Threat Roundup for May 04 - 11

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 4 and May 11. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round-up are:

* **Win.Dropper.Zbot-6533101-0** (Dropper)
  Zeus (AKA Zbot) is a trojan horse malware package used to carry out many malicious and criminal tasks. It is often used to steal banking information through man-in-the-browser keystroke logging and form grabbing.
* **Win.Dropper.Khalesi-6535750-0** (Dropper)
  A Trojan is a program that gains privileged access to the operating system while appearing to perform a desirable function, but instead drops a malicious payload, often a backdoor allowing unauthorized access to the system. Trojans may steal information or infect the host system. They are commonly distributed via spam or drive-by downloads, or embedded into games or internet-driven applications.
* **Win.Dropper.Gandcrab-6530134-0** (Dropper)
  Gandcrab is ransomware that encrypts documents, photos, databases and other important files, appending the file extension ".GDCB" or ".CRAB" to them. Gandcrab is spread through traditional spam campaigns as well as multiple exploit kits, including Rig and Grandsoft.

* * *

## Threats

### Win.Dropper.Zbot-6533101-0

#### Indicators of Compromise

**Registry Keys**

**Mutexes**

**IP Addresses**

* 185[.]24[.]234[.]54

**Domain Names**

* N/A

**Files and/or directories created**

* %LocalAppData%\Temp\tmp60e9fbcd.bat
* %AppData%\Neku
* %AppData%\Neku\amto.exe
* %AppData%\Leolo
* %AppData%\Leolo\peogh.vus

**File Hashes**

#### Coverage

[![](https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png)](<https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png>)

#### Screenshots of Detection

**AMP**
[![](https://2.bp.blogspot.com/-kG_QfwetGCM/WvXoYXVbP0I/AAAAAAAAAfA/_nxRiEFGAhcqmPfRci3gzW0v93m3zpSwQCLcBGAs/s400/Win_Dropper_Zbot_6533101_0_amp.png)](<https://2.bp.blogspot.com/-kG_QfwetGCM/WvXoYXVbP0I/AAAAAAAAAfA/_nxRiEFGAhcqmPfRci3gzW0v93m3zpSwQCLcBGAs/s1600/Win_Dropper_Zbot_6533101_0_amp.png>)

**ThreatGrid**

[![](https://1.bp.blogspot.com/-TDX6A2KEBwM/WvXoekUCeoI/AAAAAAAAAfE/RRR_hjW2yUM1vd5fersSCAjjE4-ZbucwwCLcBGAs/s640/Win_Dropper_Zbot_6533101_0_threatgrid.png)](<https://1.bp.blogspot.com/-TDX6A2KEBwM/WvXoekUCeoI/AAAAAAAAAfE/RRR_hjW2yUM1vd5fersSCAjjE4-ZbucwwCLcBGAs/s1600/Win_Dropper_Zbot_6533101_0_threatgrid.png>)

* * *

### Win.Dropper.Khalesi-6535750-0

#### Indicators of Compromise

**Registry Keys**

* **<HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run**

**Mutexes**

* N/A

**IP Addresses**

* 204[.]11[.]56[.]48
* 74[.]220[.]215[.]63
* 184[.]168[.]221[.]42
* 198[.]54[.]117[.]217
* 187[.]84[.]225[.]36

**Domain Names**

* www[.]backpackerdesi[.]info
* backpackerdesi[.]info
* www[.]lovelouevents[.]com
* parkingpage[.]namecheap[.]com
* www[.]riopumpen[.]com
* riopumpen[.]com
* www[.]shungavietnam[.]com
* lovelouevents[.]com
* www[.]tourniquetleash[.]com

**Files and/or directories created**

* %LocalAppData%\Temp\~DF84B5AD10771E60C5.TMP

**File Hashes**

#### Coverage

[![](https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png)](<https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png>)

#### Screenshots of Detection

**AMP**

[![](https://3.bp.blogspot.com/-IaGqaek46bk/WvXonLbaEsI/AAAAAAAAAfI/WOzkdjWuFooaMLZ2ViLTmE9Kyv6fSqQKQCLcBGAs/s400/Win_Dropper_Khalesi_6535750_0_amp.png)](<https://3.bp.blogspot.com/-IaGqaek46bk/WvXonLbaEsI/AAAAAAAAAfI/WOzkdjWuFooaMLZ2ViLTmE9Kyv6fSqQKQCLcBGAs/s1600/Win_Dropper_Khalesi_6535750_0_amp.png>)

**ThreatGrid**

[![](https://3.bp.blogspot.com/-4DSXbPmI-JQ/WvXotXozhdI/AAAAAAAAAfQ/9kZFxbrqzY0Vk7i5jbFQr16RsBSZJZkGACLcBGAs/s640/Win_Dropper_Khalesi_6535750_0_threatgrid.png)](<https://3.bp.blogspot.com/-4DSXbPmI-JQ/WvXotXozhdI/AAAAAAAAAfQ/9kZFxbrqzY0Vk7i5jbFQr16RsBSZJZkGACLcBGAs/s1600/Win_Dropper_Khalesi_6535750_0_threatgrid.png>)

* * *

### Win.Dropper.Gandcrab-6530134-0

#### Indicators of Compromise

**Registry Keys**

**Mutexes**

* \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=359814f23c28b0e4

**IP Addresses**

* 66[.]171[.]248[.]178

**Domain Names**

* zonealarm[.]bit
* ns2[.]corp-servers[.]ru
* 1[.]0[.]168[.]192[.]in-addr[.]arpa
* ipv4bot[.]whatismyipaddress[.]com
* ns1[.]corp-servers[.]ru
* ransomware[.]bit

**Files and/or directories created**

* %LocalAppData%\CrashDumps
* %AppData%\Microsoft\jczhdq.exe
* %LocalAppData%\CrashDumps\82128b025ada18df07ae8ea6b24f3cb3a22ff91d8795a697cf03ca28f0601eb3.exe.2772.dmp
* %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\7TZAD419.htm
* %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044\Report.wer
* %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_82128b025ada18df_4525121b7779449a024bea365e36f36721b3e46_9a496044
* %WinDir%\SysWOW64\rsaenh.dll

**File Hashes**

#### Coverage

[![](https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png)](<https://3.bp.blogspot.com/-tSS3VoI1eOo/WPEtzFghLhI/AAAAAAAAA2c/sELBUbsbhFAhWd_8GeacC_PrQGegGhZGQCLcB/s400/all.png>)

#### Screenshots of Detection

**AMP**

[![](https://1.bp.blogspot.com/-QcR88yIN45g/WvXpIFE0HWI/AAAAAAAAAf4/tOcR5XMYPjcG1ZdkL7wGOczfoBr5nC3aQCLcBGAs/s400/Win_Dropper_Gandcrab_6530134_0_amp.png)](<https://1.bp.blogspot.com/-QcR88yIN45g/WvXpIFE0HWI/AAAAAAAAAf4/tOcR5XMYPjcG1ZdkL7wGOczfoBr5nC3aQCLcBGAs/s1600/Win_Dropper_Gandcrab_6530134_0_amp.png>)

**ThreatGrid**

[![](https://1.bp.blogspot.com/-Y6HshBMNOOM/WvXpPSjzEtI/AAAAAAAAAgA/m2NfUjX5LBECKveL8cPewgOU20a44cNAwCLcBGAs/s640/Win_Dropper_Gandcrab_6530134_0_threatgrid.png)](<https://1.bp.blogspot.com/-Y6HshBMNOOM/WvXpPSjzEtI/AAAAAAAAAgA/m2NfUjX5LBECKveL8cPewgOU20a44cNAwCLcBGAs/s1600/Win_Dropper_Gandcrab_6530134_0_threatgrid.png>)