Threat Round Up for Sept 22 - Sept 29

2017-09-29T13:56:00
ID TALOSBLOG:12EF3315B991E57A523BEB7918EF8A73
Type talosblog
Reporter noreply@blogger.com (Alexander Chiu)
Modified 2017-09-29T20:56:19

Description

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 22 and September 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.<br /><br />As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.<br /><a name='more'></a><br />The most prevalent threats highlighted in this round up are:<br /><br /><ul><li><b>Doc.Downloader.Jrat-6336393-1</b><br />Downloader<br />Malicious Office documents containing an embedded OLE object which can be an executable or Java JAR module mainly to contact certain domain and download additional malicious code<br /> </li><li><b>Doc.Dropper.Agent-6336814-0</b><br />Office Macro Downloader<br />This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.<br /> </li><li><b>Doc.Macro.DownloadExe-6336397-0</b><br />Office Macro<br />This set of downloaders use hardcoded URLs to download and execute a sample on the machine. The VBA contains no obfuscation and contains just enough functionality to accomplish its task.<br /> </li><li><b>Doc.Macro.VBSDownloader-6336817-0</b><br />Downloader<br />The macros in these Word documents are base64 encoded and, when executed, download additional malicious files from an obfuscated list of URLs.<br /> </li><li><b>Win.Ransomware.TorrentLocker-6336835-0</b><br />Ransomware<br />TorrentLocker uses AES encryption to encrypt files on an infected host before demanding a ransom payment in Bitcoin. Code is unpacked from a series of strings through character replacement, selective subset parsing, and a final conversion that is written to the stack for later execution. Spawned child processes and additional binary drops follow afterward.<br /> </li><li><b>Win.Spyware.CCBkdr-6336251-2</b><br />APT Supply chain attack<br />Version 5.33 of CCleaner was compromised before vendor signing and was distributed with a backdoor module embedded. More information available at <a href="http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html">http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html</a> and <a href="http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html">http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html</a><br /> </li><li><b>Win.Trojan.Beeldeb-6336738-0</b><br />Trojan<br />Win.Trojan.Beeldeb-6336738-0 is a self-executing AutoIT script. The malware payload is injected into a dropped executable. Further, the malware adds itself to the startup folder for persistence.<br /> </li><li><b>Win.Trojan.Cossta-237</b><br />Trojan<br />Win.Trojan.Cossta-237 is a trojan that will download additional files and potentially receive further instructions from its operator.<br /> </li><li><b>Win.Worm.Untukmu-5949608-0</b><br />Worm<br />This worm is highly malicious and contains several anti-analysis mechanisms such as anti-debugging techniques as well as to avoid its removal also in SafeBoot. After the infection it gains persistence and disable cmd and the registry editor.<br /> </li></ul><hr /><h2>Threats</h2><h3>Doc.Downloader.Jrat-6336393-1</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>mike22[.]linkpc[.]net</li></ul><b>Files and or directories created</b><br /><ul><li>%AppData%\Microsoft\Office\Recent\ITT Tender - ABB -3600002386- Provision of Supply and Installation.LNK</li></ul><b>File Hashes</b><br /><ul><li>1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0</li><li>1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e</li><li>339ceac2076e833babc1ac838848ab2787af062835a24f05e0bf20ab1ec79ccf</li><li>6f276350ce399502dbf870702e1a09ee39b591b93ebface9d3214ce9822aed61</li><li>7dd8b4746bf2de079b3b66e9d5e0492cde0a3838311252176a8831c3fd64b33b</li><li>7e4ef415a75cea7d3d610c44c0fa51d0fba956cc8136784115641054cd470fa0</li><li>9394e12d1fe6d3627f5f928aff4a15699aa129e44fd4fd9eba29f6ad5a4f7556</li><li>a5dfb783b89232fcc317194d267b8cf7204ae457d86eb5cdf703a656c03f1b71</li><li>a601c81547e7180d284e2fa701599615070653cceaf63108a11c40821edbf024</li><li>baba92ad2bf34ef95611656722344af6b60f731e7cdc4a341f64658837976899</li><li>bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383</li><li>50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217</li><li>d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2</li><li>db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f</li><li>f745e3687dabecb07c033a70db4f8c2cb14b9fc75c896304f6e9ed4dc6e3a1ba</li><li>fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a</li><li>522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-M_qXaQ3dZZ8/Wc6vf7jYwAI/AAAAAAAABXM/p3Ki002fJWQ8wH_3b45WjDwtqUwrfulXgCLcBGAs/s1600/Doc_Downloader_Jrat_6336393_1_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-M_qXaQ3dZZ8/Wc6vf7jYwAI/AAAAAAAABXM/p3Ki002fJWQ8wH_3b45WjDwtqUwrfulXgCLcBGAs/s400/Doc_Downloader_Jrat_6336393_1_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JEEc011pXK0/Wc6wNx5D13I/AAAAAAAABXk/4BE9MfqRdOooyAyGacjYfwEezAhqPlyaQCLcBGAs/s1600/Doc_Downloader_Jrat_6336393_1_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="387" data-original-width="1250" height="198" src="https://1.bp.blogspot.com/-JEEc011pXK0/Wc6wNx5D13I/AAAAAAAABXk/4BE9MfqRdOooyAyGacjYfwEezAhqPlyaQCLcBGAs/s640/Doc_Downloader_Jrat_6336393_1_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-X2zFhvxR0Y0/Wc6vqs1PMpI/AAAAAAAABXU/3f1Hn82lvZw4cBbuV7dq6h8QnE37eMxRACLcBGAs/s1600/Doc_Downloader_Jrat_6336393_1_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1112" height="196" src="https://4.bp.blogspot.com/-X2zFhvxR0Y0/Wc6vqs1PMpI/AAAAAAAABXU/3f1Hn82lvZw4cBbuV7dq6h8QnE37eMxRACLcBGAs/s640/Doc_Downloader_Jrat_6336393_1_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><br /><hr /><br /><h3>Doc.Dropper.Agent-6336814-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>acsbaroda[.]com</li><li>a[.]pomf[.]cat</li><li>b[.]reich[.]io</li><li>directlink[.]cz</li><li>nusacitracipta[.]co[.]id</li><li>u[.]teknik[.]io</li><li>wallpaperbekasi[.]co[.]id</li><li>www[.]b-f-v[.]info</li><li>www[.]noosabookkeepers[.]com[.]au</li><li>www[.]powerplusscable[.]com</li><li>www[.]styrenpack[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>\Users\Administrator\Documents\20170920\PowerShell_transcript.PC.Pbzg9q9Z.20170920011010.txt</li><li>\TEMP\Quotation_211.xls</li><li>%AppData%\Microsoft\Office\Recent\Quotation_211.LNK</li><li>%AppData%\Microsoft\Office\Recent\277336261.xls.LNK</li><li>%AppData%\Jaty\WebHelper.exe</li></ul><b>File Hashes</b><br /><ul><li>760d89498b3029b1c6fdc5feefa16170589a4b61414c6b1e9d76611031ab0bd5</li><li>19dc470f8c9a1a4e9e24707b68c43138178e81d4ec74e358941756667633c5b7</li><li>1d14387de0375c84c8c334fb4d29c8ec4e3c24cd9969bcd3acbb77cb65f77a11</li><li>a80e8da4851eccfad1b8c2b930389a1980dcdab0d193073a4d3dac2d6a0e73d7</li><li>f84e3b79c16a77db33d1f5ee66fa13d15f25fed78d219d77dfe83268650cd944</li><li>d1e2655394e9ffd7f7d502840ace6b0de7369c938abee8c1ddc84dcf73486dd3</li><li>81b61e9dd4682b079e0b1df3250640c99e0228d4bdcbef5f18bf4bd8fedbff09</li><li>5af528ce89a31516eb1b5303b0789b56ab64ad16d7d15193c8b24b5ac3ff22a0</li><li>a9fec7f8f911f431dd9934092903974c3206feefac7308f48087ab02fbc24927</li><li>93a1ddd820a187fd8db5ce8d595958fcfb34ea5c01b5971b359f318f8fe7bb3b</li><li>4eb507bf63d6273548238a6c7e6831b6b29363c1c37e9176b7c72a6c3faa862d</li><li>cffb8b6c103a443159c94dadd5058c3c083d906600f0db6291ab0e2f4c005b68</li><li>127cae520479d08e0bfa1b569ace82203cd8154f49f7a8569bfbc54d4c8c6da8</li><li>dfca64bac0dd845e4e0d98a0f0ce3ae235cddf2f6506fabb7923a2d5e0da3129</li><li>c1f97901518b6dab1c4516a7f400430030011c26f52cd429299d4331938b70bd</li><li>c3baeac24f2416d21e64df05b568600c3be76a6365e7cb5b8dbfdfe64ae95c46</li><li>ac535056dcd65160165ad9e53bc5bc4e08b61ce129fb37d7f7b727c4e1a875df</li><li>af9f674bc5a26324b62f8c5a67f256b6133b2ec26a25a7c93564fe048ae4afd4</li><li>2b06143fffe0099302b2ec0b6f40b5aac115f37c61db32a3be6e0ed13d8eee85</li><li>2eba0e3bb658230fe8617038b6be0f58d042a8bb13dd4d9169e775263f82eab3</li><li>304c6f454f0efca218002c12009518c27e63186dd5de57b652cf2d4d14c7f0a4</li><li>b75f01bb44d8a7f402bf01683230ff71138509344bd13d7c199855a321c26b30</li><li>5b5b1960bb43c0c115080b3393aaa263137141d53f6b173b24f6c08cbe86d2f8</li><li>51d6c81b77f098af1b463f72d236d44b21d873f3c8360004ac93ba803db620a9</li><li>f4eb5c188028bd80eaf5e822fd6e80e6d2826215e6698668202b72aedabc3daf</li><li>d8b26ec2609f02379d8b8489f0b52f060e1d5f2dea369dbb675c408c29f83401</li><li>81dea09c54a4f26cc078d1b341d5172ceeb5229861621e99552854c564747c83</li><li>80c8b5fad0efae1c96e51d97a3ae2ee0e3c9d802691e7178da29b12f23b0f2a0</li><li>5742ca6839d7b0b6e56f5406fcb744180bc76e81f7ebdc626b432ab3c1b3de81</li><li>c1fb997c7dd23f0bb6f19e20029650fc890beca44fbe2f50e21a001b3aa1d319</li><li>2159c51a8951b68089524aec9cbb7ba171da57baf733bd12c7d7741d8f17e55b</li><li>bef55fe81de1a2eb2c0a9e647619a483093b031f5c797d5a8e32bb787356e33a</li><li>7f0a79692fc21938be2f2acab035a56049a9444a8e380d62615546efd0862335</li><li>e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca</li><li>100b1db7896fbd9c4415a96aed0383babbc43ac1f6ae589d408d39532ce9125b</li><li>f48ecc2b672bc937370ef812eb1b23e3e76e680a2a96aff2d58af8331eb75cfe</li><li>da2ee40c1fcf98c416132ddf8d4a533f387fcc2214772588bf2ab0967a7d1ede</li><li>b5fd96e20d32e4f805c4b157037b8e382ff2ce3564fad2f5b3d3c7b6247ea1e2</li><li>bfc11420c2e7d86d66ca3c4cd495a47b7882d6abbb7a8cc87a58ce9e3daaacaa</li><li>5f5e981122a6264042e5b79860200c894538cb134d2c93d3f15750ec9443c7f2</li><li>76a940a6ef4397c6b7c8d1ba0dca3e891c2d526f58c03c766d041b98a8791e54</li><li>5056b55b83863c4ac1ed6ee66e4d2dc0de8b56416dd96cf712f5b889aeff5cdf</li><li>f9e29f39b89918fcf26237c5002cd98a2a001c37690720ba537eebd0e72a56cd</li><li>6264bc92083a561dd31c38fc752589eb7e8dd65fa2b6c792d2dd247b5f63ff98</li><li>544eac3c9205cc3ecaf57283c823050df3bfe4ce78d0c7e38592ef333cc8bdc8</li><li>dce3ff33424c5e43795ffba7ad33ee8a301606e3c4406e2cd1d07cf6d789ac8e</li><li>633dd2217d33b8a60f3ca98905bb7119d7d63e8db50525452c5bfe5449b7885d</li><li>6386f608f5f0fb7007ecf808b9a96048c4fc1fe3c20637332b9da1e5094972c5</li><li>60d4c6a68368b14ce9aa0b6b3e8eb91e92f823f6524a49e4e7cc265353982898</li><li>9804648f30f0a4af07a729f3bf0aa2cf23ed4174c8a1a9ffd98694efb3c51e2c</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://1.bp.blogspot.com/-8-ewx032dEo/WShN7e2cmKI/AAAAAAAABAg/1zHeN8V4h-sP6aW4ev8jafnU6MW4QEE0wCLcB/s1600/no-email-security.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-TFwURoYgQpA/Wc6vy81wcAI/AAAAAAAABXY/CKkglNiNKOYBykNL7ScES_8PqCV90ZWgQCLcBGAs/s1600/Doc_Dropper_Agent_6336814_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-TFwURoYgQpA/Wc6vy81wcAI/AAAAAAAABXY/CKkglNiNKOYBykNL7ScES_8PqCV90ZWgQCLcBGAs/s400/Doc_Dropper_Agent_6336814_0_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-XSr_-aG8OOE/Wc6v3R2bVEI/AAAAAAAABXc/rFoGgp3l04EtQtraMNFalsERxxACH69WACLcBGAs/s1600/Doc_Dropper_Agent_6336814_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1098" data-original-width="1200" height="584" src="https://1.bp.blogspot.com/-XSr_-aG8OOE/Wc6v3R2bVEI/AAAAAAAABXc/rFoGgp3l04EtQtraMNFalsERxxACH69WACLcBGAs/s640/Doc_Dropper_Agent_6336814_0_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-yFjOivA4XHM/Wc6v9QKtvoI/AAAAAAAABXg/TiW6vnKr30o_hfDPHucN_-BeEdn6k1XbACLcBGAs/s1600/Doc_Dropper_Agent_6336814_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="1112" height="238" src="https://3.bp.blogspot.com/-yFjOivA4XHM/Wc6v9QKtvoI/AAAAAAAABXg/TiW6vnKr30o_hfDPHucN_-BeEdn6k1XbACLcBGAs/s640/Doc_Dropper_Agent_6336814_0_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><hr /><br /><h3>Doc.Macro.DownloadExe-6336397-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li>N/A</li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>66[.]55[.]90[.]17</li><li>52[.]179[.]17[.]38</li></ul><b>Domain Names</b><br /><ul><li>a[.]pomf[.]cat</li></ul><b>Files and or directories created</b><br /><ul><li>\TEMP\~$L Receipt.doc</li><li>%TEMP%\CVRFC94.tmp.cvr</li><li>\TEMP\gkmgax.exe</li><li>\TEMP\DHL Receipt.doc</li><li>\srvsvc</li><li>%AppData%\Microsoft\Office\Recent\runme.doc.LNK</li><li>%SystemDrive%\~$runme.doc</li><li>%AppData%\Microsoft\Office\Recent\DHL Receipt.LNK</li></ul><b>File Hashes</b><br /><ul><li>9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c</li><li>74805a5b0a8171f723627c8b061805a6c9c098e7ce1ea83378a774769bc7a1c6</li><li>f861caffda478a4227bf06323ef32407f774274cdacf2e5e23506d67a08cd89c</li><li>9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c</li><li>0ef4406f5608ad25b4c61d37b6ece1b71c2738814528af550dde14917d2cb4e3</li><li>f8dcc75be0d1354741606663aebb95e477fe1d4e46246e677fc0e414b7dd354f</li><li>216f09c6eff72fae7d6511a73be7530e80980ff6305e4dd2656c96aec29f242e</li><li>265de60479b8d8bd46b56a7bec778d6ef9c62a9053e42c6a632d52cdc16a9490</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-B3FrDZvJBDI/Wc6wk4c82bI/AAAAAAAABXo/5i0CV5vknAwhvjI2Zj88lyiHKqUH48Q8QCLcBGAs/s1600/Doc_Macro_DownloadExe_6336397_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-B3FrDZvJBDI/Wc6wk4c82bI/AAAAAAAABXo/5i0CV5vknAwhvjI2Zj88lyiHKqUH48Q8QCLcBGAs/s400/Doc_Macro_DownloadExe_6336397_0_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-Qo4QGsQbkOs/Wc6wvwr5zmI/AAAAAAAABXs/xDwrIjRsa1swlNdAwlMnJsQkcxV7loJJwCLcBGAs/s1600/Doc_Macro_DownloadExe_6336397_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="827" data-original-width="1237" height="426" src="https://2.bp.blogspot.com/-Qo4QGsQbkOs/Wc6wvwr5zmI/AAAAAAAABXs/xDwrIjRsa1swlNdAwlMnJsQkcxV7loJJwCLcBGAs/s640/Doc_Macro_DownloadExe_6336397_0_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-WuJqTmIireU/Wc6w13pm4XI/AAAAAAAABXw/tFplOI2sr4Af9uL9FlQJBC_vJuy7bNj1QCLcBGAs/s1600/Doc_Macro_DownloadExe_6336397_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="1112" height="238" src="https://3.bp.blogspot.com/-WuJqTmIireU/Wc6w13pm4XI/AAAAAAAABXw/tFplOI2sr4Af9uL9FlQJBC_vJuy7bNj1QCLcBGAs/s640/Doc_Macro_DownloadExe_6336397_0_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><hr /><br /><h3>Doc.Macro.VBSDownloader-6336817-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li><ul><li><b>Value: </b>ProxyBypass</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li><ul><li><b>Value: </b>ProxyBypass</li></ul></ul><b>Mutexes</b><br /><ul><li>Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500</li><li>Local\ZonesLockedCacheCounterMutex</li><li>Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500</li><li>\BaseNamedObjects\Global\I9B0091C</li><li>RasPbFile</li><li>Local\WinSpl64To32Mutex_e39d_0_3000</li><li>Local\MSCTF.Asm.MutexDefault1</li><li>\BaseNamedObjects\MD99F8B3</li><li>Local\10MU_ACB10_S-1-5-5-0-58054</li><li>Local\ZonesCacheCounterMutex</li><li>Local\10MU_ACBPIDS_S-1-5-5-0-58054</li><li>Global\552FFA80-3393-423d-8671-7BA046BB5906</li><li>\BaseNamedObjects\Global\M9B0091C</li></ul><b>IP Addresses</b><br /><ul><li>50[.]63[.]119[.]1</li></ul><b>Domain Names</b><br /><ul><li>lymanite[.]com</li></ul><b>Files and or directories created</b><br /><ul><li>%SystemDrive%\~$c69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc</li><li>\TEMP\gescanntes-Dokument-07170222835.doc</li><li>\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24E5C5A3-7CF5-41D8-94C1-47B41F61C27E}.tmp</li><li>%AppData%\Microsoft\Office\Recent\fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc.LNK</li><li>%TEMP%\64388.exe</li><li>%AppData%\Microsoft\Templates\~$Normal.dotm</li><li>\TEMP\~$scanntes-Dokument-07170222835.doc</li><li>%AppData%\Microsoft\Office\Recent\gescanntes-Dokument-07170222835.LNK</li><li>%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\42994.exe</li><li>%AppData%\Microsoft\Office\Recent\Local Disk (C).LNK</li><li>%TEMP%\CVR26FE.tmp.cvr</li><li>\Users\Administrator\Documents\20170926\PowerShell_transcript.PC.sJClvqz1.20170926112823.txt</li></ul><b>File Hashes</b><br /><ul><li>fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0</li><li>0274541153434372cb7c0bdc7f55c5b70a48ab0c22907611a89139d2073826bf</li><li>12b2acf3a81b16850fec270f521ba9b749a340f1357f225e495462822409da12</li><li>1d1407735650c83e62a561a1ea5cdc798aa1cdc92653f5e722dc8b22b5ed9a7c</li><li>2b4bbedb5119cd52c44fe035ee5b00b520792db60207ffd6ce3cdc339901346d</li><li>476e8075ba4866c0a78253dcb19961b28f150aa207d50b575b0d07fdcca4aa13</li><li>477bbf5395742a4e45331d71c6de3191729fbbf5914457ccfef7eb9d3e8697c7</li><li>4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4</li><li>5bb5975dd0b781d5fab3721ae66463e64825fccfdcf876bcb8899c2571ed04f4</li><li>5dc91a43bfcf5f4b4c2a759220e9eacec671bc275572b6feeca274d9c4836829</li><li>61411a7a585f12f1d3e60eb084e9dac648217b922a3d68ce4024b26a6fcce3cc</li><li>69b35b1bffd2d36c06d4598de38fa4364e726044623d89bc73fc1e9b31f57e71</li><li>6c0bf54da7ee15bf99b7ff6be57ee8331d8335a1d15513227c6ada04c841c4de</li><li>71cc8b291e0a1ad38ed9142eb112f56c4a8a3eb00d130bfa27e5c40a08bc9e43</li><li>75eb214657020fd9b6f2d533d3c12724cf1de2adbb925d7abfd744e6ff73633d</li><li>7cc1a551e6060d0e7a38423a2247edd4a84b6cca927f996d2bc056269dedb6e6</li><li>908b6ea63e3e916377fe0319886bf4b55c7aaddde27292b9dce5930eede5622a</li><li>a2fe92fa39d6b0f9dbfebd83be179524fadb87b11e555eee96c606af7d34ce73</li><li>b6bfdbfcbb5097912ad8bdf9cec2592a162a27b7c367193d1fdd10d9db5182dc</li><li>b7651bd99dda94f6bf962b473872690ee145c38546cd7b3f8bb477976d9a8617</li><li>c77d0bee9502f8d4c3afc1729a7ab9721ffce9bf2b7759d086e436370af4ff5c</li><li>d621d5dea6a95c31650a4c46aaf507625a8e18f33b5a4a22e8a801c25dc77a49</li><li>d919139e4965ad6c55b7f08e2f919aac5fd8deb0fd90cf65f2bd4a4aa5bd2dd8</li><li>d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91</li><li>df5c68270b14d82a523a503a717de1ccfe1739c62956e7a58aa8441f117b7344</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-VHId86TeS-E/Wc6xJrZDUgI/AAAAAAAABX0/ktoNSzDf-nY01Xr_hqUFr4HLCWNxtuftQCLcBGAs/s1600/Doc_Macro_VBSDownloader_6336817_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-VHId86TeS-E/Wc6xJrZDUgI/AAAAAAAABX0/ktoNSzDf-nY01Xr_hqUFr4HLCWNxtuftQCLcBGAs/s400/Doc_Macro_VBSDownloader_6336817_0_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-6S6TNyPMg10/Wc6xOGp4-II/AAAAAAAABX4/2tkVEm7rYY7VeJtkM4-G4L1N2UlKmNgCLcBGAs/s1600/Doc_Macro_VBSDownloader_6336817_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1205" data-original-width="1237" height="622" src="https://4.bp.blogspot.com/-6S6TNyPMg10/Wc6xOGp4-II/AAAAAAAABX4/2tkVEm7rYY7VeJtkM4-G4L1N2UlKmNgCLcBGAs/s640/Doc_Macro_VBSDownloader_6336817_0_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-aehLpkc7-QY/Wc6xS02Y3mI/AAAAAAAABX8/7Dslvx12pL8Njyn2P6-gEgjyzqIQWRt7gCLcBGAs/s1600/Doc_Macro_VBSDownloader_6336817_0_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1092" height="350" src="https://1.bp.blogspot.com/-aehLpkc7-QY/Wc6xS02Y3mI/AAAAAAAABX8/7Dslvx12pL8Njyn2P6-gEgjyzqIQWRt7gCLcBGAs/s640/Doc_Macro_VBSDownloader_6336817_0_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Screenshot</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-XMvm7uZ-6iE/Wc6xYH0TYWI/AAAAAAAABYA/0Sgo5r9epjEaNEtM0wJ2sNVAaD8GIgeLgCLcBGAs/s1600/Doc_Macro_VBSDownloader_6336817_0_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://2.bp.blogspot.com/-XMvm7uZ-6iE/Wc6xYH0TYWI/AAAAAAAABYA/0Sgo5r9epjEaNEtM0wJ2sNVAaD8GIgeLgCLcBGAs/s640/Doc_Macro_VBSDownloader_6336817_0_malware.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><hr /><br /><h3>Win.Ransomware.TorrentLocker-6336835-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>etejasix</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS</b></li><ul><li><b>Value: </b>ProxyEnable</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li><ul><li><b>Value: </b>ProxyBypass</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP</b></li><ul><li><b>Value: </b>ProxyBypass</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS</b></li><ul><li><b>Value: </b>AutoConfigURL</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS</b></li><ul><li><b>Value: </b>ProxyOverride</li></ul><li><b><HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer</b></li><li><b><HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</b></li></ul><b>Mutexes</b><br /><ul><li>\BaseNamedObjects\Global\otydesuxofyjyxufexycaga</li><li>Global\otydesuxofyjyxufexycaga</li><li>\BaseNamedObjects\Global\yjacitumaxicuqexyfitywoqewyquwy</li><li>qazwsxedc</li><li>Global\yjacitumaxicuqexyfitywoqewyquwy</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>wrygsxi[.]zotebsca[.]net</li><li>atawgce[.]zotebsca[.]net</li><li>adez[.]zotebsca[.]net</li><li>uluxkqopy[.]zotebsca[.]net</li><li>efedaluc[.]zotebsca[.]net</li><li>mxed[.]zotebsca[.]net</li><li>omywuw[.]zotebsca[.]net</li><li>imjmawfcoja[.]zotebsca[.]net</li><li>evycoroz[.]zotebsca[.]net</li><li>erivequt[.]zotebsca[.]net</li><li>aqyjo[.]zotebsca[.]net</li><li>usuhazepug[.]zotebsca[.]net</li><li>avev[.]zotebsca[.]net</li><li>fhuga[.]zotebsca[.]net</li><li>uqydjnwn[.]zotebsca[.]net</li><li>evehasuruzo[.]zotebsca[.]net</li><li>ypyhi[.]zotebsca[.]net</li><li>epabojyluko[.]zotebsca[.]net</li><li>iqesex[.]zotebsca[.]net</li><li>ywapivuqexe[.]zotebsca[.]net</li><li>ihodi[.]zotebsca[.]net</li><li>rtacin[.]zotebsca[.]net</li><li>aliragifut[.]zotebsca[.]net</li><li>eztcu[.]zotebsca[.]net</li><li>ukajusi[.]zotebsca[.]net</li><li>okypag[.]zotebsca[.]net</li><li>ubapimiwdj[.]zotebsca[.]net</li></ul><b>Files and or directories created</b><br /><ul><li>%WinDir%\edaraxoz.exe</li><li>%AppData%\uqetukykopefyvij\02000000</li><li>%AllUsersProfile%\uqetukykopefyvij\02000000</li><li>%AppData%\uqetukykopefyvij\01000000</li><li>%AllUsersProfile%\uqetukykopefyvij\01000000</li><li>%AppData%\uqetukykopefyvij\00000000</li><li>%AllUsersProfile%\uqetukykopefyvij\00000000</li><li>%WinDir%\ukavdnlj.exe</li></ul><b>File Hashes</b><br /><ul><li>1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294</li><li>4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9</li><li>58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b</li><li>5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3</li><li>ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099</li><li>ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52</li><li>bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88</li><li>cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-sVPSoD1yZEY/Wc6xg-Ha8EI/AAAAAAAABYE/oAiaP9Hxn-UrQrM8o7qBf3xE3OoTeTqGACLcBGAs/s1600/bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://4.bp.blogspot.com/-sVPSoD1yZEY/Wc6xg-Ha8EI/AAAAAAAABYE/oAiaP9Hxn-UrQrM8o7qBf3xE3OoTeTqGACLcBGAs/s400/bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-7B195Spn5jk/Wc6xks9_bkI/AAAAAAAABYI/5Rv_VwrH90wLa9b1h8NuXCpzDTYyQziIQCLcBGAs/s1600/bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1017" data-original-width="1237" height="526" src="https://4.bp.blogspot.com/-7B195Spn5jk/Wc6xks9_bkI/AAAAAAAABYI/5Rv_VwrH90wLa9b1h8NuXCpzDTYyQziIQCLcBGAs/s640/bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-7aTxCk-pVDA/Wc6xniSJeWI/AAAAAAAABYM/aUN4HxiJVnEHiCBpeoX7ob2CGNp5PsBqwCLcBGAs/s1600/wrygsxi.zotebsca.net_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1112" height="196" src="https://3.bp.blogspot.com/-7aTxCk-pVDA/Wc6xniSJeWI/AAAAAAAABYM/aUN4HxiJVnEHiCBpeoX7ob2CGNp5PsBqwCLcBGAs/s640/wrygsxi.zotebsca.net_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><br /><hr /><br /><h3>Win.Spyware.CCBkdr-6336251-2</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\HKLM\SOFTWARE\Piriform\Agomo</b></li><ul><li><b>Value: </b>NID</li></ul><li><b><HKLM>\HKLM\SOFTWARE\Piriform\Agomo</b></li><ul><li><b>Value: </b>TCID</li></ul><li><b><HKLM>\HKLM\SOFTWARE\Piriform\Agomo</b></li><ul><li><b>Value: </b>MUID</li></ul></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>216[.]126[.]225[.]148</li></ul><b>Domain Names</b><br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>N/A</li></ul><b>File Hashes</b><br /><ul><li>04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d</li><li>1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff</li><li>30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48</li><li>53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322</li><li>6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9</li><li>8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25</li><li>8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab</li><li>dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f</li><li>07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902</li><li>128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f</li><li>27a098761e8fbf4f0a7587adeee8eb787c0224b231b3891fa9323d4a9831f7e5</li><li>2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f</li><li>2c020ffa3436a69a1b884b5b723909c095e5e58406439287ac4c184a3c3c7da7</li><li>76cd0370af69d5c76e08673976972fee53764fca67f86fcf0db208b87b7341d6</li><li>8038ea1b72a720f86397fd2ee1f386bb832e5cbd8e12f97e11e0c787bde9e47e</li><li>dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83</li><li>e8e02191c1b38c808d27a899ac164b3675eb5cadd3a8907b0ffa863714000e72</li><li>f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-islRVzO1s88/Wc6xurRwuqI/AAAAAAAABYQ/qvERTNcgRUMO3rwJWiKUodtB-RTHFaOTwCLcBGAs/s1600/Win_Spyware_CCBkdr_6336251_2_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://3.bp.blogspot.com/-islRVzO1s88/Wc6xurRwuqI/AAAAAAAABYQ/qvERTNcgRUMO3rwJWiKUodtB-RTHFaOTwCLcBGAs/s400/Win_Spyware_CCBkdr_6336251_2_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-nPJPq9DlXyg/Wc6x0iKvLBI/AAAAAAAABYU/Ms95rcusi4IH3AZiJe57wJL5rNtP5LIrACLcBGAs/s1600/Win_Spyware_CCBkdr_6336251_2_tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="513" data-original-width="1237" height="264" src="https://3.bp.blogspot.com/-nPJPq9DlXyg/Wc6x0iKvLBI/AAAAAAAABYU/Ms95rcusi4IH3AZiJe57wJL5rNtP5LIrACLcBGAs/s640/Win_Spyware_CCBkdr_6336251_2_tg.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-dG0RCSLBGLo/Wc6x95kqNzI/AAAAAAAABYY/te2UfJjBiH8jIS1vx3-jK2b8VwHC5qKSwCLcBGAs/s1600/Win_Spyware_CCBkdr_6336251_2_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1092" height="350" src="https://1.bp.blogspot.com/-dG0RCSLBGLo/Wc6x95kqNzI/AAAAAAAABYY/te2UfJjBiH8jIS1vx3-jK2b8VwHC5qKSwCLcBGAs/s640/Win_Spyware_CCBkdr_6336251_2_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Screenshot</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Fifg2ATZYns/Wc6yCqHgEyI/AAAAAAAABYc/GKqTvVpGFHktzxUTQyAWd4o7IMZCp6P7wCLcBGAs/s1600/Win_Spyware_CCBkdr_6336251_2_malware.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1024" height="480" src="https://3.bp.blogspot.com/-Fifg2ATZYns/Wc6yCqHgEyI/AAAAAAAABYc/GKqTvVpGFHktzxUTQyAWd4o7IMZCp6P7wCLcBGAs/s640/Win_Spyware_CCBkdr_6336251_2_malware.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><hr /><br /><h3>Win.Trojan.Beeldeb-6336738-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2</b></li></ul><b>Mutexes</b><br /><ul><li>\BaseNamedObjects\hTGfNaKIQ4lPz</li></ul><b>IP Addresses</b><br /><ul><li>41[.]45[.]138[.]91</li><li>156[.]203[.]64[.]64</li></ul><b>Domain Names</b><br /><ul><li>microsoft[.]net[.]linkpc[.]net</li></ul><b>Files and or directories created</b><br /><ul><li>%TEMP%\EqEhol.exe</li><li>%TEMP%\JTVxon.txt</li><li>%TEMP%\NJiSUL</li><li>%AppData%\njisul\NJiSUL</li><li>%AppData%\njisul\EqEhol.exe</li><li>%AppData%\njisul\fXMlDZ.exe</li><li>%AppData%\njisul\JTVxon.txt</li><li>%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\gmail.lnk</li></ul><b>File Hashes</b><br /><ul><li>bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a</li><li>2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8</li><li>36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc</li><li>1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8</li><li>07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a</li><li>e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba</li><li>ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc</li><li>c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff</li><li>a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56</li><li>eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://2.bp.blogspot.com/-0lqSlixFz6w/WRNEvDBYhOI/AAAAAAAAA8g/ipzkzUpN9Ioo6QWiDDftf95zMLP66gt9QCLcB/s1600/amp-threatgrid-proxy.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-pzkrvliriy8/Wc6yebSElLI/AAAAAAAABYg/_fPwA6JXvckVeoXT19ne-bjbQRHAAdwPwCLcBGAs/s1600/Win_Trojan_Beeldeb_6336738_0_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-pzkrvliriy8/Wc6yebSElLI/AAAAAAAABYg/_fPwA6JXvckVeoXT19ne-bjbQRHAAdwPwCLcBGAs/s400/Win_Trojan_Beeldeb_6336738_0_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-93dTGEZTShE/Wc6yjIBTn1I/AAAAAAAABYk/RAKz5N7H1AIQ1OTz4NRwDoewSMYpGc6kQCLcBGAs/s1600/Win_Trojan_Beeldeb_6336738_0_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="429" data-original-width="1250" height="218" src="https://1.bp.blogspot.com/-93dTGEZTShE/Wc6yjIBTn1I/AAAAAAAABYk/RAKz5N7H1AIQ1OTz4NRwDoewSMYpGc6kQCLcBGAs/s640/Win_Trojan_Beeldeb_6336738_0_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><hr /><br /><h3>Win.Trojan.Cossta-237</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\SYSTEM\ControlSet001\Services\Alerter</b></li></ul><b>Mutexes</b><br /><ul><li>\BaseNamedObjects\44-41</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>wenrou88[.]3322[.]org</li></ul><b>Files and or directories created</b><br /><ul><li>%SystemDrive%\Program Files\Microsoft Explorer\AAA.exe</li></ul><b>File Hashes</b><br /><ul><li>e8feccbab518346c0ec9ea3787f3b09994e41ca278aa537bc753fa1d6b40d1c4</li><li>b955412a8b6ec7d48b70bc2ed05226755c2b418a075fd0e3f98ba52086caa495</li><li>de37309306863d4a1b6f12a9c6e047fd93a9645f8acdbcc2f36f65d00226af2d</li><li>2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992</li><li>38a58d5c41f91b483ae727e922039848e14410c485db577cd0e21ee28e8fa250</li><li>424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0</li><li>83062a56de8404db9311d60c87cccc4c25a8887952e695e5ffa0ac2600606706</li><li>94bc3ce60f0750456467c4262543e1196eb8a3294fcd79441ef7250e8fdf7885</li><li>5ed30bc2f7412875ccba2ade6e124154eda0788d555978ab6b60a69dbdf0bac1</li><li>f81a1362894fa49b7008cffe93365ef2158180be9a935ae17acc2bafa8f983d9</li><li>6e678b7d3a7a46f20a19079644f0d879f03b1cad83e441ca64a4c0d1076d9ebb</li><li>f9e9a3d7b7bffae8cda1b3ff4c893933eff386b26fd035fa4bb61c7c31bf2690</li><li>53c7cececf2d29386f3184e588c5a0ec558292ff227891d3ce5605f82a5f9688</li><li>dfbafa207c90d3d4e20dabe7620f901e1abe30fa0fa4dd06bfabe852f8f1f0bc</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://3.bp.blogspot.com/-Uaaol5f_kuk/WRNnk9-GYDI/AAAAAAAAA80/c6qsYVz-hcM5CPhFuFQnHk3X4b1J6C6-ACLcB/s1600/amp-tg-proxy-umbrella.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-tJnUT7q0-JE/Wc6yozUylDI/AAAAAAAABYo/q2WIVkG0hnYoZljZmAGTXiuwrRVb5Ty2QCLcBGAs/s1600/Win_Trojan_Cossta_237_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-tJnUT7q0-JE/Wc6yozUylDI/AAAAAAAABYo/q2WIVkG0hnYoZljZmAGTXiuwrRVb5Ty2QCLcBGAs/s400/Win_Trojan_Cossta_237_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-T621DD-7FRE/Wc6ytN-tsTI/AAAAAAAABYs/8j5bevLnfso53O9O9Znd4YW-omAshXrdACLcBGAs/s1600/Win_Trojan_Cossta_237_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="1090" height="388" src="https://1.bp.blogspot.com/-T621DD-7FRE/Wc6ytN-tsTI/AAAAAAAABYs/8j5bevLnfso53O9O9Znd4YW-omAshXrdACLcBGAs/s640/Win_Trojan_Cossta_237_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Umbrella</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-9r1w6QMmFkg/Wc6yzPBUC5I/AAAAAAAABYw/S9MPme56lsQ83KICsN4Ud0kUpYxHruXOwCLcBGAs/s1600/Win_Trojan_Cossta_237_umbrella.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1112" height="196" src="https://4.bp.blogspot.com/-9r1w6QMmFkg/Wc6yzPBUC5I/AAAAAAAABYw/S9MPme56lsQ83KICsN4Ud0kUpYxHruXOwCLcBGAs/s640/Win_Trojan_Cossta_237_umbrella.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><br /><br /><br /><hr /><br /><h3>Win.Worm.Untukmu-5949608-0</h3><br /><h4>Indicators of Compromise</h4><br /><b>Registry Keys</b><br /><ul><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER</b></li><ul><li><b>Value: </b>DisableMSI</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>System Monitoring</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER</b></li><ul><li><b>Value: </b>NoFolderOptions</li></ul><li><b><HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM</b></li><ul><li><b>Value: </b>DisableCMD</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</b></li><ul><li><b>Value: </b>DisableRegistryTools</li></ul><li><b><HKCU>\CONTROL PANEL\DESKTOP</b></li><ul><li><b>Value: </b>ScreenSaveTimeOut</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE</b></li><ul><li><b>Value: </b>FullPathAddress</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>xk</li></ul><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</b></li><ul><li><b>Value: </b>DisableConfig</li></ul><li><b><HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT</b></li><ul><li><b>Value: </b>AlternateShell</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG</b></li><ul><li><b>Value: </b>Debugger</li></ul><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER</b></li><ul><li><b>Value: </b>LimitSystemRestoreCheckpointing</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON</b></li><ul><li><b>Value: </b>Userinit</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>internat.exe</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM</b></li><ul><li><b>Value: </b>DisableRegistryTools</li></ul><li><b><HKCU>\CONTROL PANEL\DESKTOP</b></li><ul><li><b>Value: </b>SCRNSAVE.EXE</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG</b></li><ul><li><b>Value: </b>Auto</li></ul><li><b><HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE</b></li><ul><li><b>Value: </b>DisableSR</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED</b></li><ul><li><b>Value: </b>HideFileExt</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED</b></li><ul><li><b>Value: </b>ShowSuperHidden</li></ul><li><b><HKCU>\CONTROL PANEL\DESKTOP</b></li><ul><li><b>Value: </b>ScreenSaverIsSecure</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>MSMSGS</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>LogonAdministrator</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED</b></li><ul><li><b>Value: </b>Hidden</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0</b></li><ul><li><b>Value: </b>CheckSetting</li></ul><li><b><HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON</b></li><ul><li><b>Value: </b>Shell</li></ul><li><b><HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER</b></li><ul><li><b>Value: </b>NoFolderOptions</li></ul><li><b><HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN</b></li><ul><li><b>Value: </b>ServiceAdministrator</li></ul><li><b><HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\</b></li><li><b><HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command</b></li><li><b><HKCU>\Control Panel\Desktop\</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore</b></li><li><b><HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command</b></li><li><b><HKCU>\Software\Policies\Microsoft\Windows\System\</b></li><li><b><HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command</b></li><li><b><HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\</b></li><li><b><HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open</b></li><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\</b></li><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug</b></li><li><b><HKLM>\SOFTWARE\CLASSES\lnkfile</b></li><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\</b></li><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer</b></li><li><b><HKLM>\SOFTWARE\CLASSES\exefile</b></li><li><b><HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon</b></li><li><b><HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command</b></li><li><b><HKLM>\SOFTWARE\CLASSES\LNKFILE\shell</b></li><li><b><HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\</b></li><li><b><HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command</b></li></ul><b>Mutexes</b><br /><ul><li>N/A</li></ul><b>IP Addresses</b><br /><ul><li>N/A</li></ul><b>Domain Names</b><br /><ul><li>N/A</li></ul><b>Files and or directories created</b><br /><ul><li>%System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0</li><li>%WinDir%\setupact.log</li><li>%System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0</li><li>%System32%\wdi\LogFiles\BootCKCL.etl</li><li>%WinDir%\Tasks\SCHEDLGU.TXT</li><li>%System32%\wdi{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2580483871-590521980-3826313501-500_UserData.bin</li><li>%System32%\wfp\wfpdiag.etl</li></ul><b>File Hashes</b><br /><ul><li>9e0419794e2d948623f74a1443a553946334beaaa1c902ddc2741b1586a3bd89</li><li>6735181a112e87550dba81d667012250ff78959cdfe4852043c35895a4a53635</li><li>fdb82a1a0c8b84d22d87e373d37a09cbbee481eca77a695f0a42b0ce8e7d15fb</li><li>1c3d3774371a96d8dac17ef186e1d10e6520fc82d9325974f4191d437bfa106a</li><li>c7e85bc2b8120dec204e5592ab9254e90030cf3a13a2281d047c1d0bcb878d10</li></ul><br /><h4>Coverage</h4><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="297" src="https://4.bp.blogspot.com/-lMcm16MfzdA/WRTPVW_BAII/AAAAAAAAA9I/TUwW9Ai4QFAh5FURDnAbZJXWJ_Pc0etyACLcB/s1600/amp-esa-proxy-tg.png" width="400" /></a></div><br /><h4>Screenshots of Detection</h4><b>AMP</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jlq2JU-MeBE/Wc6y46hwzZI/AAAAAAAABY0/2kaBp7dAtGg9ZrzQNgutHxNDzF952maKQCLcBGAs/s1600/Win_Worm_Untukmu_amp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="702" height="272" src="https://1.bp.blogspot.com/-jlq2JU-MeBE/Wc6y46hwzZI/AAAAAAAABY0/2kaBp7dAtGg9ZrzQNgutHxNDzF952maKQCLcBGAs/s400/Win_Worm_Untukmu_amp.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>ThreatGrid</b><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://2.bp.blogspot.com/-f_n2qCEBcuE/Wc6zBGfzJvI/AAAAAAAABY4/Wy0vZslONEIip6h1v-ATeXT61LHwgKu2QCLcBGAs/s1600/Win_Worm_Untukmu_threatgrid.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1017" data-original-width="1237" height="526" src="https://2.bp.blogspot.com/-f_n2qCEBcuE/Wc6zBGfzJvI/AAAAAAAABY4/Wy0vZslONEIip6h1v-ATeXT61LHwgKu2QCLcBGAs/s640/Win_Worm_Untukmu_threatgrid.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="feedflare"> <a href="http://feeds.feedburner.com/~ff/feedburner/Talos?a=LydF9lu5EPY:sfCQHmS91sM:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA" border="0"></img></a> </div><img src="http://feeds.feedburner.com/~r/feedburner/Talos/~4/LydF9lu5EPY" height="1" width="1" alt=""/>