
Analysis

  • max time kernel
    627s
  • max time network
    454s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 12:52

General

  • Target

    https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (5 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (14 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (52 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa37e46f8,0x7ffaa37e4708,0x7ffaa37e4718
      2⤵
      PID:3884
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      2⤵
      PID:3516
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1080
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      2⤵
      PID:828
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      2⤵
      PID:2236
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      2⤵
      PID:2940
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
      2⤵
      PID:1976
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      2⤵
      PID:5000
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      2⤵
      PID:4928
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
      2⤵
      PID:1604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
      2⤵
      PID:3664
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      2⤵
      PID:2736
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
      2⤵
      PID:2416
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1996
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2868
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1756
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1488
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1880
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3428
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\ProgramData\001\arab.exe
      "C:\ProgramData\001\arab.exe" C:\ProgramData\001\arab.bin
      2⤵
      • Executes dropped EXE
      PID:2780
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
      2⤵
      • Executes dropped EXE
      PID:3364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        PID:1444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
          PID:3816
    • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
      "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
      2⤵
      • Executes dropped EXE
      PID:3424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
        3⤵
        PID:1156
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          4⤵
          PID:4724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4876
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /f "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
    1⤵
    PID:436
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of FindShellTrayWindow
    PID:4940
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2600
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4204
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2892
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap14452:222:7zEvent10638 -ad -saa -- "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple"
    1⤵
    PID:1164
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4196
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3780
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid
      2⤵
      PID:3868
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:736
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os
      2⤵
      PID:1560
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4388
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name
      2⤵
      PID:2228
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3272
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch
      2⤵
      PID:880
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2100
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple.rb
      2⤵
      PID:228
  • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe
    "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe"
    1⤵
    • Executes dropped EXE
    PID:4364
  • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe
    "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe"
    1⤵
    • Executes dropped EXE
    PID:1788
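The chain worth hunting for in this tree: 7-Zip opens the archive (PID 1488), msiexec.exe installs filter.msi from the user's desktop (PID 1880), the Windows Installer service instance (msiexec.exe /V, PID 3428) writes arab.exe and the REBOL interpreter rebol-view-278-3-1.exe under C:\ProgramData and runs them, and the interpreter launches a cmd.exe one-liner that writes the domain\user, the OS major.minor parsed out of ver, and the processor architecture to the files name, os and arch. The srtasks.exe and vssvc.exe activity is the installer creating a restore point (ExecuteScopeRestorePoint), a normal side effect of an MSI install, not the payload touching shadow copies. The Python below is an added example, not code from the report, the sandbox or the sample: it runs that logic over constructed Sysmon-style process-creation records. The PIDs, the ProcEvent field layout and the function names are assumptions.

```python
"""Hunting logic for the MirrorBlast-style chain in the process tree above.

Added example, not code from the report or the sample. The records below are
constructed Sysmon-style process-creation events modelled on the tree; the PIDs
and the ProcEvent field layout are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str    # command line as logged


# Constructed sample (PIDs are illustrative; paths mirror the report).
SAMPLE_EVENTS = [
    # The user double-clicked filter.msi on the desktop after 7-Zip opened the archive.
    ProcEvent(1880, 1488, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi"'),
    # Windows Installer service instance (msiexec /V) that runs the package's custom actions.
    ProcEvent(3428, 700, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    # The dropped REBOL interpreter running the dropped script.
    ProcEvent(3364, 3428, r"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe",
              r'"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb'),
    # Host fingerprinting one-liner: user, OS major.minor from ver, CPU architecture.
    ProcEvent(1444, 3364, r"C:\Windows\SysWOW64\cmd.exe",
              r"""C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch"""),
    # Benign noise: a user editor and a plain ver call must not fire.
    ProcEvent(4321, 1, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Admin\notes.txt"),
    ProcEvent(5555, 4321, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ver"),
]

# msiexec.exe /i <package>: capture the package path, quoted or not.
MSIEXEC_INSTALL = re.compile(r'msiexec(?:\.exe)?"?\s+/i\s+"?(?P<pkg>[^"]+?\.msi)', re.I)

# Directories a legitimate msiexec /i is usually launched from; anything else
# (Desktop, Downloads, Temp, ProgramData) deserves a look.
TRUSTED_MSI_DIRS = (r"c:\windows\installer", r"c:\program files", r"c:\program files (x86)")

# Fragments of the fingerprinting one-liner; three of four is the threshold so a
# minor variant (a different output file name, say) still matches.
FINGERPRINT_MARKS = ("%USERDOMAIN%", "%USERNAME%", "('ver')", "%PROCESSOR_ARCHITECTURE%")


def is_user_path_msi_install(ev: ProcEvent) -> bool:
    """msiexec.exe /i on a package outside the trusted installer directories."""
    m = MSIEXEC_INSTALL.search(ev.cmdline)
    return bool(m) and not m.group("pkg").lower().startswith(TRUSTED_MSI_DIRS)


def is_dropped_exe_launch(ev: ProcEvent) -> bool:
    """Executable started from C:\\ProgramData, where the installer wrote its payload."""
    return ev.image.lower().startswith("c:\\programdata\\")


def is_host_fingerprint(ev: ProcEvent) -> bool:
    """cmd.exe collecting user, OS version and architecture in one command line."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return False
    return sum(mark in ev.cmdline for mark in FINGERPRINT_MARKS) >= 3


def ancestors(events, pid, limit=4):
    """Walk parent links upward from pid (inclusive), at most `limit` hops."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < limit:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hunt(events):
    """Tag every event with the behaviours it matches; returns [(pid, tags), ...]."""
    checks = (
        ("msiexec_install_from_user_path", is_user_path_msi_install),
        ("dropped_exe_in_programdata", is_dropped_exe_launch),
        ("cmd_host_fingerprint", is_host_fingerprint),
    )
    findings = []
    for ev in events:
        tags = tuple(name for name, check in checks if check(ev))
        if tags:
            findings.append((ev.pid, tags))
    return findings


def fingerprint_via_dropped_exe(events):
    """Higher-confidence hit: a fingerprinting cmd.exe whose parent chain contains
    an executable launched from ProgramData. Returns [(pid, dropped image), ...]."""
    hits = []
    for ev in events:
        if not is_host_fingerprint(ev):
            continue
        dropped = [a for a in ancestors(events, ev.ppid) if is_dropped_exe_launch(a)]
        if dropped:
            hits.append((ev.pid, dropped[0].image))
    return hits


if __name__ == "__main__":
    for pid, tags in hunt(SAMPLE_EVENTS):
        print(pid, ", ".join(tags))
    for pid, image in fingerprint_via_dropped_exe(SAMPLE_EVENTS):
        print(f"fingerprinting cmd.exe {pid} descends from dropped {image}")
```

The per-event tags are low confidence on their own (administrators run msiexec from Downloads, and cmd.exe /c ver is ordinary); the parent-chain check is what turns the one-liner into an alert, because a shell that collects user, OS and architecture from underneath an executable in ProgramData has no benign explanation in this tree.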

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e5a692c.rbs
    Filesize: 1KB
    MD5: eca4ea8456aa851fc7de8c7c711fe12d
    SHA1: 6952f34d9b9b1eed7bd5da9c1b89501048c124c2
    SHA256: c6137872656f4dde717d3d557621767d3166c3e9ee321c34a74fbad29c6bd09d
    SHA512: 006f41fc3884a0352458d2017eb2c945c83dc1d580ee0072d56d7842e8304abd3286848c891ac349f68a6a91a3ef3ef632522b448046fd1cace93d261b10b3a9

  • C:\Config.Msi\e5a692e.rbs
    Filesize: 3KB
    MD5: a7dbd3db5265c500487f87a96ce2e238
    SHA1: 5dff846c27be9bcdf3332ba5d62748691bab6823
    SHA256: 40d774262fd01e6fb990803401e8a3a0932de44509e1cbf8cfe523074f6a3f81
    SHA512: aec77d8d8569501774d3cc988a68e5ad6a331354283dccf49619e9f9fcd823a18f3092f1f01d4e107d7cd260cbda2f0f71f3a65c0c0982447f14812695c4bea4

  • C:\Config.Msi\e5a6930.rbs
    Filesize: 4KB
    MD5: f73896202f1af89a491ac53a4367fc5b
    SHA1: 314576a998d21bdcba1265521cb6b7de0018347c
    SHA256: 4d2ff2f554738bfdd29d7b60f3b43c94cd4089404cfe39a18c3f34ca2b796f6a
    SHA512: cae01f515bf2500722c98622eea9d94bf1672c75ca174fdbc2f8f5da37c6db014f6f5bed91295071e3f81bf37c610ee0cdb7b77e8315241b003a9878a8e4bf95

  • C:\ProgramData\001\arab.bin
    Filesize: 261B
    MD5: 01bd4206c38b1a2cc925c10ea78f3be7
    SHA1: fd941083abcd7392f1071f035293cacca02f3b03
    SHA256: f6f2874755794840dc06a660603c78d4b4a294099719ff86f9e3c1af3e713172
    SHA512: a97f1dd147dc7ce2bd5b38ae5cbb0799b5b53073ba9617c1cf21c1c7f4c3870a5b0c4575c681971c6bd51572f98e91c48ccd910aa7b908fa090d83a7804ee2ec

  • C:\ProgramData\001\arab.exe
    Filesize: 288KB
    MD5: 6c14b77096d4d6bfbe97f93411103e72
    SHA1: af1c6129ef6bbc51b31c6cc64799cc6299047a39
    SHA256: e95681e20ab19a50abdacd73c7d9eac9cfec7d949a23b8346b84d8f4bc493ca5
    SHA512: 3f6a5f53ee8c7268e297aafe33b408fb529b4647b5b31155e21b02d85d60799a5ec7eea65365c75bd4151a6e48a2b5d8bfcfe56e967919470388fbb7b1c72924

  • C:\ProgramData\Local\Google\arch
    Filesize: 6B
    MD5: 8a882b4a938846d19520af8484f09012
    SHA1: 4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe
    SHA256: 1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b
    SHA512: 299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543

  • C:\ProgramData\Local\Google\exemple.rb
    Filesize: 1002B
    MD5: 73002084795612b74c26e7c4db0ef48f
    SHA1: 366337f7f7088f3accd78d6385216dbfaa6af42e
    SHA256: 8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e
    SHA512: d0377e3c1353596bbd37f58632d363faafe8fd5df62e5026ef1e76b611a771de7b2f1e42fe283c97637e48417c37eaf1a5dd66b800a914d307cfc695d25dd431

  • C:\ProgramData\Local\Google\name
    Filesize: 18B
    MD5: aeba54e87efe494502179c0cc16c388e
    SHA1: f053768cc6597e32054690a4a7741af9f93033d4
    SHA256: a9333fd8057b1f9138ffe7488b969591b6e098d8c22d59b816190de9a5bb6d1f
    SHA512: 8a42d54addaa9e0d20dda0b3d08e9e4ae93fc8e0274e01949b2c3909d052b6c41cc0523cd671319bcd3afc14bee465cab043343c6b7af4f97e83b42b41cfcb7f

  • C:\ProgramData\Local\Google\os
    Filesize: 8B
    MD5: 83228b44ffe10b0d443969580b022f44
    SHA1: 1ebe8668b8ce8d9524cc539ab9c6af022e861d60
    SHA256: b57eac3cb43c42d7f2cc137b372a9271fe3906444bd9a9ed4b16c20ee3e9e70d
    SHA512: cc7c82779ffce41b68bb21a48c9872c27177353eac12d9f0364d98abbefda106af05486cf8a246a6192754d077d19fed46ce4e0018b7eb1ef724b1f15b397660

  • C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
    Filesize: 844KB
    MD5

                                                        aa2f4fd92fe00de85428f39a6e0e9cfd

                                                        SHA1

                                                        1def65dde53ab24c122da6c76646a36d7d910790

                                                        SHA256

                                                        215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

                                                        SHA512

                                                        952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        a8e767fd33edd97d306efb6905f93252

                                                        SHA1

                                                        a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                                        SHA256

                                                        c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                                        SHA512

                                                        07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                        Filesize

                                                        152B

                                                        MD5

                                                        439b5e04ca18c7fb02cf406e6eb24167

                                                        SHA1

                                                        e0c5bb6216903934726e3570b7d63295b9d28987

                                                        SHA256

                                                        247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                                        SHA512

                                                        d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\04d4347b-d1d3-40c3-9280-4951fe40fd59.tmp

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        daa8b0ec604f3667f2731c9cc5d06736

                                                        SHA1

                                                        d629e3f19861747e394a3e2a430bf58c1d30909b

                                                        SHA256

                                                        4260941e9dfd8d8df418c0f50eb7e550bd29c09af2e6a50f4fb694882222315a

                                                        SHA512

                                                        dd6c46dd78c7c6fa5f37e2637442c4471a0a8f2406664448ca82717cd31798e3cbc1e36310345a53757914619cb1acae56e1b1bb2f579f7b8f81aa40c52d2900

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        06ad427e708881538e4b071ccadbb5b4

                                                        SHA1

                                                        aae9ca3dc229365b39923af3bfd87e88195f78cb

                                                        SHA256

                                                        a0935c7d8c24114c22dce6e6afe8b30d6f2a6f675b298ad536cf7bf74b5f354f

                                                        SHA512

                                                        16d661f75e16e6999eb93c1a06f7705e6509ddb33d5872ad23cd8778bdf1ed9561d7a1d7109531811eb8e088157ab248a0acf483096405a41ac4d118b6b75149

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        865823609ea719295ae6308b1f9c5973

                                                        SHA1

                                                        5aa7cbd5054371a290ca4e7a3d6d131fae9b3e8f

                                                        SHA256

                                                        5a59d1387ce79d13634e02579c4ed2acd52f3c00adf0e4ab0980ff293c7ae02b

                                                        SHA512

                                                        284144578d1eceb4100508b921635835d60c99c25839e4307c71bf1a2c306f99a111321336cd1c014797caac8128db0b60f78912394049863f03b13556a9a9f0

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                        Filesize

                                                        16B

                                                        MD5

                                                        6752a1d65b201c13b62ea44016eb221f

                                                        SHA1

                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                        SHA256

                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                        SHA512

                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                        MD5

                                                        3ec90766d683a26e917faa3d6c586a9d

                                                        SHA1

                                                        889b2d87da0ebcf3431985d8f22f12edd9b514e5

                                                        SHA256

                                                        3436bdb5bd7fc5f0cd73bff32c069a3806a1cff4ebc6a7e57ab8fa61e1f22be6

                                                        SHA512

                                                        758a2a7ab3c9c105a11e79e6824b4d715a7bd27e6edce5fcf83c7e84358785f89fad25a0dc3e0b685d031d6fa531e7d553a81760524fb1d27a3b8c86fddfd33b

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                        MD5

                                                        b0b3815f50ea69a4dca25fd0892afa8a

                                                        SHA1

                                                        e541b853d8dfe1b46317cb04e2814bb5f61ff197

                                                        SHA256

                                                        2ae9a7ac6779b4c8d6e8e1d6fb20ffc161321c195165ff6449324dc33dc73df3

                                                        SHA512

                                                        d7a2378d726b360d9ebf4ead05528cd7d392b750e121f518d49d6e3497b81c28bdf00ba36b0e08ed77bbdcf75144736d9f3e30f2b7b3a670a6fefde20b5fef68

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        11KB

                                                        MD5

                                                        5e963d797e8ade790e2c0b70d34b735d

                                                        SHA1

                                                        23aac6d8770458ad07d224722caef59ee3a19290

                                                        SHA256

                                                        7d6c0379401336af61849420a0670c8efef96ee96b1492f39d2f362a27fc3b85

                                                        SHA512

                                                        b64423aeaa391bf99099d267d62bbdac4180ca11639a7e9d0daa48ecc741d393374e684e8a0c455697e41b832a2f3c73d28046ff50fd0f6ef1f10c51a2cc559b

                                                      • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi

                                                        Filesize

                                                        548KB

                                                        MD5

                                                        13173913da1f35728d84e78a3de983c9

                                                        SHA1

                                                        9a1437af2d653fc265472a47edab9f22d49b1941

                                                        SHA256

                                                        0e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb

                                                        SHA512

                                                        3627ec46eb5b8cbdfd28015b38de6cd2279ff15be67e1a5d0c58a86fc1c165a39f4dd2d664977f7ce8a4ded9d2d678ce09c6fa3962e1b93f8543049313527a52

                                                      • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name

                                                        Filesize

                                                        31B

                                                        MD5

                                                        d711ee9c21d7890b6bcba9084248d5fd

                                                        SHA1

                                                        f7307e0922726e5cbf8b54ea8a6126f023b8daf9

                                                        SHA256

                                                        05f0a15c64adae29c13b458d56b225e67c33c81b78c49a792d75ca658d93bb70

                                                        SHA512

                                                        a1fcf1c5c4253fe9cde575247f12075a33f9dd71b206a6df2caf89707f8b03d266a4d79a1a8c4887cac0da8fe2fc6d8ec8f2f6edf8827bfa203e1ec3502d6396

                                                      • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid

                                                        Filesize

                                                        36B

                                                        MD5

                                                        ce7313ffeb22da6e1c2b9581b4423e55

                                                        SHA1

                                                        b74bc267663d7904eaa7d7806464422fb574147f

                                                        SHA256

                                                        6dafcb567c44079c788e695d9fea6e5dff69a514451ec318e71dd8e795ddede0

                                                        SHA512

                                                        0a106f356f2b6248c6d5f77235af2d5f64555b8add60f88e85a71c770d564057444a17a67f614b3f90ffb0fd27c97618fc6b97eb417e7dc00c6bf9f1cef89579

                                                      • C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi

                                                        Filesize

                                                        184KB

                                                        MD5

                                                        8b6199f5d5465c327c8c30ac9fdfd23a

                                                        SHA1

                                                        40c894efe07f5e54ffebddd13575eacc9a0968bb

                                                        SHA256

                                                        ed7709cbbad9e164a45235be5270d6fb3492010ea945728a7d58f65f63434e58

                                                        SHA512

                                                        169bf6e3b547b4c1a0d94dc1841e1bf86efa0c6f3b3bda55d3259c2465d0f500c3ea8642c283dfd3811ae08a55cc7caf9a4ce30eff1a052ef4bd3cc3c9aac594

                                                      • C:\Users\Admin\Downloads\Unconfirmed 508999.crdownload

                                                        Filesize

                                                        2.7MB

                                                        MD5

                                                        18c79a3915121517737d1d69219f32b1

                                                        SHA1

                                                        3c2b0454022c13db17170f8ea8043a8435fa69d6

                                                        SHA256

                                                        032a874bc9250336b2b8734d8981797962b9097ea4348f132add594238e20f10

                                                        SHA512

                                                        be30aae78c3313851e22d22237889f38bea744967a75ae977bb2d9502f6aa44daf954b046ef90d46800a8fc9196b989e7960645f13a2cd58f75c3d47f4e05641

                                                      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

                                                        Filesize

                                                        23.7MB

                                                        MD5

                                                        d17575c7e5100a36efad00986bc436b6

                                                        SHA1

                                                        fe8ea2a254275318ec249c61fe437f99580933ba

                                                        SHA256

                                                        b70581085944c405614d03da2f36e6e674a95b1dd143331523d92a7f46df6237

                                                        SHA512

                                                        17b726ef4eefd63d7825a2f71a27ab1d14ca99bfae2c54c3a848ab6196055c5828da53cd633c869581bda39bdedeb73911402f174d5a27a0b81b2a8c4058cc8a

                                                      • \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82fb32a8-afd1-461b-b5de-70975861443b}_OnDiskSnapshotProp

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        997b8d2d72203a4f1fb39e1832f8c342

                                                        SHA1

                                                        da7319636973426ad2437d9ebedd8e507e7d7402

                                                        SHA256

                                                        0e23c8c41e688990c9cfd1095a72b299fbe3b9f84e14f578aae381e33e74c349

                                                        SHA512

                                                        23e331c1c9751be6ea62b0249398914462c90d794758e29941c4ccf6afd84d38b6c6f3be4e9b5571595980d9d4454383fd05a51975b152bb6b87694767398e64
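Turning the dropped-file list above into something a responder can sweep a host with needs two things the list itself does not state: the same path can carry several hashes (Edge's Local State is listed three times because the browser rewrote it during the run), and the tiny files under C:\ProgramData\Local\Google\ look host-specific (name is 18B in one copy and 31B in the other, uuid is 36B, the length of a textual UUID), so their hashes will not recur on another machine and only the path is worth matching. The scanner below is an added example, my own code and not part of the tria.ge report or of the analysed sample. It copies a handful of SHA256 values from the list above into REPORT_IOCS, streams each file so the 23.7MB shadow-copy entry would not be read into memory, and reports three kinds of hit: reported path with a reported hash, reported hash at some other path (a copied or renamed artifact), and reported path with unknown content. Everything in demo() is constructed: the directory tree, the stand-in payload whose hash replaces the real exemple.rb hash, and the fake hostname. The real 844KB rebol-view-278-3-1.exe is not reproduced here.

```python
"""Sweep a directory tree against a sandbox report's dropped-file hashes.

Added example, not code from tria.ge or from the sample under analysis.
"""
import hashlib
import tempfile
from pathlib import Path

# Subset of the report's dropped files. Keys are paths relative to the drive
# root, forward-slashed and lower-cased; values are every SHA256 the report
# lists for that path. Local State has three entries because the browser kept
# rewriting it while the sample ran; a single hash per path would miss two.
REPORT_IOCS = {
    "programdata/local/google/exemple.rb": {
        "8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e"},
    "programdata/local/google/name": {
        "a9333fd8057b1f9138ffe7488b969591b6e098d8c22d59b816190de9a5bb6d1f"},
    "programdata/local/google/os": {
        "b57eac3cb43c42d7f2cc137b372a9271fe3906444bd9a9ed4b16c20ee3e9e70d"},
    "programdata/local/google/rebol-view-278-3-1.exe": {
        "215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85"},
    "users/admin/appdata/local/microsoft/edge/user data/local state": {
        "3436bdb5bd7fc5f0cd73bff32c069a3806a1cff4ebc6a7e57ab8fa61e1f22be6",
        "2ae9a7ac6779b4c8d6e8e1d6fb20ffc161321c195165ff6449324dc33dc73df3",
        "7d6c0379401336af61849420a0670c8efef96ee96b1492f39d2f362a27fc3b85"},
}


def sha256_of(path: Path) -> str:
    """Hash a file in 64KB chunks so large artifacts are never fully in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, iocs=REPORT_IOCS):
    """Classify every file under root against iocs.

    exact     - reported path carrying one of its reported hashes
    renamed   - a reported hash sitting at a path the report does not list
    path_only - a reported path whose content is not in the report (per-host
                files such as name, or a later rewrite of a browser file)
    Hits are (relative path, sha256); lists are sorted for stable output.
    """
    by_hash = {d: p for p, digests in iocs.items() for d in digests}
    hits = {"exact": [], "renamed": [], "path_only": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix().lower()
        digest = sha256_of(p)
        if rel in iocs and digest in iocs[rel]:
            hits["exact"].append((rel, digest))
        elif digest in by_hash:
            hits["renamed"].append((rel, digest))
        elif rel in iocs:
            hits["path_only"].append((rel, digest))
    for kind in hits:
        hits[kind].sort()
    return hits


def demo():
    """Run scan() over a constructed tree in a temp dir and return the hits.

    The report's real files cannot be recreated here, so the exemple.rb IOC is
    swapped for the hash of a constructed stand-in payload (an assumption of
    the demo, not a value from the report).
    """
    payload = b"constructed stand-in for exemple.rb\n"
    iocs = {k: set(v) for k, v in REPORT_IOCS.items()}
    iocs["programdata/local/google/exemple.rb"] = {hashlib.sha256(payload).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        google = root / "ProgramData" / "Local" / "Google"
        google.mkdir(parents=True)
        (google / "exemple.rb").write_bytes(payload)            # exact
        copy = root / "Users" / "Public" / "copy.rb"
        copy.parent.mkdir(parents=True)
        copy.write_bytes(payload)                               # renamed
        (google / "name").write_text("constructed-hostname")    # path_only
        (root / "Windows").mkdir()
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ unrelated")  # no hit
        return scan(root, iocs)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for rel, digest in entries:
            print(f"{kind:9} {digest[:16]}... {rel}")
```

On a real host, point scan() at the drive root (Path("C:/")) and feed it the full table; a path_only hit on the Google directory is still worth triage because the directory itself, not the per-host content, is the consistent artifact.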