Analysis
max time kernel: 627s
max time network: 454s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 12:52
tasks: static1 (Static task), urlscan1 (URLScan task), behavioral1 (Behavioral task)
Sample: https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip
Resource: win10v2004-20240508-en
General
Target: https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip
Malware Config
Signatures
Executes dropped EXE (5 IoCs)
pid   process
2780  arab.exe
3364  rebol-view-278-3-1.exe
3424  rebol-view-278-3-1.exe
4364  rebol-view-278-3-1.exe
1788  arab.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str) by msiexec.exe: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\ProgramData\\Local\\Google\\rebol-view-278-3-1.exe -w -i -s C:\\ProgramData\\Local\\Google\\exemple.rb"
- Set value (str) by msiexec.exe: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (value name and data not shown in the report)
The persistence is written by the Windows Installer service on behalf of the MSI, which is why the process column reads msiexec.exe rather than the payload. The value name "Google Chrome" disguises an autostart of the REBOL interpreter rebol-view-278-3-1.exe with the dropped script exemple.rb; the backslashes appear doubled because the report escapes them.
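The Run-key entry above is the one durable artefact the installer leaves on the host. The following added example (not from the tria.ge report or from the MirrorBlast tooling) triages such a value: it splits the value data into image path and arguments, then flags an image outside Program Files or Windows, a display name that imitates a known product while pointing at a different binary, and a script host launched with a script on its command line. The report's entry is reproduced with single backslashes (the report shows them doubled); the benign Chrome control entry, the trusted-directory allow-list, the product/image table and the script-host list are assumptions made for this example.

```python
"""Triage of a Run-key autostart value such as the one written by this MSI.

Added example, not part of the tria.ge report or of the MirrorBlast tooling.
The report entry is reproduced with single backslashes (the report shows them
doubled); the benign control entry and the lists below are assumptions.
"""
import ntpath

# (value name, value data) copied from the Run key IoC in this report.
REPORT_RUN_VALUE = (
    "Google Chrome",
    r"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe -w -i -s C:\ProgramData\Local\Google\exemple.rb",
)
# Constructed benign control shaped like a genuine Chrome autostart entry (not from the report).
BENIGN_RUN_VALUE = (
    "Google Chrome",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window',
)

# Assumed: autostart images are expected to live under one of these prefixes.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed: display-name keyword -> image names a genuine entry would point at.
EXPECTED_IMAGE = {"chrome": {"chrome.exe"}, "edge": {"msedge.exe"}, "onedrive": {"onedrive.exe"}}
# Assumed: script hosts that execute a file named on their command line; "rebol" covers rebol-view-*.exe.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rebol")


def split_command(data):
    """Split Run value data into (image path, arguments).

    A quoted image path is honoured; an unquoted one is cut at the first space,
    which is adequate when the path itself contains no spaces, as in this report.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    image, _, args = data.partition(" ")
    return image, args.strip()


def assess_run_entry(name, data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    image, args = split_command(data)
    base = ntpath.basename(image).lower()
    findings = []
    # Autostart binary living in a user-writable location such as C:\ProgramData.
    if not image.lower().startswith(TRUSTED_PREFIXES):
        findings.append(f"image outside Program Files/Windows: {image}")
    # Display name borrowed from a well-known product but pointing at another binary.
    for keyword, images in EXPECTED_IMAGE.items():
        if keyword in name.lower() and base not in images:
            findings.append(f"name '{name}' mimics {keyword} but image is {base}")
    # Interpreter autostarted with a script argument: the script is the real payload.
    if base.startswith(SCRIPT_HOSTS) and args:
        findings.append(f"script host {base} launched with arguments: {args}")
    return findings


if __name__ == "__main__":
    for label, entry in (("report", REPORT_RUN_VALUE), ("control", BENIGN_RUN_VALUE)):
        print(label, assess_run_entry(*entry) or ["clean"])
```

Run against the report's entry the function returns all three findings; the constructed Chrome control returns none. On a live host the same checks apply to every value under HKCU and HKLM ...\CurrentVersion\Run and RunOnce, and the script path named in the arguments is the file to collect next.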
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (64 opens in total; most letters are probed more than once; D: and F: do not appear)
All 64 events come from the Windows Installer service, which probes volumes while processing an MSI; on its own this signature carries little weight for this sample.
Drops file in Windows directory (14 IoCs)
All by msiexec.exe:
- File created: C:\Windows\Installer\SourceHash{DEA88988-9EB8-4997-B469-14BBF4540314}
- File opened for modification: C:\Windows\Installer\MSI4CD2.tmp
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File created: C:\Windows\Installer\e5a692d.msi
- File created: C:\Windows\Installer\SourceHash{7DAD0B07-2406-4203-AE21-B31650B1B6AE}
- File created: C:\Windows\Installer\e5a692b.msi
- File opened for modification: C:\Windows\Installer\e5a692b.msi
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Installer\MSI1C3B.tmp
- File created: C:\Windows\Installer\e5a692f.msi
- File opened for modification: C:\Windows\Installer\e5a692f.msi
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSI69F6.tmp
- File opened for modification: C:\Windows\Installer\e5a692d.msi
The e5a692*.msi files are the Installer's cached copies of the packages and the two SourceHash{...} GUIDs are the product codes of the installed MSIs; both survive on disk and are useful host-forensic pivots. The MSI*.tmp files are custom-action binaries the Installer extracted at install time.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All by vssvc.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters:
- Key queried: Device Parameters
- Key created: Device Parameters\Partmgr
- Set value (data): Device Parameters\Partmgr\PartitionTableCache = (value elided)
- Set value (data): Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (begins with the ASCII tag "SNAPPART")
- Key opened: Device Parameters
The process here is the Volume Shadow Copy service, not the sample: the Installer creates a system restore point (see srtasks.exe ExecuteScopeRestorePoint in the process tree) and the snapshot writes the partition-manager cache values above. Treat this as installer noise, not anti-sandbox behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
All by msedge.exe:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
These reads come from the browser that fetched the sample, not from the MirrorBlast payload.
Modifies registry class (6 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings by msedge.exe (1 event) and OpenWith.exe (5 events)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid process: 1080 msedge.exe (x2), 3892 msedge.exe (x2), 3600 identity_helper.exe (x2), 4308 msedge.exe (x2), 3428 msiexec.exe (x6)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid process: 1488 7zFM.exe, 2100 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid process: 3892 msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 1488 7zFM.exe: SeRestorePrivilege, privilege 35 (unnamed in the report; LUID 35 is SeCreateSymbolicLinkPrivilege), SeSecurityPrivilege (x3)
- 1880 msiexec.exe (/i filter.msi): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 enables, the Installer client's enable-everything pattern)
- 3428 msiexec.exe (service, /V): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x5), SeTakeOwnershipPrivilege (x4)
- 464 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2584 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (each x2)
- 4876 msiexec.exe (/i 10opd3r_load.msi): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege (list cut off at the 64-IoC limit)

Suspicious use of FindShellTrayWindow (52 IoCs)
pid process: 3892 msedge.exe (x38), 1488 7zFM.exe (x4), 1880 msiexec.exe (x2), 4876 msiexec.exe (x2), 4940 msiexec.exe (x2), 2600 7zFM.exe, 4204 7zFM.exe, 2892 7zFM.exe, 4196 7zFM.exe

Suspicious use of SendNotifyMessage (24 IoCs)
pid process: 3892 msedge.exe (x24)

Suspicious use of SetWindowsHookEx (64 IoCs)
pid process: 3780, 736, 4388 and 3272 OpenWith.exe (64 hook installs spread across the four OpenWith.exe instances)

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 writes are by 3892 msedge.exe into its own child processes: 3884 (x2), 1080 (x2), and 3516 and 828, which account for the remaining 60. This is ordinary Chromium child-process bootstrapping by the browser, not injection by the sample.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows parent/child depth in the tree; the bullets under a process are the signatures it triggered. The 7-Zip, OpenWith.exe and NOTEPAD.EXE entries, and the msiexec /i invocations with quoted paths, are consistent with the analyst opening the archive, launching the MSIs and inspecting the dropped files by hand during the interactive session.

[PID 3892] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [PID 3884] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa37e46f8,0x7ffaa37e4708,0x7ffaa37e4718
  [PID 3516] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  [PID 1080] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  [PID 828] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  [PID 2236] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  [PID 2940] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  [PID 1976] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  [PID 3600] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  [PID 5000] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  [PID 4928] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  [PID 1604] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  [PID 3664] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  [PID 4308] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  [PID 2736] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  [PID 2416] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,10535351111439257434,6855797622568577256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

[PID 1996] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 2868] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[PID 1756] C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[PID 1488] C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[PID 1880] C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[PID 3428] C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  [PID 2584] C:\Windows\system32\srtasks.exe
    cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
  [PID 2780] C:\ProgramData\001\arab.exe
    cmdline: "C:\ProgramData\001\arab.exe" C:\ProgramData\001\arab.bin
    - Executes dropped EXE
  [PID 3364] C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
    cmdline: "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
    - Executes dropped EXE
    [PID 1444] C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
      [PID 3816] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ver
  [PID 3424] C:\ProgramData\Local\Google\rebol-view-278-3-1.exe
    cmdline: "C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb
    - Executes dropped EXE
    [PID 1156] C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch
      [PID 4724] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ver

msiexec.exe /V (PID 3428) is the Windows Installer service; the client instances started with /i hand the package over to it, so every action performed by the MSIs' custom actions is attributed to PID 3428. The payload chain is the service launching arab.exe with arab.bin and the REBOL interpreter rebol-view-278-3-1.exe with exemple.rb; the script then spawns cmd.exe to record the user (%USERDOMAIN%\%USERNAME%), the OS version (from ver) and the CPU architecture into the files name, os and arch next to it. cmd.exe runs from SysWOW64 because rebol-view is a 32-bit process, so %PROCESSOR_ARCHITECTURE% reports the WoW64 value.

[PID 464] C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

[PID 4876] C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[PID 436] C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /f "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"

[PID 4940] C:\Windows\System32\msiexec.exe
  cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\10opd3r_load.msi"
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow

[PID 2600] C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid"
  - Suspicious use of FindShellTrayWindow

[PID 4204] C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os"
  - Suspicious use of FindShellTrayWindow

[PID 2892] C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name"
  - Suspicious use of FindShellTrayWindow

[PID 1164] C:\Program Files\7-Zip\7zG.exe
  cmdline: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap14452:222:7zEvent10638 -ad -saa -- "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple"

[PID 4196] C:\Program Files\7-Zip\7zFM.exe
  cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch"
  - Suspicious use of FindShellTrayWindow

[PID 3780] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  [PID 3868] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid

[PID 736] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  [PID 1560] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\os

[PID 4388] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  [PID 2228] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name

[PID 3272] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  [PID 880] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\arch

[PID 2100] C:\Windows\system32\OpenWith.exe
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  [PID 228] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\exemple.rb

[PID 4364] C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe
  cmdline: "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\rebol-view-278-3-1.exe"
  - Executes dropped EXE

[PID 1788] C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe
  cmdline: "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\001\arab.exe"
  - Executes dropped EXE
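To turn the tree above into detection logic, here is an added example (not part of the tria.ge report or of any MirrorBlast tooling) that rebuilds the relevant branch as Sysmon-style process-creation records and applies two rules: the Windows Installer service spawning a binary from outside the trusted program directories, and cmd.exe writing host reconnaissance (%USERDOMAIN%\%USERNAME%, ver, %PROCESSOR_ARCHITECTURE%) to files. Each hit is reported with its ancestry chain so the installer origin is visible. The records are hand-constructed from this report's tree (parent PIDs follow the tree; ppid 0 marks a branch root whose parent the report does not show); the trusted-directory list and the marker strings are assumptions.

```python
"""Process-tree triage for the MirrorBlast chain shown in this report.

Added example, not part of the tria.ge report. EVENTS is constructed by hand
from the report's process tree in Sysmon Event ID 1 shape; no real log is read.
"""
import ntpath
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed from the report's tree; ppid 0 = root of a branch (parent not recorded).
EVENTS = [
    Event(3892, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument '
          r"https://malware-traffic-analysis.net/2021/10/05/2021-10-05-MirrorBlast-malware-with-email-and-IOCs.zip"),
    Event(1880, 0, r"C:\Windows\System32\msiexec.exe",
          r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\filter.msi"'),
    Event(3428, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Event(2584, 3428, r"C:\Windows\system32\srtasks.exe",
          r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Event(2780, 3428, r"C:\ProgramData\001\arab.exe",
          r'"C:\ProgramData\001\arab.exe" C:\ProgramData\001\arab.bin'),
    Event(3364, 3428, r"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe",
          r'"C:\ProgramData\Local\Google\rebol-view-278-3-1.exe" -w -i -s C:/ProgramData/Local/Google/exemple.rb'),
    Event(1444, 3364, r"C:\Windows\SysWOW64\cmd.exe",
          r"""C:\Windows\system32\cmd.exe /c echo %USERDOMAIN%\%USERNAME% > name && for /f "tokens=4-5 delims=. " %i in ('ver') do echo %i.%j > os && echo %PROCESSOR_ARCHITECTURE% > arch"""),
    Event(3816, 1444, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c ver"),
]

# Assumed allow-list: children the Installer service starts from here (e.g. srtasks.exe) are not flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed markers for the recon one-liner; two or more, plus a file redirection, is a hit.
RECON_MARKERS = ("%USERDOMAIN%", "%USERNAME%", "%PROCESSOR_ARCHITECTURE%", "('ver')")


def basename(event):
    return ntpath.basename(event.image).lower()


def chain(events, pid):
    """Ancestry of pid as 'root -> ... -> leaf' image names, following ppid links."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]))
        pid = by_pid[pid].ppid
    return " -> ".join(reversed(names))


def detect(events):
    """Return (rule, pid, chain) tuples for every event matching either rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: msiexec.exe launching a binary that lives outside the trusted directories.
        if parent and basename(parent) == "msiexec.exe" \
                and not e.image.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("installer_launched_untrusted_binary", e.pid, chain(events, e.pid)))
        # Rule 2: cmd.exe collecting user, OS version and architecture and redirecting it to files.
        if basename(e) == "cmd.exe":
            hits = sum(1 for m in RECON_MARKERS if m in e.cmdline)
            if hits >= 2 and ">" in e.cmdline:
                findings.append(("host_recon_written_to_files", e.pid, chain(events, e.pid)))
    return findings


if __name__ == "__main__":
    for rule, pid, ancestry in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {ancestry}")
```

On these records the first rule fires for arab.exe and rebol-view-278-3-1.exe but not for srtasks.exe, and the second fires only for the cmd.exe instance that writes name, os and arch, not for its `cmd /c ver` child. Because rule 1 keys on the parent image rather than on file names, it also catches a repacked MSI that drops the same interpreter under a different name.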
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: eca4ea8456aa851fc7de8c7c711fe12d
  SHA1: 6952f34d9b9b1eed7bd5da9c1b89501048c124c2
  SHA256: c6137872656f4dde717d3d557621767d3166c3e9ee321c34a74fbad29c6bd09d
  SHA512: 006f41fc3884a0352458d2017eb2c945c83dc1d580ee0072d56d7842e8304abd3286848c891ac349f68a6a91a3ef3ef632522b448046fd1cace93d261b10b3a9
- Filesize: 3KB
  MD5: a7dbd3db5265c500487f87a96ce2e238
  SHA1: 5dff846c27be9bcdf3332ba5d62748691bab6823
  SHA256: 40d774262fd01e6fb990803401e8a3a0932de44509e1cbf8cfe523074f6a3f81
  SHA512: aec77d8d8569501774d3cc988a68e5ad6a331354283dccf49619e9f9fcd823a18f3092f1f01d4e107d7cd260cbda2f0f71f3a65c0c0982447f14812695c4bea4
- Filesize: 4KB
  MD5: f73896202f1af89a491ac53a4367fc5b
  SHA1: 314576a998d21bdcba1265521cb6b7de0018347c
  SHA256: 4d2ff2f554738bfdd29d7b60f3b43c94cd4089404cfe39a18c3f34ca2b796f6a
  SHA512: cae01f515bf2500722c98622eea9d94bf1672c75ca174fdbc2f8f5da37c6db014f6f5bed91295071e3f81bf37c610ee0cdb7b77e8315241b003a9878a8e4bf95
- Filesize: 261B
  MD5: 01bd4206c38b1a2cc925c10ea78f3be7
  SHA1: fd941083abcd7392f1071f035293cacca02f3b03
  SHA256: f6f2874755794840dc06a660603c78d4b4a294099719ff86f9e3c1af3e713172
  SHA512: a97f1dd147dc7ce2bd5b38ae5cbb0799b5b53073ba9617c1cf21c1c7f4c3870a5b0c4575c681971c6bd51572f98e91c48ccd910aa7b908fa090d83a7804ee2ec
- Filesize: 288KB
  MD5: 6c14b77096d4d6bfbe97f93411103e72
  SHA1: af1c6129ef6bbc51b31c6cc64799cc6299047a39
  SHA256: e95681e20ab19a50abdacd73c7d9eac9cfec7d949a23b8346b84d8f4bc493ca5
  SHA512: 3f6a5f53ee8c7268e297aafe33b408fb529b4647b5b31155e21b02d85d60799a5ec7eea65365c75bd4151a6e48a2b5d8bfcfe56e967919470388fbb7b1c72924
- Filesize: 6B
  MD5: 8a882b4a938846d19520af8484f09012
  SHA1: 4ba6aa85fc2d9c1f087fd0573ed818af71c4b6fe
  SHA256: 1009573fa6f897afcc5055f52a2216bfe7fcb308d6cab15922a5b3668df7f34b
  SHA512: 299aa6f6d42b8be1a827b8a2543b89de4c324a050d3aa34cf74b7550774586aeec60cccf83782c69569a0fb81a171e3ea6de0c56c11ec6f563b1fe1864452543
- Filesize: 1002B
  MD5: 73002084795612b74c26e7c4db0ef48f
  SHA1: 366337f7f7088f3accd78d6385216dbfaa6af42e
  SHA256: 8c1eb0ac7b5dbee43746828bfa4ddaaebeb46290d9161674027d80ef99bb243e
  SHA512: d0377e3c1353596bbd37f58632d363faafe8fd5df62e5026ef1e76b611a771de7b2f1e42fe283c97637e48417c37eaf1a5dd66b800a914d307cfc695d25dd431
- Filesize: 18B
  MD5: aeba54e87efe494502179c0cc16c388e
  SHA1: f053768cc6597e32054690a4a7741af9f93033d4
  SHA256: a9333fd8057b1f9138ffe7488b969591b6e098d8c22d59b816190de9a5bb6d1f
  SHA512: 8a42d54addaa9e0d20dda0b3d08e9e4ae93fc8e0274e01949b2c3909d052b6c41cc0523cd671319bcd3afc14bee465cab043343c6b7af4f97e83b42b41cfcb7f
- Filesize: 8B
  MD5: 83228b44ffe10b0d443969580b022f44
SHA11ebe8668b8ce8d9524cc539ab9c6af022e861d60
SHA256b57eac3cb43c42d7f2cc137b372a9271fe3906444bd9a9ed4b16c20ee3e9e70d
SHA512cc7c82779ffce41b68bb21a48c9872c27177353eac12d9f0364d98abbefda106af05486cf8a246a6192754d077d19fed46ce4e0018b7eb1ef724b1f15b397660
-
Filesize
844KB
MD5aa2f4fd92fe00de85428f39a6e0e9cfd
SHA11def65dde53ab24c122da6c76646a36d7d910790
SHA256215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85
SHA512952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\04d4347b-d1d3-40c3-9280-4951fe40fd59.tmp
Filesize6KB
MD5daa8b0ec604f3667f2731c9cc5d06736
SHA1d629e3f19861747e394a3e2a430bf58c1d30909b
SHA2564260941e9dfd8d8df418c0f50eb7e550bd29c09af2e6a50f4fb694882222315a
SHA512dd6c46dd78c7c6fa5f37e2637442c4471a0a8f2406664448ca82717cd31798e3cbc1e36310345a53757914619cb1acae56e1b1bb2f579f7b8f81aa40c52d2900
-
Filesize
6KB
MD506ad427e708881538e4b071ccadbb5b4
SHA1aae9ca3dc229365b39923af3bfd87e88195f78cb
SHA256a0935c7d8c24114c22dce6e6afe8b30d6f2a6f675b298ad536cf7bf74b5f354f
SHA51216d661f75e16e6999eb93c1a06f7705e6509ddb33d5872ad23cd8778bdf1ed9561d7a1d7109531811eb8e088157ab248a0acf483096405a41ac4d118b6b75149
-
Filesize
6KB
MD5865823609ea719295ae6308b1f9c5973
SHA15aa7cbd5054371a290ca4e7a3d6d131fae9b3e8f
SHA2565a59d1387ce79d13634e02579c4ed2acd52f3c00adf0e4ab0980ff293c7ae02b
SHA512284144578d1eceb4100508b921635835d60c99c25839e4307c71bf1a2c306f99a111321336cd1c014797caac8128db0b60f78912394049863f03b13556a9a9f0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53ec90766d683a26e917faa3d6c586a9d
SHA1889b2d87da0ebcf3431985d8f22f12edd9b514e5
SHA2563436bdb5bd7fc5f0cd73bff32c069a3806a1cff4ebc6a7e57ab8fa61e1f22be6
SHA512758a2a7ab3c9c105a11e79e6824b4d715a7bd27e6edce5fcf83c7e84358785f89fad25a0dc3e0b685d031d6fa531e7d553a81760524fb1d27a3b8c86fddfd33b
-
Filesize
11KB
MD5b0b3815f50ea69a4dca25fd0892afa8a
SHA1e541b853d8dfe1b46317cb04e2814bb5f61ff197
SHA2562ae9a7ac6779b4c8d6e8e1d6fb20ffc161321c195165ff6449324dc33dc73df3
SHA512d7a2378d726b360d9ebf4ead05528cd7d392b750e121f518d49d6e3497b81c28bdf00ba36b0e08ed77bbdcf75144736d9f3e30f2b7b3a670a6fefde20b5fef68
-
Filesize
11KB
MD55e963d797e8ade790e2c0b70d34b735d
SHA123aac6d8770458ad07d224722caef59ee3a19290
SHA2567d6c0379401336af61849420a0670c8efef96ee96b1492f39d2f362a27fc3b85
SHA512b64423aeaa391bf99099d267d62bbdac4180ca11639a7e9d0daa48ecc741d393374e684e8a0c455697e41b832a2f3c73d28046ff50fd0f6ef1f10c51a2cc559b
-
Filesize
548KB
MD513173913da1f35728d84e78a3de983c9
SHA19a1437af2d653fc265472a47edab9f22d49b1941
SHA2560e6451e1f0eadb89390f4360e2a49a2ffb66e92e8b3ae75400095e75f4dd6abb
SHA5123627ec46eb5b8cbdfd28015b38de6cd2279ff15be67e1a5d0c58a86fc1c165a39f4dd2d664977f7ce8a4ded9d2d678ce09c6fa3962e1b93f8543049313527a52
-
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\name
Filesize31B
MD5d711ee9c21d7890b6bcba9084248d5fd
SHA1f7307e0922726e5cbf8b54ea8a6126f023b8daf9
SHA25605f0a15c64adae29c13b458d56b225e67c33c81b78c49a792d75ca658d93bb70
SHA512a1fcf1c5c4253fe9cde575247f12075a33f9dd71b206a6df2caf89707f8b03d266a4d79a1a8c4887cac0da8fe2fc6d8ec8f2f6edf8827bfa203e1ec3502d6396
-
C:\Users\Admin\Desktop\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\ProgramData\Local\Google\uuid
Filesize36B
MD5ce7313ffeb22da6e1c2b9581b4423e55
SHA1b74bc267663d7904eaa7d7806464422fb574147f
SHA2566dafcb567c44079c788e695d9fea6e5dff69a514451ec318e71dd8e795ddede0
SHA5120a106f356f2b6248c6d5f77235af2d5f64555b8add60f88e85a71c770d564057444a17a67f614b3f90ffb0fd27c97618fc6b97eb417e7dc00c6bf9f1cef89579
-
Filesize
184KB
MD58b6199f5d5465c327c8c30ac9fdfd23a
SHA140c894efe07f5e54ffebddd13575eacc9a0968bb
SHA256ed7709cbbad9e164a45235be5270d6fb3492010ea945728a7d58f65f63434e58
SHA512169bf6e3b547b4c1a0d94dc1841e1bf86efa0c6f3b3bda55d3259c2465d0f500c3ea8642c283dfd3811ae08a55cc7caf9a4ce30eff1a052ef4bd3cc3c9aac594
-
Filesize
2.7MB
MD518c79a3915121517737d1d69219f32b1
SHA13c2b0454022c13db17170f8ea8043a8435fa69d6
SHA256032a874bc9250336b2b8734d8981797962b9097ea4348f132add594238e20f10
SHA512be30aae78c3313851e22d22237889f38bea744967a75ae977bb2d9502f6aa44daf954b046ef90d46800a8fc9196b989e7960645f13a2cd58f75c3d47f4e05641
-
Filesize
23.7MB
MD5d17575c7e5100a36efad00986bc436b6
SHA1fe8ea2a254275318ec249c61fe437f99580933ba
SHA256b70581085944c405614d03da2f36e6e674a95b1dd143331523d92a7f46df6237
SHA51217b726ef4eefd63d7825a2f71a27ab1d14ca99bfae2c54c3a848ab6196055c5828da53cd633c869581bda39bdedeb73911402f174d5a27a0b81b2a8c4058cc8a
-
\??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82fb32a8-afd1-461b-b5de-70975861443b}_OnDiskSnapshotProp
Filesize6KB
MD5997b8d2d72203a4f1fb39e1832f8c342
SHA1da7319636973426ad2437d9ebedd8e507e7d7402
SHA2560e23c8c41e688990c9cfd1095a72b299fbe3b9f84e14f578aae381e33e74c349
SHA51223e331c1c9751be6ea62b0249398914462c90d794758e29941c4ccf6afd84d38b6c6f3be4e9b5571595980d9d4454383fd05a51975b152bb6b87694767398e64
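The Downloads list above is what an analyst turns into a hash set for blocklisting or retro-hunting, and the page renders each entry in a flattened form (label and value fused on one line, or the Filesize value pushed onto the next line). The following Python is an added example, not part of the tria.ge report or of any MirrorBlast tooling: it parses entries in exactly that flattened form, rejects digests of the wrong length (a common sign of a truncated copy-paste), indexes them by SHA256, and matches arbitrary bytes against the set. The sample text is three entries copied from the list above (the path-less 844KB entry and the dropped `name` and `uuid` files); the bytes used for the lookup at the end are constructed and are not the content of any dropped file.

```python
"""Parse the flattened 'Downloads' hash entries of a tria.ge report into an IOC
set and match files against it. Added example; not the sandbox's own code."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Three entries copied from the report's Downloads list, in the fused
# label/value form the page shows. Backslashes are doubled for Python.
SAMPLE_DOWNLOADS = """\
-
Filesize
844KB
MD5aa2f4fd92fe00de85428f39a6e0e9cfd
SHA11def65dde53ab24c122da6c76646a36d7d910790
SHA256215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85
SHA512952b500e4a291a8bd58810529c1fcc17d969b082d29f00460aba6ada44a30ddc41595f8b0fe71e568ecba803df69985840f10f0a9e478c796c73dc5659ce314e
-
C:\\Users\\Admin\\Desktop\\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\\ProgramData\\Local\\Google\\name
Filesize31B
MD5d711ee9c21d7890b6bcba9084248d5fd
SHA1f7307e0922726e5cbf8b54ea8a6126f023b8daf9
SHA25605f0a15c64adae29c13b458d56b225e67c33c81b78c49a792d75ca658d93bb70
SHA512a1fcf1c5c4253fe9cde575247f12075a33f9dd71b206a6df2caf89707f8b03d266a4d79a1a8c4887cac0da8fe2fc6d8ec8f2f6edf8827bfa203e1ec3502d6396
-
C:\\Users\\Admin\\Desktop\\2021-10-05-MirrorBlast-malware-with-email-and-IOCs\\ProgramData\\Local\\Google\\uuid
Filesize36B
MD5ce7313ffeb22da6e1c2b9581b4423e55
SHA1b74bc267663d7904eaa7d7806464422fb574147f
SHA2566dafcb567c44079c788e695d9fea6e5dff69a514451ec318e71dd8e795ddede0
SHA5120a106f356f2b6248c6d5f77235af2d5f64555b8add60f88e85a71c770d564057444a17a67f614b3f90ffb0fd27c97618fc6b97eb417e7dc00c6bf9f1cef89579
"""

# "SHA1" is tried before "SHA256"/"SHA512"; they differ at the 4th character,
# so a SHA1 digest that happens to start with '1' (as above) still parses.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)\s*$")
SIZE_LINE = re.compile(r"^Filesize\s*(\S*)\s*$")
SIZE_VALUE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class DroppedFile:
    path: Optional[str]          # None when the report records no path
    size_text: str               # as printed, e.g. "844KB"
    hashes: dict = field(default_factory=dict)

    @property
    def approx_size_bytes(self) -> int:
        """The report rounds sizes, so this is approximate (assumed 1024-based)."""
        m = SIZE_VALUE.match(self.size_text)
        if not m:
            raise ValueError(f"unparseable size {self.size_text!r}")
        return int(float(m.group(1)) * UNIT[m.group(2)])


def _parse_entry(lines: list[str]) -> DroppedFile:
    path, size, hashes = None, None, {}
    it = iter(lines)
    for line in it:
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:   # catches truncated copies
                raise ValueError(f"{algo}: {len(digest)} hex chars, want {HEX_LEN[algo]}")
            hashes[algo] = digest
            continue
        m = SIZE_LINE.match(line)
        if m:
            size = m.group(1) or next(it, "").strip()   # fused, or on next line
            continue
        if path is None and line.strip():               # first free-text line is the path
            path = line.strip()
    if not size or "SHA256" not in hashes:
        raise ValueError("entry lacks Filesize or SHA256")
    return DroppedFile(path=path, size_text=size, hashes=hashes)


def parse_downloads(text: str) -> list[DroppedFile]:
    """Entries are separated by lines holding a lone '-'."""
    entries, chunk = [], []
    for line in text.splitlines():
        if line.strip() == "-":
            if chunk:
                entries.append(_parse_entry(chunk))
            chunk = []
        else:
            chunk.append(line.rstrip())
    if chunk:
        entries.append(_parse_entry(chunk))
    return entries


def index_by_sha256(entries: list[DroppedFile]) -> dict[str, DroppedFile]:
    return {e.hashes["SHA256"]: e for e in entries}


def export_hashes(entries: list[DroppedFile], algo: str = "SHA256") -> list[str]:
    """De-duplicated, sorted digest list suitable for a blocklist feed."""
    return sorted({e.hashes[algo] for e in entries if algo in e.hashes})


def digest_all(data: bytes) -> dict[str, str]:
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in HEX_LEN}


def match_bytes(data: bytes, index: dict[str, DroppedFile]) -> Optional[DroppedFile]:
    """Return the report entry whose SHA256 matches `data`, else None."""
    return index.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    found = parse_downloads(SAMPLE_DOWNLOADS)
    for e in found:
        print(e.path or "<no path recorded>", e.size_text, e.hashes["SHA256"])
    idx = index_by_sha256(found)
    # Constructed bytes, not a dropped file: no hit expected.
    print(match_bytes(b"constructed sample, not one of the dropped files", idx))
```

Feeding the whole Downloads section to `parse_downloads` works the same way; the length check is what makes a silently truncated SHA512 fail loudly instead of becoming a hash that never matches anything.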