10v2004-20240802-en
General

Target: https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid / Process: 4068 DarkRefflection.exe

Loads dropped DLL (1 IoC)
pid / Process: 4068 DarkRefflection.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
flow / ioc: 4 drive.google.com; 30 drive.google.com; 31 drive.google.com; 32 drive.google.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DarkRefflection.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe

Modifies registry class (3 IoCs)
description / ioc / Process:
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings msedge.exe
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings OpenWith.exe
- Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings 7zFM.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid / Process: 4164 msedge.exe (x2); 5084 msedge.exe (x2); 4576 identity_helper.exe (x2); 8 msedge.exe (x4); 4020 msedge.exe (x2); 4068 DarkRefflection.exe (x2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process: 4616 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
pid / Process: 5084 msedge.exe (all 13 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description / pid / Process:
- Token: SeRestorePrivilege 1804 7zFM.exe
- Token: 35 1804 7zFM.exe
- Token: SeRestorePrivilege 4616 7zFM.exe
- Token: 35 4616 7zFM.exe
- Token: SeSecurityPrivilege 4616 7zFM.exe
- Token: SeSecurityPrivilege 4616 7zFM.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid / Process: 5084 msedge.exe (all 64 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid / Process: 5084 msedge.exe (all 24 entries)

Suspicious use of SetWindowsHookEx (17 IoCs)
pid / Process: 3144 OpenWith.exe (x15); 4068 DarkRefflection.exe (x2)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target: PID 5084 (msedge.exe) wrote repeatedly to the memory of its child processes 716 (procid_target 82), 2848 (procid_target 83), 4164 (procid_target 84) and 2144 (procid_target 85); 64 entries in total.
Processes

Level 1: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5084

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd2ffd46f8,0x7ffd2ffd4708,0x7ffd2ffd4718
PID: 716

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
PID: 2848

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 4164

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
PID: 2144

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
PID: 1848

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
PID: 1512

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
PID: 2640

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4576

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
PID: 4888

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
PID: 4000

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
PID: 4936

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
PID: 2276

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
PID: 5004

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
PID: 3544

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
PID: 2912

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
PID: 2736

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
PID: 1060

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
PID: 5108

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1356 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 8

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4020

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
PID: 4020

Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,15257334133467590939,1729553790723823008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
PID: 3196

Level 1: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 2928

Level 1: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3276

Level 1: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 3144

Level 1: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2740

Level 1: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DarkRefflection.rar"
- Suspicious use of AdjustPrivilegeToken
PID: 1804

Level 1: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DarkRefflection.rar"
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID: 4616

Level 2: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO802C8B2C\Инструкция.txt
PID: 2708

Level 2: "C:\Users\Admin\AppData\Local\Temp\7zO80292B5D\DarkRefflection.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 4068

Level 3: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/redroom_hacks
PID: 2712

Level 4: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffd2ffd46f8,0x7ffd2ffd4708,0x7ffd2ffd4718
PID: 1028
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 111c361619c017b5d09a13a56938bd54
SHA1: e02b363a8ceb95751623f25025a9299a2c931e07
SHA256: d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512: fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Filesize: 152B
MD5: 983cbc1f706a155d63496ebc4d66515e
SHA1: 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256: cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512: d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 408B
MD5: c2b9bbb7bf3facda57dbea7b5f450ec4
SHA1: 96b3385c63493ca63ecc591a0d37048b9e8e2514
SHA256: a7e4f728ab290b1a184f5ed0adbf252d763f2cb259024b4d3309278c35dd40eb
SHA512: 3994a7cd7b8c28405cc710ab09f849047e5fcede906ea9fa15d98b8292a71143ad45e5eebc05a52e581e78b290d81e3976e6f43fc3693a0b04d9bcc5dc63e023

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 432B
MD5: 796ba93195ec421750e1655e08a54afb
SHA1: aece026caac3af214efb082aee7850d5fb399bab
SHA256: d228ff4d03d291a334ee1e3dae737e352fe515dd012497c6baee45d432e41216
SHA512: e7cb348b13c1e8816f84ed1e88e7528be6f16acb359ca6fde411dc470bfb32b78034571fb13938149a4f4282286b7e8cb512b0cb39b09fb5f128d6b7a4fb09de

Filesize: 3KB
MD5: a6ca1dfc978a9af0ddc7ffb96bdd196b
SHA1: 64a972beee0496f79f7907ae6f8a6e6ccc2520a5
SHA256: c6d869d932c1390f4aca79e0be927ff735912e79dbdf00178e101f68a874127e
SHA512: a66df8e0dc74e7179ba7c3fac4e5e2106bddab1f7208e5ad109d0672752b81a7dca8b0264c237f3378aff74eecefe2e98abd0c8c3a106def2ab9952e3d2fb1ab

Filesize: 3KB
MD5: 7f9eb9be5cb689787f5fbcb1ab575ae5
SHA1: 9b35983fbaaf267f49bc994b8fececc7b60b901e
SHA256: 8f4056e512fe31fe53d499000d1323f3b0898faee7c8ccaeb77e12da5cf82f72
SHA512: f5d946859c45ad58697a11d8ecb358437a224f973bde07e23dde9b9a590163d0c6710e2a11ac3a702ae754598de57010c56a32f61d90d3398b552babe571a7c0

Filesize: 3KB
MD5: 94c9223dc81f03cbcafa3cb5a077ea18
SHA1: b37c50bf2c797c8eff1f8203f997c33fcf5256fe
SHA256: 57be0a646e4a764b1ccee3f483252bcfa5701bc4a29a74cbafe653a5cf4a81cf
SHA512: 7fb1574a2a52bc3dc8612569bc7aeaa56ae9f47a38bc29c8e2f07531491f30c5f330dfda77ac1c5461bbb04f806cca67c36474932ff06a328b92456c577e72fc

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 3KB
MD5: 03f25fec77b79a5210167e3d63a1e5ff
SHA1: 36c286877e63d0236127c3ea25a41a5598d2bc05
SHA256: c7a67582af56b731f6e2c9bb1eab2e4db526f4cbb83eb8a633aa8b642e22edf4
SHA512: 2dabc8b6a7395c2812db2da328fa76934cc354e41cd07aa9910937b2905109c6add8f566f474b0f89c6601423f1fa48f30c5be70f41e6da4b9f9bdc099e94cfe

Filesize: 3KB
MD5: e533273ed62616ab3a686d06d1136b31
SHA1: b34b3473af99a81fe9f6fbd19e3708042e2be525
SHA256: 96154501bd350c96c1f3daf39566a477bebe8c889cb7f495fe4665f707d1ad09
SHA512: ca7ee6a561eb8ad7a72788a282adf8fed3c7e957ba81eb73da467ba4eba1a58e2b73d4a70a875fbebc443f5864aeaeb749e956fcf1813322270ea54234933f3b

Filesize: 3KB
MD5: 85fb5c0fde3268f289d8f36e872a629b
SHA1: 8bd317f3fba9fd892077b5a769b81dee027a6481
SHA256: 5114f81e2061a0b949095795378321c4b8bc7359445cab09bfc18732fc847e44
SHA512: 386f84d5f4ce409d95d494cdb566a2c8187e97b39d2f21ad7594ca1823e3ae6fb8b73a7ae951debd51a0b5e635b275bea6ec4e71f664217d3916d5dffc976608

Filesize: 3KB
MD5: 5b02299c42e225c9dea2919d1d160e9a
SHA1: 8a734159df9b6a4985f4cd5b13532d178c887fb7
SHA256: 96ba8d4208bb1285fa4da43b28b333207c002e200780d5b2684d6bfd28654797
SHA512: 015110f594e6a5d4b632f0e5f0f8f34c78925e4187625bf0f9e03a5e370fd6998924544d80c17b132d5085b2b2b1ea6fc7af2ef79fb447a44a10798bcf6ed37d

Filesize: 6KB
MD5: 9b9b4dcab157bd9357fc2ac578de94d8
SHA1: dc807a33337511743a51c59ecc2cd76c9fdde02d
SHA256: ed7698cf055b98aa90886e172e3fd02990fa583fe12ce9bc232342861772fb57
SHA512: 1b04588a1a49358bf30d663f7cb77d1af4259a339ef77800b97f3f53b0e52b4f22eb6a0c3bf92922b742fddfaae41d39348c78f5b0b90422cdf53f2f1d1c3ef3

Filesize: 5KB
MD5: 5d5bb4420a0420a1cbbed03a033893eb
SHA1: 968c845fde3d812d900c8c1864e03fc7c0ae06ba
SHA256: 6fcc10049d67466c22a4f551dfa84dff0a4c8eb0e3c7734d8d242a9df4cba898
SHA512: eb2808ead104512c2a982fe9ef39dfe02f5f484f1a67953934e8d83f48abdc8e19f52b0d7aa19bf84971892436967b949c878ae1fc6b7ebffded5c0ed5559a22

Filesize: 6KB
MD5: 4e1c7c6f099fbe511ff9257d4f10bb03
SHA1: f11df835452b1ccb82e27c65335896ae63c583bc
SHA256: 032bbf2b3e7c874eaa4213d33246f0b7d93aa2473acacc72c9a2a91168e5c082
SHA512: 9f7128bac2884974a4b23a6ddc7267c371825786e0d85cafd157a38355e86b1595e20e40ff6838628fa4b851a89ee58bb897440142f49932bb5fd7d052710a0f

Filesize: 1KB
MD5: db2aa617965add0d9044a86e84c13ce0
SHA1: dd188908aa9a6783f19f8088957a219ee7e7a6a0
SHA256: 9085c4e67f0e8de88cfcb79cbbe6d19e1d0f6544ed6c0422e2566ec9604e39aa
SHA512: a29cbf58574c7fc6beeed959ad4dda2bc48a1b458e09cc61e92e541dddc306723894abb11693026caef8c7d78af47e7e8338dd5b2f2f057cf6765089c24a67a0

Filesize: 1KB
MD5: 873f680f879ffb3ff4aa4c3bf649674d
SHA1: 5e468702e947e579dd415b4057832622d1163934
SHA256: e2fd2d7a560f824e04f024035b6747157c1b0a60621ec189a28804058319e038
SHA512: 3e38a52c19e62ca7bcf86af805e6d6ab02bed2eaef6e401f7adabcdbb4ffd699dbb189ecb9e02b79d1e8561d756f9486907c90fd304d88d58df85ab2aa1835ea

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eff0054f-2565-4cfe-bd76-670c65e9d2b3.tmp
Filesize: 6KB
MD5: aca2721f50083612aed777ac69ead730
SHA1: a01de503d377c4f2d2ea9c4ce3c87f8fa11bedc8
SHA256: 5c477ece132dc4f66adeb11a3622f98c7119562d0a290012b54825168c86e623
SHA512: 85b355927e7eb56ac9982f6ebc4e85eab94d3891f94a180baf7a15b737ca06f0c5f27a6c995b903f3724e94ffe3cf3127bcb7c9c88f82b5e52658e9225da1992

Filesize: 11KB
MD5: 056083f2fc3f63a44378a2211b4292d9
SHA1: 3b18b0911b18170b11ea21e16e29479eef492bbc
SHA256: 3c161d4240af7645954e35175f117fbc33e35fa7fb65cbab35f65aac79bfec80
SHA512: 4fd3dd012e32bd8bee1563d18d03b0fa658b1d3a485f35077801e1df79e5aeafb23081bd0282cfd43cd629a8a838ffa142c622158dcdf1c8ef8a5ac18d6ce3dd

Filesize: 11KB
MD5: 0622aaf889537d19888faf2f8096539e
SHA1: 9dfc6baf2dee0648dabe8722a6a069352784e227
SHA256: 4961d79fdc1b01ecce8f97a10bf0d307c655a5c5cc2b17e5624551180bf01604
SHA512: 9af23b766345f22fd39a3a5250d03f628a4e17449640c8e7a0e48a37c405e6e299fb0cfdb9ec1a0be354dac0b9ab01bfefa6f5f127d4671619790188286df8e3

Filesize: 10KB
MD5: 18f1b72e5a31f31fd337135bac6acb5e
SHA1: 58cfcdd3763168b0c511b679f369d1d07d263731
SHA256: cdc01b1624f7d6f256c81bc1368476c830bcb0640df44a2ceaaffd7989b2872d
SHA512: 9bb7ff66af2c0bc070d16fb47e7cc5cf1d672c7e8cfb6b187d6d8de28ffa595de065904178896561f4b4dfc32c63813f40841ee8e86301761abb9714d1055afa

Filesize: 34.6MB
MD5: 4084d96024c9cf19fba9996a944a4dea
SHA1: 7a4c3960f0c6548ec26e357e66a3ac230a680952
SHA256: 84a3aba8946a088189348592698b4905c2db2ff9399143ab1ce5cc9034c13444
SHA512: f9969fc09193781bac019c5a2d9891582142c254dee8d7b53866193c24baa40d3f4bb0ca3a57fb0f1c1af64735b63173a4e22135c21489aa0a87d8dae28e89a6

Filesize: 13.1MB
MD5: 63d6bc41c5fa99497670e1073fc08f9f
SHA1: ddc73364bb4b54336b9410d688ebcc8ba46dc20b
SHA256: 2da8127602f755b5c5ad367e869a1bd926c96e526448bf4e289ab83d4a30a64e
SHA512: 6feb8d1677a2ce4fc6b7d2f17236342a9fae327e4c76179007e69742fe1da9ca69fa5018888d4e52bd965f3ba14a5b28a8edbcc39b5c064cab615492b2afee53

Filesize: 5KB
MD5: cc218fe7a61937a5ef28c7e5ab0cd424
SHA1: 76307ad5c9da5f5aa6afd4a0d693d0e7c527f4db
SHA256: 75f128fec92d40883bda7422ad2c51aeec0ba6e10b0da699ad161e687eb87e6b
SHA512: d5d1f2ce6f8c71f6042f264f19ce4fdecb805f249923a78c3a2463a4e97248736c341d34bd8322803525fbd1b97e0634333ec94633ce497c9bc4b121c64dab47