hxxps://drive[.]google[.]com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing

Resubmissions

08/09/2024, 19:13

240908-xxevlstgje 7

08/09/2024, 19:05

240908-xrnkkatfja 7

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5988	DarkRefflection.exe

Loads dropped DLL 1 IoCs

pid	Process
5988	DarkRefflection.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkRefflection.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702965193227205"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
4188	msedge.exe
4188	msedge.exe
3652	identity_helper.exe
3652	identity_helper.exe
5620	msedge.exe
5620	msedge.exe
5988	DarkRefflection.exe
5988	DarkRefflection.exe
5480	chrome.exe
5480	chrome.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5880	7zFM.exe
Token: 35	5880	7zFM.exe
Token: SeSecurityPrivilege	5880	7zFM.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe
Token: SeCreatePagefilePrivilege	5480	chrome.exe
Token: SeShutdownPrivilege	5480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe
5480	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5988	DarkRefflection.exe
5988	DarkRefflection.exe
5480	chrome.exe
5480	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4488	4188	msedge.exe	85
PID 4188 wrote to memory of 4488	4188	msedge.exe	85
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3840	4188	msedge.exe	86
PID 4188 wrote to memory of 3164	4188	msedge.exe	87
PID 4188 wrote to memory of 3164	4188	msedge.exe	87
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88
PID 4188 wrote to memory of 1840	4188	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1aVCuHXMiEPJZhgYkfmin9Y_9f6hiewZx/view?usp=sharing
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8a1f46f8,0x7ffa8a1f4708,0x7ffa8a1f4718
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8111809280908062129,7397908852268106097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5200 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5520

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\DarkRefflection.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5880
- C:\Users\Admin\AppData\Local\Temp\7zO8F6C48F8\DarkRefflection.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8F6C48F8\DarkRefflection.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/redroom_hacks
    3⤵
    PID:2576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8a1f46f8,0x7ffa8a1f4708,0x7ffa8a1f4718
      4⤵
      PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa76d3cc40,0x7ffa76d3cc4c,0x7ffa76d3cc58
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3596,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,10179538739364180579,16054801073808140749,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:4300

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\7b4cfa6e-6596-4c2c-8639-68d54b4d4589.tmp

Filesize
205KB

MD5
8286872f015f85aea210388846b318df

SHA1
4d5bafa138b761c5163904579d4e586b1763cb10

SHA256
d828b179100b6596e01d98000e221f44a378112936a8af6565186517e16e8b64

SHA512
d7507cfa0d228a0266db440de6cea6c1f50c9c10c897d571191c0ffc6f1405f4a619aaa47719cdae03e3da706be2ad2e7b1ea258a8845162cf1775c5e19b7fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6cc14fa843e9faffa0791a9e7bc1bebd

SHA1
fe166ea109c458a986d519ba73a03df08830da66

SHA256
c5c2c96edb281d09ec0177e700947b95aa66b053f09f402b9546c60491f6d428

SHA512
8c601365a6923eefe33c9452b28eccb170581600e8efc662025222d6632bd54cc10682a65d78d5e76b751b16972bb80ac3aa4160898a0c52b0c00190c8a8f7b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
01b0aeb71804c3bf829e4277b7f32192

SHA1
e88f516ac3b54353fafce7672fd1c5d562d5d4f8

SHA256
518827c97e7fb6859909b8b4f731274df523fd4808c0d51849904340ec921c46

SHA512
9791102a2fd925dfdf56ba66ebbd937fd0c20061a9845e647682c13b57ed2ce19ab9e0234dfc057df809146931d8b54462846adcb7dc3c42554a091baff5330a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\ba546ee6-3c63-482d-8d9a-c7f9aab74126.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3dabb408c158339d295df96b076c432d

SHA1
e8c31451c3d6c9019463ed78aab07aee2910cfdf

SHA256
695ef0b54f9548ee974a26bfe513ef9d14f6b11bd7c807551a36d1c6b28a0e9d

SHA512
e2589ff4f09cd882be1939e7b2f75fe8cce7b8fd4bed21233d1a42b0d28ab30b490e72bff113520aa76d5b51b10dacd7e6e33b28ca21a889580154386d3f53b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c416411a9ff311da1949b2ef963993c0

SHA1
09f21526b7a79c88015bfda66f8d74a7bc6a11c9

SHA256
84814d1488188ae4c358aa58792f6a594679b6ee223aaf15ecece2f3bc038709

SHA512
632e1befda79fa4e4fe4a02154aac603fd46a9b1c5d3a12b8cecc1e56ba431f3e29e1decadf2cfacd896d7043b9020c5078d00066cdbfed6e579fd1082712676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f816f032d04f916e80cc5a10746a1611

SHA1
3ea546b883c69c6331894dd7b546812db61f95ef

SHA256
a08bca260ddd1763ff433ba022aa40a7ceb845beec5c69802300aa22406bc9cc

SHA512
fff9906bb4f27c4678835881e05c987f542454c6df7f843f5a026fc4bf9b9592d4344b758c80be957a14ae7a7e265d1dd19edf34907f258718a785fa408b447b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87913524c7d8c31dbec22888049f9e01

SHA1
54830694728e0a008434d15846e4adee406dded5

SHA256
d176fe1d322623c8c8dd38438c3bc0048642b507d02d627272c9c656ee7b9edd

SHA512
93708efd82f53965bbfb8300ebedb6e8ef3336627b6aeba668a638a490d9fada70954c6016d9b41152d0141fe9e29886fd81a0bee24ea5aaed91e066e526a797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ae901244810a5d99963faccbcb83246e

SHA1
a8cd5fe27d929c8b2fdb325a10706ec013336109

SHA256
8a5362c1604ff70d994dde7832b1d78614c6554c39375d2d47cb98ff548f96af

SHA512
6d1ee124db15b5127a13d08b10e39c4ed961f2ac7904d6d34023197c0eba20bfb457691aa6f6fe7bfd7b1c724309fcd874e83be5b39165202c7eec776b6e03a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
5914e8a7b3464def7611843e0cbb233d

SHA1
c67421f418b430a62084425e6ee1733dc61596bc

SHA256
4bc78fbb1ffd874294d87528ca81585b1a08dfe65488866225ebd5a5836bd17d

SHA512
1a12f3e603fde42677df2a41376a93fd963517a8ab63610c17cfbf1426ad0298606fac69fadfeaf86fce978ef1f9ba3a1de9c787902fc77d8ba4d7e7f47d21ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0cbfa71f-3f32-4dc4-a25e-5b157f95a323.tmp

Filesize
1KB

MD5
74aea4c6f9250573910e4e7ef8f5b053

SHA1
56201c9363be52d97ca980435856a244d53a76c0

SHA256
809f9328be0b9cf7c60daaffa681864aaad9d63699f0ab45c1299417b32277d7

SHA512
6b0ce84c181a4beaa2b5c834d311c45f5d8e6548617178f34ea8519da34bac34a55fb4d3688e2a7b37edbea9828869652c76cf20432fa1b96c6a2f3b4e97b280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
cdfded87031919ab375d9a9194456937

SHA1
82e5ed8a16787898a5b3d31db9c8696222b6e6df

SHA256
4fbed10eaa79d949404ff398842633f063c0d5fa1886ad010365dc60e5a14db0

SHA512
f8dd48fa1a4ef388477ed71429efcabc79f37251bce32677a0345ff07286d991fc90ecf810891b0d598381388c759d57abe491377694d61a30c8c05fa76624ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
ee35e48dda27c17249b9691f78a716e7

SHA1
8ea73c833ca9f643d946cf95c68610c8d4bacb58

SHA256
9dcc9eea12b22019d39017de37b030bbb3ad0c23d6279b3b7d19a05955f948b5

SHA512
937abd8443f60fcbb6cc15ec71f310d96e0f7e428256682fdd7eceea78a7c631517790ddd83b7e23df0d5fa6fe2967470230fd60926718e3bd3e5e41bfa19269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4cb763aa45d99c30bf38505260e1254c

SHA1
4eab14853d38cede92fddaf9cd78feeac92b6118

SHA256
ca66bbac4b143d1979ce85b301a4fcf1e04cf0ebb4c82ff9a0c2bf60a318d700

SHA512
6e15ec30e490f3b5f19561e6916fae0118feaccebea0faaf2d0d69917499270e98c98613bd43fd586d7f6856d983e6d5d353b848d31230d53f6969eba0298c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3aadf1c150c11951eec3dfae826d2afc

SHA1
ce094545f5d86dd02fd12e8492d1464cfc5738e6

SHA256
92aac17b180b5b291fc5a613677a92af9715ef60bbdef4ed80a08a0af062db68

SHA512
31b3720b550abd412238230833951d7e415c5d39a2e50613cf8766e40a054f7182cf8f727530e3e09a8ad7ced444045a8c492ca8c2a7baafa4f1a55e45770f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4286e0fbc1c9ea8b31e018ab1f3eab45

SHA1
0114138941bb46f6d395152c43634e9ce48060e7

SHA256
94977eadc580106284d1ab274df88a1450b1022faaa56ab52c07edfb73f4a2da

SHA512
e78c0ae9a1722c3bdbb52d34c28e98a6bd8e009deb44da125c5a25e21197b62bb76ee3c3cf851c36ac7ff9fe5633bd444172042026c3016ee83cc459fac3f37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4c1800e90c82df4ec97b4b5a19f6ec2

SHA1
f591ad4b2b338e5ccde6686dcf8ffd3f76a24e36

SHA256
4f2c03cf7fea1a727b8144dee5a9afbf192f9b9bb60940efadb1c654866c2507

SHA512
9f79236d4e6c69d93eca6dd9bab10cfaa10636100d9b6790ffcd0c403251cdac60273aaa70deccb26fde418c2660fc738eb1d01fe7e0298ae4f3851fe7416100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac43cd932e975e8436ebc5b3e97025c6

SHA1
c658d0fd9093778dd53211c14ad0f6bf1a5afb62

SHA256
31da9559b5acd13a1cabc8ddb60a89773c3635de3c4cc6221be3b3a271f1198c

SHA512
9b77c4938880a1e25df75e38cec66639701ddcf116aa078d2640a3f6afebbad006195b8e576d5411d101a3fcd314ded9665c3d2c88a75bf8ddd1b0126d6a81d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a836bc96b6c2990639e3a3ed332bdc44

SHA1
8152f7287a82ebb44f98a2064a2cd7ed6d910a2f

SHA256
8500f20c32e287bcd51f97cf52c6f9dc99f0aab65f1bb5e8e92024962b7f378c

SHA512
8bef9a683f65e9c8fd7a19ad489f522102bacb225534b7f17511dd876cf3810ce43936c443c36c3b45fb8ebee490f1ffdbdfeaf99260c0e4297b232b42455555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6be36f4d9db91f7d2ccf8b5070ed1a57

SHA1
2eb0b8e1bded253d33b5563c3fff997628ffec0d

SHA256
2fa5262959e11f35ac0dc961dc8e1bead67883d8db223525d4b10a88b8a99637

SHA512
410d09a2144ef3f7704305739844f6e3bfbe65a8ba989940ddeedcd1a98f891655e945fcf9518cc423b788950b82a8e2529a2dd1ad0bed6761c4c1df422a1fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e923.TMP

Filesize
1KB

MD5
df946f4ae030b2fef5746cbb18882ced

SHA1
813c1fa12f454a1973dfda6ff1c8ced5845dd342

SHA256
f97d227818f55a3d163bbe80ec56a89c40b62d12cbcb2794d921e4a077955c54

SHA512
27b700bf8e9304459921a3ed1be7c7fb9586aa2f8c57778907b3d946a8605ed526242d050976370f4032b1717b9cd7acb2839eeab47f22fef9982c99ba97f2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fec3b60d13c4a8059a617daf68835d7a

SHA1
2a3551811e243ad573509ac595d707b87bdaa1bd

SHA256
2a666da471724dc7d0f99e89b6b5233a89528c1d8ce8eb657e398dc041dd91e3

SHA512
2422bd7f57611438b1df4d6fc7e2782fa04bf36f592d5ae5674684259c9c4f11e89a2340509f83121c43e532c31fff86da181751a2c0de5a708a67e5c840ebd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e87e525927ae82cadf9d7e428efc8232

SHA1
48e833ffab043cfe95f20865bd32477e7868a661

SHA256
5d8b67b171cd305bd8bbb3cdec5511fab9f85f5628a6b07b01567dc2c558bb92

SHA512
a6adab397b9dc2e4dbd4aad2b6420e800ee7e4638e7e85aaa03dd103c86feb26c060cb5c4f8f438d444a182de5539abc26543faf797373a52178950e5e5eed33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7708a3134bab99cf837bcb525c7075b

SHA1
457842085752962b210a0ba3dd6e89b5fe4c6934

SHA256
fdb2354915f9ccf0da1a29a85249fcbd4473e2ba9064f5e764527b48856cfec9

SHA512
c5e6962fff549bbd33da4551f5a7e1bb0783686afe26eac53ee66501cd05a1a0edd2addf1c61bd8c7ef95747cd0efbf3e611b5692dd125f6b4558aa7b9976acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F6C48F8\DarkRefflection.exe

Filesize
34.6MB

MD5
4084d96024c9cf19fba9996a944a4dea

SHA1
7a4c3960f0c6548ec26e357e66a3ac230a680952

SHA256
84a3aba8946a088189348592698b4905c2db2ff9399143ab1ce5cc9034c13444

SHA512
f9969fc09193781bac019c5a2d9891582142c254dee8d7b53866193c24baa40d3f4bb0ca3a57fb0f1c1af64735b63173a4e22135c21489aa0a87d8dae28e89a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F6C48F8\SpoofLib.dll

Filesize
13.1MB

MD5
63d6bc41c5fa99497670e1073fc08f9f

SHA1
ddc73364bb4b54336b9410d688ebcc8ba46dc20b

SHA256
2da8127602f755b5c5ad367e869a1bd926c96e526448bf4e289ab83d4a30a64e

SHA512
6feb8d1677a2ce4fc6b7d2f17236342a9fae327e4c76179007e69742fe1da9ca69fa5018888d4e52bd965f3ba14a5b28a8edbcc39b5c064cab615492b2afee53

Download Submit
memory/5988-168-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/5988-169-0x00000000739A0000-0x00000000751DA000-memory.dmp

Filesize
24.2MB

Download
memory/5988-209-0x00000000002C0000-0x0000000002585000-memory.dmp

Filesize
34.8MB

Download