Threat Roundup for April 26 to May 3

Main / Threat Roundup for April 26 to May 3

Discription

[![](https://4.bp.blogspot.com/-OZk_HZUnWw8/XNGon29pJLI/AAAAAAAAGNI/IY-WnPRAA6UTgQH2jV6_IyW_zGeZtU03wCK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg)]()

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 26 and May 03. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here]() that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

* **Win.Malware.Shadowbrokers-6958490-0**
Malware
Uiwix uses ETERNALBLUE and DOUBLEPULSAR to install ransomware on the infected system. Encrypted file names include “UIWIX” as part of the file extension. Unlike the well-known WannaCry ransomware, Uiwix doesn’t “worm itself.” It only installs itself on the system.

* **Win.Malware.Fareit-6958493-0**
Malware
The Fareit trojan is primarily an information stealer that downloads and installs other malware.

* **Win.Malware.Ursnif-6957672-0**
Malware
Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

* **Win.Ransomware.Cerber-6957317-0**
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension “.cerber.”

* **Win.Dropper.Nymaim-6956636-0**
Dropper
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.

* **Win.Dropper.Qakbot-6956539-0**
Dropper
Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

* **Win.Malware.Tovkater-6956309-0**
Malware
This malware is able to download and upload files, inject malicious code and install additional malware.

* **Doc.Downloader.Powload-6956274-0**
Downloader
Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.

* **Win.Dropper.Kovter-6956146-0**
Dropper
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.

* **Win.Trojan.Razy-6956092-0**
Trojan
Razy is oftentimes a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected to a legitimate process.

* * *

## Threats

### Win.Malware.Shadowbrokers-6958490-0

#### Indicators of Compromise

* `00e8030802e8f6b32c9e9b5167ba6854797af91947d605889b5dba3b2a29b74e`
* `054441dbcac05960e2ba1ae81903f4ed48786be51aeb346f4c2cc1162ba1749f`
* `0fa0b6d80e850f42f7d17681b2ff2147694053aa4680ddfcf632ee89d183a6fc`
* `16488c72a0c92c8a72dc78ee9d52cfc4ebf8a6392d9f91f2c966fc99abe05a03`
* `181ce9db0dea2a3a2e08860620c3015e61995a93729cb07e0b157d0e75c73343`
* `229ab5a9502a4f9efaf6b1ae193d49cd529479e4adf0475caa80f0086dd20c31`
* `23e3a6d9ce11a9ceef4f1a0731368a85587d612063d67fb518156fa88e20a277`
* `5a831048eaeed5fa07ae830ebe1ac176cdffd0764a978c89228f45125a8c07c3`
* `749cdaf3de5490da6a5c1900b415e1a10cba45d19593ca98378781d9488b6bee`
* `77f5a8b8c3d9091b5d3f050b2ac6183a9bfb86e8fd1085e96926c513c69cbffb`
* `811fc3535e7e4e67164d12a3a8a5d839365873b53e20f1ac3b5638cba279d0e9`
* `96799361f9e214dcdb35d14f3b93e35736d4f5e11a25e4672989c9b436ee6cdc`
* `a013f2631ac35d43652d5ab7fd30e71187398b5c6ede6081fa6c73fb3f0b469a`
* `ac80e17388fbd1f59b80c411d1449ce90a4ce5ada9d6ced63dc9890bfe5249ea`
* `c29ae0b2992a0320c5d584a7af6ff8dfc590140d0652aa22b374a8b6946a76f3`
* `c74a2a95439224bdef39354f37ccb4ded7ce7ba071aac9d5efe505cdb7a828ac`
* `db1b669b7daffcb3b6be5ba635afe5890d85e3f734a74e9a97c864ebb23ffd30`
* `dc814196d52db10a9231754a3c33b58af9c995490a16c20328a954d8c1918589`
* `e3e7c5bcb49da52952d85f30efbc86830536593e96e6b29f05f22ac14e208ce5`
* `e6d879189c9cfe58aa9f83856eb4849caee841eb71557522c14d38bdd8bc8efe`
* `fcad77aba9a0290e0f25b0512ceadf102aff36c955a319275b3f44565d53c383`

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://1.bp.blogspot.com/-BVdh1EuPokw/XMxzDh4xGKI/AAAAAAAABn4/P0eC0r6sABA-tAUxV2aoe7zRVQXTDxEkQCLcBGAs/s400/16488c72a0c92c8a72dc78ee9d52cfc4ebf8a6392d9f91f2c966fc99abe05a03_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-ENIncY7lWNw/XMxzIy_4zoI/AAAAAAAABn8/lkQzXx2smXIJFQVSpDQlRyhtNI2m73KRACLcBGAs/s400/16488c72a0c92c8a72dc78ee9d52cfc4ebf8a6392d9f91f2c966fc99abe05a03_tg.png)]()

**Umbrella**

[![](https://3.bp.blogspot.com/-Pe8jpDKZflk/XMxzOPjvcgI/AAAAAAAABoA/ucC2fok5MwU1uOo6QojCWWHqO5w7xX02ACLcBGAs/s400/749cdaf3de5490da6a5c1900b415e1a10cba45d19593ca98378781d9488b6bee_umbrella.png)]()

### Win.Malware.Fareit-6958493-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: internat.exe ` | 4
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: AGP Manager ` | 3
`SoftwareWow6432NodeMicrosoftTracingRASAPI32 ` | 2
`SoftwareWow6432NodeMicrosoftTracingRASMANCS ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: EnableFileTracing ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: EnableConsoleTracing ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: FileTracingMask ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: ConsoleTracingMask ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: MaxFileSize ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32
Value Name: FileDirectory ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: EnableFileTracing ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: EnableConsoleTracing ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: FileTracingMask ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: ConsoleTracingMask ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: MaxFileSize ` | 2
`SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS
Value Name: FileDirectory ` | 2
`SoftwareMicrosoftWindows Script HostSettings ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES
Value Name: AGP Manager.job ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES
Value Name: AGP Manager.job.fp ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER
Value Name: Index ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES
Value Name: AGP Manager Task.job ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES
Value Name: AGP Manager Task.job.fp ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER TASK
Value Name: Index ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER
Value Name: Id ` | 2
`SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER TASK
Value Name: Id ` | 2
Mutexes | Occurrences
—|—
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 2
`Remcos_Mutex_Inj` | 1
`rdyboost_Perf_Library_Lock_PID_210` | 1
`usbhub_Perf_Library_Lock_PID_210` | 1
`.NET CLR Data_Perf_Library_Lock_PID_5b8` | 1
`.NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_5b8` | 1
`.NET CLR Networking_Perf_Library_Lock_PID_5b8` | 1
`.NET Data Provider for Oracle_Perf_Library_Lock_PID_5b8` | 1
`.NET Data Provider for SqlServer_Perf_Library_Lock_PID_5b8` | 1
`.NET Memory Cache 4.0_Perf_Library_Lock_PID_5b8` | 1
`.NETFramework_Perf_Library_Lock_PID_5b8` | 1
`ASP.NET_1.1.4322_Perf_Library_Lock_PID_5b8` | 1
`ASP.NET_4.0.30319_Perf_Library_Lock_PID_5b8` | 1
`ASP.NET_Perf_Library_Lock_PID_5b8` | 1
`BITS_Perf_Library_Lock_PID_5b8` | 1
`ESENT_Perf_Library_Lock_PID_5b8` | 1
`Lsa_Perf_Library_Lock_PID_5b8` | 1
`MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_5b8` | 1
`MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_5b8` | 1
`MSDTC_Perf_Library_Lock_PID_5b8` | 1
`Outlook_Perf_Library_Lock_PID_5b8` | 1
`PerfDisk_Perf_Library_Lock_PID_5b8` | 1
`PerfNet_Perf_Library_Lock_PID_5b8` | 1
`PerfOS_Perf_Library_Lock_PID_5b8` | 1
`PerfProc_Perf_Library_Lock_PID_5b8` | 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`47[.]254[.]132[.]217` | 2
`5[.]8[.]88[.]213` | 2
`91[.]192[.]100[.]4` | 1
`185[.]165[.]153[.]19` | 1
`91[.]193[.]75[.]33` | 1
`194[.]5[.]99[.]4` | 1
`103[.]200[.]5[.]186` | 1
`185[.]165[.]153[.]135` | 1
`105[.]112[.]98[.]98` | 1
`129[.]205[.]112[.]132` | 1
`212[.]7[.]192[.]241` | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`snooper112[.]ddns[.]net` | 1
`harryng[.]ddns[.]net` | 1
`popen[.]ru` | 1
`hfgdhgjkgf[.]ru` | 1
`rtyrtygjgf[.]ru` | 1
`icabodgroup[.]hopto[.]org` | 1
Files and or directories created | Occurrences
—|—
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 3
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5Logs` | 3
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5LogsAdministrator` | 3
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5run.dat` | 3
`%ProgramFiles(x86)%AGP Manager` | 3
`%ProgramFiles(x86)%AGP Manageragpmgr.exe` | 3
`%System32%TasksAGP Manager` | 2
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5task.dat` | 2
`%APPDATA%Install` | 2
`%APPDATA%InstallHost.exe` | 2
`%System32%TasksAGP Manager Task` | 2
`%ProgramData%MicrosoftVaultAC658CB4-9126-49BD-B877-31EEDAB3F204Policy.vpol` | 1
`%LOCALAPPDATA%MicrosoftVault4BF4C442-9B8A-41A0-B380-DD4A704DDB28Policy.vpol` | 1
`%APPDATA%remcos` | 1
`%APPDATA%remcoslogs.dat` | 1
`%APPDATA%remcosremcos.exe` | 1
`%System32%driversetchosts` | 1
`%APPDATA%Screenshots` | 1
`%TEMP%install.vbs` | 1
`??scsi#disk&ven_red_hat&prod_virtio#4&2556063a&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}` | 1
`%TEMP%MyttloApp` | 1
`%TEMP%tmpD22A.tmp` | 1
`%TEMP%subos` | 1
`%TEMP%tmpD4E9.tmp` | 1
`%TEMP%subossubose.exe` | 1
See JSON for more IOCs
**File Hashes**

* `0758f55d7c977e33b0c64c6bdf273d1fc639440505d3f015c5d519dc6200017f`
* `17537f41d384c9a3fe385e6ec51feacf23dcab755b26e274bddcb25ad51f3b20`
* `3409a0970239cd2fc61b66db3c6e7c49921b2c828b59530e37dc34504ee46081`
* `446166d1a9e7e1b7e12547510f7de7bc4c281681cce1f9f8576fce9de7b1dc05`
* `5c0016d2122382734395929696e2d737162f797bb4e21ab1cb9af7c9429823bf`
* `63053625336da966b1c41eae9b39dfc6dd6829be50852d657f48cf6351102955`
* `71795cda989e98003d22a59a88951ce0c2b1dd472b5c1bea4f79f03e0f22747c`
* `7634476cf6e1d538bbf9b5dc0b2dad3f55d78a7a0699f0aa3ec1a926867b602d`
* `b0ab801164d28470c2e76fa775ace286b9c218eed099373ba6a6b879cb9473f4`
* `c433ec83fd1ab4c370c218feda1fde4514573278464cff96c053479d5c6aea95`
* `c68c68c512cd5b66fbc56df273f55bc8e9db9e5c3840dc28d905ca676029f86b`
* `dfaf92e94e698ded2dfec6fde877118a2ed30d2709ce8c431d35ca3ce9d7f836`
* `e6a4c246c552c5152b500443a603304bac2edbeb2925c4da2e3bf457351b66c1`
* `f08bf06ef32de3aea50ded12434753f08c336408715fdcc7ab263cf95892bd5b`
* `f5f336ac45dec2fa199ce54cc93035967037f7550ad9ddc89f9dfc91918d57c8`

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://4.bp.blogspot.com/-VRwhkr0dfSo/XMxzbUXUNoI/AAAAAAAABoM/ulp6jDFLV0QC7uQPVLydgf7LxmxdiAooQCLcBGAs/s400/0758f55d7c977e33b0c64c6bdf273d1fc639440505d3f015c5d519dc6200017f_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-Jf4SLlGT8f0/XMxzy-cxeEI/AAAAAAAABoY/KSdQFb7YAk4otz4dCQMj-wodShYCMZrsgCLcBGAs/s400/5c0016d2122382734395929696e2d737162f797bb4e21ab1cb9af7c9429823bf_tg.png)]()

**Umbrella**

[![](https://1.bp.blogspot.com/-hot_JhIbyqA/XMxz7bRW2TI/AAAAAAAABoc/p6GaYDFy_DYK4Rxn_peiBC4wvdsZbFB2ACLcBGAs/s400/e6a4c246c552c5152b500443a603304bac2edbeb2925c4da2e3bf457351b66c1_umbrella.png)]()

### Win.Malware.Ursnif-6957672-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SOFTWAREWOW6432NODEJAVASOFTJAVA WEB START1.6.0_41
Value Name: Home ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLORERLOWREGISTRY
Value Name: AddToFavoritesInitialSelection ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLORERLOWREGISTRY
Value Name: AddToFeedsInitialSelection ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLORERMAINWINDOWSSEARCH
Value Name: Version ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLORERRECOVERYPENDINGRECOVERY
Value Name: AdminActive ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLOREREUPPDSP
Value Name: ChangeNotice ` | 19
`SOFTWAREMICROSOFTINTERNET EXPLORERMINIE
Value Name: TabBandWidth ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
Value Name: CompatBlockPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
Value Name: CompatBlockPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
Value Name: CompatBlockPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Value Name: CompatBlockPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{B4F3A835-0E21-4959-BA22-42B3008E02FF}
Value Name: CompatBlockPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: NewInstallPromptCount ` | 19
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{DBC80044-A445-435B-BC74-9C25C1C588A9}
Value Name: CompatBlockPromptCount ` | 19
`SoftwareMicrosoftInternet ExplorerRecoveryActive ` | 19
`SoftwareMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfilex00000000{63800dac-e7ca-4df9-9a5c-20765055488d} ` | 19
`SOFTWAREClassesTypeLib{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}1.1win32 ` | 19
`SoftwareMicrosoftInternet ExplorerSuggested Sites ` | 19
`SoftwareMicrosoftWindowsCurrentVersionExplorerMenuOrderFavoritesLinks ` | 19
`SoftwareMicrosoftWindowsCurrentVersionExtStats{2670000A-7350-4F3C-8081-5663EE0C6C49}iexplore ` | 19
Mutexes | Occurrences
—|—
`!PrivacIE!SharedMem!Mutex` | 19
`LocalVERMGMTBlockListFileMutex` | 19
`Local!BrowserEmulation!SharedMemory!Mutex` | 19
`LocalURLBLOCK_DOWNLOAD_MUTEX` | 19
`LocalURLBLOCK_HASHFILESWITCH_MUTEX` | 19
`UpdatingNewTabPageData` | 19
`{5312EE61-79E3-4A24-BFE1-132B85B23C3A}` | 19
`{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}` | 19
`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 18
`Local{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 18
`Local{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 18
`Local{B1443895-5CF6-0B1E-EE75-506F02798413}` | 18
`CommunicationManager_Mutex` | 15
`SmartScreen_AppRepSettings_Mutex` | 15
`SmartScreen_ClientId_Mutex` | 15
`LocalURLBLOCK_FILEMAPSWITCH_MUTEX_1760` | 6
`{33B6645E-F685-DDC4-9817-8A614C3B5E25}` | 6
`{9FB8F914-72AD-292E-7443-C66DE8275AF1}` | 4
`{EF2CA93C-8275-F9B6-0493-D63D78776AC1}` | 3
`{1FE6DE6D-F2FC-A937-F4C3-46ED68A7DA71}` | 3
`LocalURLBLOCK_FILEMAPSWITCH_MUTEX_1916` | 3
`{27CB7058-5ACE-F149-9C4B-2EB590AF42B9}` | 3
`BaseNamedObjectsLocal{FCAA51DD-2B0A-8E99-95F0-8FA2992433F6}` | 3
`BaseNamedObjectsLocal{6AE7CB31-C1EF-2C06-9B3E-8520FF528954}` | 3
`BaseNamedObjectsLocal{72534A3F-299C-7437-43C6-6DE8275AF19C}` | 3
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`204[.]79[.]197[.]200` | 19
`185[.]193[.]141[.]60` | 19
`208[.]67[.]222[.]222` | 18
`194[.]147[.]35[.]95` | 18
`13[.]107[.]21[.]200` | 13
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`vmelynaa[.]club` | 19
`resolver1[.]opendns[.]com` | 18
`222[.]222[.]67[.]208[.]in-addr[.]arpa` | 18
`myip[.]opendns[.]com` | 18
`ciemona[.]top` | 18
`zwbaoeladiou[.]xyz` | 16
`fqwalfredoesheridan[.]info` | 16
Files and or directories created | Occurrences
—|—
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-500Preferred` | 19
`%LOCALAPPDATA%LowMicrosoftInternet ExplorerServicessearch_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV0100008.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV0100009.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000A.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000B.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000D.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000F.log` | 19
`%LOCALAPPDATA%MicrosoftWindowsHistoryHistory.IE5MSHist012018082820180829container.dat` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE51NSKV6K6suggestions[2].en-US` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2favicon[2].ico` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXWviews[2]` | 19
`%LOCALAPPDATA%MicrosoftInternet Explorerimagestoreaowwxkhimagestore.dat` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXWfavicon[1].ico` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE51NSKV6K6favicon[2].png` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE56YL4T24Gviews[1]` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2favicon[1].ico` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2` | 19
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXW` | 19
`%HOMEPATH%Local SettingsTemporary Internet FilesContent.IE5C5MZMU22desktop.ini` | 19
`%TEMP%www2.tmp` | 19
`%TEMP%www3.tmp` | 19
`%TEMP%www4.tmp` | 19
`%HOMEPATH%FavoritesLinksSuggested Sites.url` | 19
`%HOMEPATH%Local SettingsApplication DataMicrosoftFeeds{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~WebSlices~Suggested Sites~.feed-ms` | 19
See JSON for more IOCs
**File Hashes**

* `0870f99237954ec3b6c5d2bef78a68484ec211bdd3f98439570d6a316c8a15ee`
* `395a5bb5a15f3d0c277835b62372c985cf718cdd2b1a5a504b5e9433c5dab8a5`
* `44e6613a20fda10678242f331152b6377edc18a3bbece8a7546ef54fe2dbb9d2`
* `4509bfad5dacb2f5ac43483fb991fa5bba25b90a46a1829d5d812be529dff930`
* `5bdab30c2318e1a15917c5a5fa5a970845e473c3df7e3baf134393d9fe7dd1c5`
* `6c29026c61c2bcf1502ffa77b56d2b41504598e6b660cb4f4aadeef547248861`
* `8caac9f128ef6d7cd20ad6395b16fc180456eed45d86b68b49b87b4b57aa0142`
* `8cc7ec0c3662c3e68a0063f9aa37943eb83ac6cd472a76f9f047e0fad21f9875`
* `8df6c10dd50118b2fc7bd380d0423ad0d7a36630f2f6be81fe508eb0b7d409cb`
* `b824f4bb9174eda6738710e1fed13a74088e2c23d8c31ce81ecde3cd03260396`
* `c3f72c971d83fd3ac32d8bbee2d94fe78bcbde553212f3e4c3d626a8d124ccb6`
* `d1d54cc60dfc5957d76c37218d89bf59aaa45c4cc45067af83429280463923e5`
* `e450ad1c3dad95a579f43bf2deb9b58acc8c661e0090a162da75dd66ef608e8b`
* `e7f7e41a55b11e5aee84f519b267c19c5943ca923b8c05d3aff99a47ab074f58`
* `f1fc8274b0155470b6983ba68c70ea5df59196ae8b89366fc4fe922575719536`
* `f58c95835e8a08cbef55c00ae86d03399302cdf7d500ab499f312156f275f2f9`
* `f5e3128f71497dd5ee29c05296c3815466fd2eacc714ce914771d0ede672639c`
* `fb7592a3c2994ba426046328c87f08574c7d367b0c75e206ddfd32cc5d7bfcd0`
* `fb76a896e5ead6658b589c20e715fe18ffec03b9f57f895e14a0d43574de71e3`

#### Coverage

[![](https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png)]()

#### Screenshots of Detection

**AMP**

[![](https://4.bp.blogspot.com/-H1Ettm0gzSk/XMx0FvYiBLI/AAAAAAAABok/SMFny5S-vcswrrMhTi-9_WH6fZx6e8OzACLcBGAs/s400/f58c95835e8a08cbef55c00ae86d03399302cdf7d500ab499f312156f275f2f9_amp.png)]()

**ThreatGrid**

[![](https://4.bp.blogspot.com/-YS9pRIIPp88/XMx0KI0rI_I/AAAAAAAABoo/V2zqIuuF5psb58rYK71FZ9iN9-vuQCw1QCLcBGAs/s400/f1fc8274b0155470b6983ba68c70ea5df59196ae8b89366fc4fe922575719536_tg.png)]()

### Win.Ransomware.Cerber-6957317-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SystemCurrentControlSetServicesNapAgentShas ` | 25
`SystemCurrentControlSetServicesNapAgentQecs ` | 25
`SoftwareMicrosoftWindowsCurrentVersionExplorerStartPage2 ` | 25
`SystemCurrentControlSetServicesNapAgentLocalConfig ` | 25
`SYSTEMCONTROLSET001SERVICESNAPAGENTLOCALCONFIGEnrollHcsGroups ` | 25
`SYSTEMCONTROLSET001SERVICESNAPAGENTLOCALCONFIGUI ` | 25
`SystemCurrentControlSetControlSession Manager ` | 25
`SoftwareMicrosoftWindowsShellNoRoamMUICache ` | 25
`CONTROL PANELDESKTOP
Value Name: Wallpaper ` | 25
`SYSTEMCONTROLSET001CONTROLSESSION MANAGER
Value Name: PendingFileRenameOperations ` | 25
`SYSTEMControlSet001ControlSession Manager ` | 25
`SOFTWAREMicrosoftSystemCertificatesCACertificates189271E573FED295A8C130EAF357A20C4A9F115E ` | 9
`SystemCurrentControlSetControlSecurityProvidersSchannel ` | 6
Mutexes | Occurrences
—|—
`Global3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7` | 25
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25
`BaseNamedObjectsshell.{718951EE-6DB9-E41A-53AA-8B715AE18B45}` | 2
`BaseNamedObjectsshell.{493BC5E1-8EB5-5EFC-281D-65B759CEECC3}` | 2
`BaseNamedObjectsshell.{B1A92788-E01E-5F0F-2EBD-8C1B64B4440E}` | 1
`BaseNamedObjectsshell.{3B5BBD57-DC86-C667-6198-1ED86151C492}` | 1
`BaseNamedObjectsshell.{3290A7F9-5947-C52F-A9C4-FFC568696593}` | 1
`BaseNamedObjectsshell.{A90EDFAB-A502-430E-BDBC-2A277AABA37D}` | 1
`BaseNamedObjectsshell.{FCDAE584-CD77-B6D4-3AF3-33D1E72CBBA2}` | 1
`BaseNamedObjectsshell.{5ED88314-B21B-6A1E-9E28-1194C46E655A}` | 1
`BaseNamedObjectsshell.{0382099C-AC13-59BE-3A2C-B533D776D30C}` | 1
`BaseNamedObjectsshell.{8A1F6AB1-121B-A240-F2AC-6815C5405429}` | 1
`BaseNamedObjectsshell.{6B956E68-ABAA-AB50-EB9F-299C556E0FC1}` | 1
`BaseNamedObjectsshell.{D593CF55-EF38-7E41-B3D1-189932BF5ACA}` | 1
`BaseNamedObjectsshell.{6E8CD1E8-3AA4-8152-A1AC-9DF81B4CF52F}` | 1
`BaseNamedObjectsshell.{CA80F6A6-97F3-B746-F936-72E156EADCA1}` | 1
`BaseNamedObjectsshell.{77337C05-6A9D-48D8-548B-5BC4EDE52644}` | 1
`BaseNamedObjectsshell.{5F59AF38-9EAC-3B8F-A08E-700EC4307348}` | 1
`BaseNamedObjectsshell.{1DEF893E-C150-B52C-8B2C-18DC50905097}` | 1
`BaseNamedObjectsshell.{114716B6-D98A-FB35-E73B-ABDB1C2ECBE3}` | 1
`BaseNamedObjectsshell.{940BFEC0-D658-3349-9964-7D4820AF7C5D}` | 1
`BaseNamedObjectsshell.{DCA07E8B-8FF0-AAD5-5A30-43E0A4FC3355}` | 1
`BaseNamedObjectsshell.{9F3E7036-D399-5D1C-15F0-27F90C81CEA7}` | 1
`BaseNamedObjectsshell.{4D979936-6ECD-C1FC-8B7E-C65E6397B59E}` | 1
`BaseNamedObjectsshell.{2981A90C-3618-499B-5205-FD704DC8D53D}` | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`178[.]33[.]160[.]176` | 25
`178[.]33[.]160[.]175` | 25
`178[.]33[.]160[.]178` | 25
`178[.]33[.]160[.]177` | 25
`178[.]33[.]160[.]179` | 25
`178[.]33[.]160[.]170` | 25
`178[.]33[.]160[.]172` | 25
`178[.]33[.]160[.]171` | 25
`178[.]33[.]160[.]196` | 25
`178[.]33[.]160[.]195` | 25
`178[.]33[.]160[.]198` | 25
`178[.]33[.]160[.]197` | 25
`178[.]33[.]160[.]199` | 25
`178[.]33[.]160[.]190` | 25
`178[.]33[.]160[.]192` | 25
`178[.]33[.]160[.]191` | 25
`178[.]33[.]160[.]194` | 25
`178[.]33[.]160[.]193` | 25
`178[.]33[.]159[.]31` | 25
`178[.]33[.]159[.]30` | 25
`178[.]33[.]159[.]29` | 25
`178[.]33[.]159[.]28` | 25
`178[.]33[.]159[.]27` | 25
`178[.]33[.]159[.]26` | 25
`178[.]33[.]159[.]25` | 25
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`api[.]blockcypher[.]com` | 25
`chain[.]so` | 13
`bitaps[.]com` | 13
`btc[.]blockr[.]io` | 13
`hjhqmbxyinislkkt[.]1j9r76[.]top` | 12
`www[.]coinbase[.]com` | 9
`p27dokhpz2n7nvgr[.]1j9r76[.]top` | 6
`hjhqmbxyinislkkt[.]1bxzyr[.]top` | 3
Files and or directories created | Occurrences
—|—
`%HOMEPATH%DocumentsOneNote NotebooksPersonalGeneral.one` | 25
`%HOMEPATH%DocumentsOneNote NotebooksPersonalUnfiled Notes.one` | 25
`%HOMEPATH%DocumentsOutlook FilesOutlook.pst` | 25
`%HOMEPATH%DocumentsRILLReturn.ppt` | 25
`%HOMEPATH%DocumentsSerialsOverview.ppt` | 25
`%HOMEPATH%DocumentsTSR_Observations_2-14-2007.doc` | 25
`%HOMEPATH%DocumentsVISSpring13Schedule.pdf` | 25
`%HOMEPATH%Documentsbooklaunch_e.doc` | 25
`%HOMEPATH%Documentsfeatureb0906.pdf` | 25
`%HOMEPATH%Documentsgenealogy.ppt` | 25
`%HOMEPATH%Documentsgreenpaper.doc` | 25
`%HOMEPATH%Documentsjames_harrison_public_forum_presentation_e.doc` | 25
`%HOMEPATH%Documentsself-guided_SoE_Tour.pdf` | 25
`%HOMEPATH%Documentssshws_2012rev.pdf` | 25
`%HOMEPATH%Documentstimeentrylimit.xlsx` | 25
`%HOMEPATH%Documentsworkshopagenda10may2001_e.doc` | 25
`%TEMP%d19ab989` | 25
`%TEMP%d19ab9894710.tmp` | 25
`%TEMP%d19ab989a35f.tmp` | 25
`%LOCALAPPDATA%MicrosoftOfficeGrooveSystemCSMIPC.dat` | 25
`DAV RPC SERVICE` | 25
`DeviceNull` | 25
`%APPDATA%MicrosoftOutlookOutlook.srs` | 25
`%APPDATA%MicrosoftOutlookOutlook.xml` | 25
`%HOMEPATH%Local SettingsApplication DataMicrosoftOfficeONetConfig21d4feba3519c30e149fdf62432f198a.xml` | 25
See JSON for more IOCs
**File Hashes**

* `0536d5867571e0ed9998dfe458e7cf42334a9abc67e1cbd9ea3004507f899e3c`
* `17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b`
* `212ef6edb374b8aab38ad19fa15e2e2f4674b7d2cbb024f36b9477fc71c71769`
* `276438f97b45ccd5ff93586ae0adfa3c4e4ba92f1adc87fca607eb6d6bd17919`
* `2b7669616638e5976b1c65b492d9e775ab668648d0b2ca5df81bcbe26b7e1123`
* `33dcb7c8ce845f1840cb6508a67595d415227babe474eae0f3a06383eab16e63`
* `3d5bab5798ad6d27131075732d829b90f3f37d5e63bab43b53a071c002678fce`
* `418a712f9e44f3adba6125d9f3d7ad4a52ffef9d8ad5b485e903a984a4cd8c63`
* `420dc43a8c9200df4138d720415304017b861b3cfddfb5de16af50099f3b0e37`
* `436e308c38fb3872fe1a64be90eed2a86d7f9806cd163c83e83fbfd0edf3f8d8`
* `55e8cb67e967b51aacd85258cc4c5a2d8c7c2ad48e44d6f4ecf9c0a721d4fbfe`
* `57de16edb0bd7e590ad1adf4474b18eb968d72781f0d34f33ee51cf6ed71763e`
* `5da318b569c3cbad701f06f4b26905c5ac95048b748481fae2552653acdeb25b`
* `629c1b76328b10077af530bfc5526fcb5592eefd8fb0b618179a8429bf6b6259`
* `64b193a1fcdd2d2ec2444e989ecb9283a5f7679abfc5dc3efa9a248793e0197c`
* `6e7bc2af711eac2a82384b3738229d3b69f60f1522a0c59f781f4d6731b1f198`
* `763b5c07061e6f306399991efd08ac8b9efb74c37ab6280c840a779fb7ca929c`
* `77ee427b01cecdc4adcdee50b679ddab7ae6175a9ec3ec199b81cbfb3684a172`
* `7e93d6b812b9ba8833a2f6727e35714ae301c8ab8ac9988ae540f4a993e41c05`
* `84d4734cd55e627870c58fe07bd29895cc40726ea235de6980c1ebe73c8f838c`
* `9d60618b662ed064573688abf10cb3eb562b46baceb864a4343e8851b2e6686e`
* `a2dd530ea97e84d507d13eccef73f736ef1c7c2722b82c84e6d84c61f9406f9b`
* `a6943fd03952cc9d1b7a492ca30cc75ecaefdb54e20af0fc0dcbbcc93483d031`
* `a9efbbec61b1901e23bd5d29f2e1c34e9d0e7c41dbd216386ec52489239068fe`
* `b0ba2997331995d24a85a7d4f586fcaaeb4e6b62de46f068d165ef0d13b172cc`
* See JSON for more IOCs

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://4.bp.blogspot.com/-MOjyKPofNTM/XMx0SAyBuSI/AAAAAAAABow/MB5ovY4qOVYK199p_FwALEjic5CIUSxiACLcBGAs/s400/17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-R0_yHyzohfQ/XMx0ZBSH9pI/AAAAAAAABo8/tGilsRPM2u06O_vCsYsjDCNOtyMBF4xTgCLcBGAs/s400/17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b_tg.png)]()

**Umbrella**

[![](https://2.bp.blogspot.com/-2GVWgxLe3os/XMx0gJ2KEGI/AAAAAAAABpA/LW7-e4LrqdsjW0Zo9Ipm-6-7h_8HkTw8ACLcBGAs/s400/05863f8c9b9608169db2678d0cae1bce91a80819c091b9b762dd05cab2dac6ce_umbrella.png)]()

**Malware**

[![](https://2.bp.blogspot.com/-dvHojpZ2G28/XMx0loF5SEI/AAAAAAAABpI/36BmhPMZUfMisnicVzLBKfUDdLKw9qI0QCLcBGAs/s400/17f6fab817ae1a1ac4478c121c3dcfed044924ba4beac8cae734cd14d453596b_malware.png)]()

### Win.Dropper.Nymaim-6956636-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SoftwareMicrosoftGOCFK ` | 19
`SoftwareWow6432NodeMicrosoftTracingtapi3 ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: EnableFileTracing ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: EnableConsoleTracing ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: FileTracingMask ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: ConsoleTracingMask ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: MaxFileSize ` | 19
`SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3
Value Name: FileDirectory ` | 19
`SOFTWAREMICROSOFTGOCFK
Value Name: mbijg ` | 19
`SoftwareMicrosoftFROD ` | 18
Mutexes | Occurrences
—|—
`Local{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 19
`Local{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 19
`Local{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 19
`Local{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 19
`Local{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 19
`Local{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 19
`Local{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 19
`Local{B888AC68-15DA-9362-2153-60CCDE3753D5}` | 19
`Local{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}` | 19
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
N/A | –
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`otmqa[.]in` | 18
`nuyfyp[.]in` | 18
`omctebl[.]pw` | 18
`qxqdslcvhs[.]pw` | 18
`eyhwvkyswsts[.]in` | 18
`lqeyztwnmqw[.]pw` | 18
`tgkddewbn[.]in` | 18
`bibmbkjvelox[.]net` | 18
`mpoghxb[.]net` | 18
`zglevl[.]net` | 18
`cixhrfbok[.]com` | 18
`yqxpvvbvncxr[.]com` | 18
`vhmfwvrbln[.]net` | 18
`pyioepars[.]com` | 18
`iwxbgsvj[.]net` | 18
Files and or directories created | Occurrences
—|—
`%ProgramData%ph` | 19
`%ProgramData%phfktiipx.ftf` | 19
`%TEMP%gocf.ksv` | 19
`%TEMP%fro.dfx` | 18
`Documents and SettingsAll Userspxspil.ohu` | 18
`%LOCALAPPDATA%7z2` | 5
`%APPDATA%s269` | 5
`%ProgramData%hm94p64` | 3
`%LOCALAPPDATA%2870` | 3
`%APPDATA%710i5v8` | 3
`%ProgramData%5n3` | 3
`%ProgramData%m2` | 3
`%ProgramData%j91z` | 2
`%LOCALAPPDATA%9b8` | 2
`%APPDATA%mb31` | 2
`%ProgramData%6745h` | 2
`%ProgramData%63h6c` | 2
`%LOCALAPPDATA%546byxl` | 2
`%APPDATA%k5f5` | 2
`%APPDATA%1ok411c` | 1
`%ProgramData%84q9q` | 1
`%LOCALAPPDATA%6b0d19t` | 1
`%APPDATA%9980c` | 1
`%ProgramData%2p077d` | 1
`%LOCALAPPDATA%ja68siv` | 1
See JSON for more IOCs
**File Hashes**

* `0a79d985e81449aeabc401545955323e3d9fa0951a6fabe8727370679cee362c`
* `2d7e1dee56892ffe3fa7b85e33ef512e8017ce690a1118ad743736ba03c70c29`
* `2f017b1f3b3d430266be3da2be7b050dad8d2bbdfe457d6d053f2ca312c90691`
* `33c2883874a24e9abbd993f5d06b8596483d33a388b4832f7e8ed3585dab0f80`
* `4268fb8266c18ba7392e2ac655dad69b952bcfce10a71b34a821f0ea32a02954`
* `470dad272252de1d8631e7026ee324fa9238f722707a26f56b6377f2588a7b16`
* `4ff4835419292e13a5d7be1fe2b3b6a000a07f733948e5865b09082e91ef364b`
* `50bc7a1d67f67fbe4faaa7e1968addc631ee65c05dffdac6decfd021306d17c7`
* `5814f51e35d047cfd4e2b4d76bb2b401d70a860747b7ba817fe3bb035dea1b98`
* `68e743d3ab393a17a9120260b6e2c1a1fcea3ba32cebc06aa1970d62198f266d`
* `7e95831b38b1a32402ba5b6251180aca1b1cad457be756612b3ffe1ebf40dce2`
* `8b307748efc603648524dc47202a550bfcaee9a3a23da4f99802aef2e789d6cd`
* `9260c5ea2694dd47cbe563d7d39518d4b4f1249499dcae387e2da9955723286f`
* `a92aec525fddbe52002ba700344043cd99b8d1323728b9cc2114e64bf83c7ce3`
* `aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b`
* `b01ecd3e51d9efea860568d3ae336c7d3514f08bca6d3ba9c5cfd3ad069ec3fe`
* `d618459cbcf86c6797850757003d53db2f8bcc89364bf7de806f89f1736bf1cd`
* `d6a5f0855e7e2c8968e90159b42853361187b41d692626273807361c27bd5a37`
* `db421df81c436e54428bcaddcb394568afcd6769e88809a2634ea678643ec811`

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://4.bp.blogspot.com/-NpUF5vmE_qc/XMx0udM30eI/AAAAAAAABpU/uD3qfRmVKYIPOqIVRTYsAEcj5ZSoi62mACLcBGAs/s400/aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-vUv8vwwdspU/XMx0yKkHIdI/AAAAAAAABpY/skwI70TmeA0P23ZVfdagsR4QfoCMopNlgCLcBGAs/s400/aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b_tg.png)]()

**Umbrella**

[![](https://2.bp.blogspot.com/-TEyBbwpg2Jo/XMx03R3ED0I/AAAAAAAABpg/2P-vC5PMU84dJFuQk9_bnHZks8HDKA4AwCLcBGAs/s400/aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b_umbrella.png)]()

### Win.Dropper.Qakbot-6956539-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: internat.exe ` | 25
`SoftwareMicrosoftSystemCertificatesUserDS ` | 25
`SYSTEMCONTROLSET001SERVICESaqejpwsx ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: Type ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: Start ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ErrorControl ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ImagePath ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DisplayName ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DependOnService ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DependOnGroup ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: WOW64 ` | 25
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ObjectName ` | 25
`SOFTWAREMicrosoftSystemCertificatesDisallowedCertificates7D7F4414CCEF168ADF6BF40753B5BECD78375931 ` | 3
`SOFTWAREMicrosoftSystemCertificatesDisallowedCertificates637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 ` | 3
Note that other Registry Keys are leveraged that may contain unicode characters. See JSON for more IOCs|

* `04a19e4e2d700292ba4ce5659e97413112bd079dacdbaf8a2387e6f6559dcba3`
* `117466b3e9dabd69d510d9e034eec875d9ca2ad9dbb8c5d123b388ac2a65ebbf`
* `17d23f910311aeb341ee348586bb212d1cddb70152bc4d1bc31ac579693d7741`
* `1b0573fb381b291b12cf7db4bfb6deb78e688c9c3076908e8581199169b8514a`
* `1c0c7d00ccfb9f12299fd7df7ec2ad497cb6c8fa60b903694f2d2bf54af7c30c`
* `278bc2f23ef0a5a79e36f1dca261bbf67f87aef637e76373061654353fc3f716`
* `33ba38fa1bfaab98c6ba48eb2a2fb3155b51118e9ef79642418e0903e2b2e008`
* `51390b6bde9196f7c0319c1253d08233202f6b4110b8c33557a2d2895f868769`
* `548c5b819c109a61e1ff6bc74bd43ad2702ed44e479dd6600da3bb9d5a9ca72e`
* `5b3cd274c3c0349f7d67238994e53e4a842a82e9e15905510a93b4d6643621e7`
* `611f34dcdcce11b0e48779e0fcfd950437614e603673903c8b342bdd2a34ce1a`
* `620e4f53e698c59971f4633cad4c7966f3432aeec0a6315b82a5dae8c13577c9`
* `6f6e53de5fb48c34cce494113f04e1b32d3dd85d8071023b2dff1febb1686c7f`
* `6fd63887adf0e0d4894d3b648e8be0d20474579f60138915b5e3e3a9761f43bc`
* `783a7e50bddf9b5c9547a8fabc7470fabdbe4410df76148dd6c5c81dfb7e6506`
* `7e7e09137fda05e6292d8d9646ab5bc18fd136b06aa77833819ccc46d79c4859`
* `7e9ab6bf4ee2141f4702e0cf4348340293c429416f7676c7946e940321220375`
* `8412cd2e7e60ac2d32bf43f350f8ce806876f54c2ed9b6d0f895179d289a1803`
* `84e0ad1b2d1ca15e2ea16d6d57b81a63af18f664b171ad9d144e710ad2e3cb75`
* `8786a734c5f7fccca5b87c04c5531bff6ec323a29860063c2ba31941706c83a3`
* `914960db7ffbdd3a5a5a98b740f724c0ab9469fcbdd547561622809e5d3c6396`
* `93ac57e8f8e341c84e25dd0c14f014d23f55e24a175b443f4cd399a086e70965`
* `98170c08d421f79a308074befb2c4e799db06e28ce10cea9d435c5868d1e6f36`
* `9d8dfe92711ea955120f4fdbb3b2d0cf37ff79ac74572c867c44da7d404213fa`
* `a0903affbe9bd3176863d83a9e57808aa55a3ea8695d09dbbd2d8f3f1d22e812`
* See JSON for more IOCs

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://1.bp.blogspot.com/-RhbSQz9CCck/XMx5rcLa5wI/AAAAAAAABp0/38Q5plfYQIAnfDBp6nvVNRGgqkJ07789QCLcBGAs/s400/98170c08d421f79a308074befb2c4e799db06e28ce10cea9d435c5868d1e6f36_amp.png)]()

**ThreatGrid**

[![](https://4.bp.blogspot.com/-6pwOCIwlYsY/XMx5xKGMPHI/AAAAAAAABp4/IKfNhwAzlmI-ha2snUU9OmrXDD-6KuctQCLcBGAs/s400/98170c08d421f79a308074befb2c4e799db06e28ce10cea9d435c5868d1e6f36_tg.png)]()

**Umbrella**

[![](https://3.bp.blogspot.com/-xIMmgSYrb5g/XMx51_DsAkI/AAAAAAAABp8/D6UPKjNI0yknxJo34efE12HTtN6eivb4QCLcBGAs/s400/0dfc7e8a60e8512f72fe45bcd2ff42edfe4008e984ff699c14a5b018750f267d_umbrella.png)]()

### Win.Malware.Tovkater-6956309-0

#### Indicators of Compromise

* `0b1c46b5535b4fc30fd8d813255220d3715d0bd7623e094e684af13a1c12f579`
* `0d806734aacf391b1c304155e8f186d7c354c46d08b5f2cb70c2a6029dba2e0e`
* `1187cf65c782ea451e0a46f8e5ea18f8133cc209d58db1c08793bb086b96df4f`
* `21a9fb85cec099bdc2bf419b9bc07dbe6f9b1dc40b8e2853c119093706d1a3a8`
* `2e23eb71950087f2212e0e591fa462b1706571fe55c87454de7003de4a982d95`
* `30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b`
* `35dae148e6507526256336e36eb9858dcf17c73f86c332582cd53af43c887f0a`
* `368e24183133ba0c4a7fb06b255458754e6662d6be0df18f44b7304b7f1438d7`
* `3dc644f5a69d86aeab33c6879bb508b59049d17a74cca73f15b160578ee0a358`
* `42f86e50ca2180192d30c556d001cf8720d17094850164e811872f1c864f10cb`
* `43150f037e396e69ff8e1e1d1da7e33614f100fba6b6133a99174a8bcc56d8c5`
* `46e6b3d8c0cff0c9dca7ee7fae9b15c7b23865f546533ee00be0d594f6d03a40`
* `4b0232b305a8504700570c6e177d0c1815924031908f2f2d5fe61510174804c5`
* `52e70ec3517105cdabea6b3448d4568fbca560683e7e90070d0209ea1a002de7`
* `5b1a72a9d50e9e41662848965957cf3b537a923f12a02d022d7e40bc76d6a59d`
* `5f16228ceca9d4d628bcddf5da07ddd8140b19c3458ba287b5e0a9a4533929c9`
* `626f2dbe08fcf4192f709111ca3f2ce5975cb9ac7bac7b007158b8e74070c403`
* `62bae87f17d56c22f89ec9c41c2e3bf76139df7a4a4c710e088ec9483918cf9b`
* `63d3a47aa0f89009ecc37199d269c8c3184d32e0632c3f1c1857dafd2aee7ae4`
* `67b73d01d619d30bc56d0f772207df38b68a433b1050137bb93a54e746c1c34f`
* `67ffbd39d1ebbceb4936645c822a10b6b71dc289acd026b1b4259f01c2168e8f`
* `6c2eae55f0ff4cb79a53f932a481812c7b8c5d61ff0aadf47c4211d676cc97b4`
* `6d0f17cdc45a3867ec8c89ae3cf9ef2264b4889fc135417857e04d8109ec62ec`
* `7b4c241497ba6cef5a8abc35d4c795e7c8b0b3d4a292a843d14d4389ddef57b7`
* `7dbb52a1de75d201b0565062452e81a210cc597ac4626aa95bf478562aa082cd`
* See JSON for more IOCs

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://2.bp.blogspot.com/-_H4KeaM5dbM/XMx59bSKckI/AAAAAAAABqE/JXhP4TE2ATkzrKIu6heuF1ion8Ghq1KPwCLcBGAs/s400/30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-RccXZydvWKo/XMx6BJPeeJI/AAAAAAAABqI/Z2sg3kFAzvAGcIDBZUU-KWcQklMjz-x4ACLcBGAs/s400/30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b_tg.png)]()

**Umbrella**

[![](https://4.bp.blogspot.com/-NSmTV6bXVMw/XMx6GFlcaBI/AAAAAAAABqM/v252SXuiNFIP3btS7CA8WhKbNX4D56EwwCLcBGAs/s400/0d806734aacf391b1c304155e8f186d7c354c46d08b5f2cb70c2a6029dba2e0e_umbrella.png)]()

### Doc.Downloader.Powload-6956274-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`INTERFACE{8BD21D42-EC42-11CE-9E0D-00AA006002F3} ` | 29
`INTERFACE{8BD21D52-EC42-11CE-9E0D-00AA006002F3} ` | 29
`INTERFACE{8BD21D62-EC42-11CE-9E0D-00AA006002F3} ` | 29
`INTERFACE{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} ` | 29
`INTERFACE{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} ` | 29
`INTERFACE{79176FB2-B7F2-11CE-97EF-00AA006D2776} ` | 29
`INTERFACE{4C5992A5-6926-101B-9992-00000B65C6F9} ` | 29
`INTERFACE{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} ` | 29
`INTERFACE{47FF8FE0-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE1-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE2-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE3-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE4-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE5-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE6-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE8-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{47FF8FE9-6198-11CF-8CE8-00AA006CB389} ` | 29
`INTERFACE{5CEF5613-713D-11CE-80C9-00AA00611080} ` | 29
`INTERFACE{92E11A03-7358-11CE-80CB-00AA00611080} ` | 29
`INTERFACE{04598FC9-866C-11CF-AB7C-00AA00C08FCF} ` | 29
`INTERFACE{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} ` | 29
`SYSTEMCONTROLSET001SERVICESsourcebulk ` | 29
`SYSTEMCONTROLSET001SERVICESSOURCEBULK
Value Name: Type ` | 29
`SYSTEMCONTROLSET001SERVICESSOURCEBULK
Value Name: Start ` | 29
`SYSTEMCONTROLSET001SERVICESSOURCEBULK
Value Name: ErrorControl ` | 29
Mutexes | Occurrences
—|—
`GlobalI98B68E3C` | 29
`GlobalM98B68E3C` | 29
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`159[.]0[.]130[.]149` | 29
`191[.]92[.]69[.]115` | 29
`69[.]25[.]11[.]28` | 29
`88[.]198[.]20[.]57` | 29
`212[.]129[.]63[.]132` | 24
`198[.]58[.]114[.]91` | 18
`74[.]208[.]5[.]15` | 16
`209[.]85[.]144[.]109` | 10
`77[.]111[.]149[.]55` | 9
`74[.]6[.]141[.]50` | 8
`173[.]201[.]192[.]229` | 8
`74[.]208[.]5[.]2` | 7
`209[.]85[.]144[.]108` | 7
`17[.]36[.]205[.]74` | 7
`182[.]50[.]145[.]3` | 6
`67[.]195[.]228[.]95` | 6
`196[.]35[.]198[.]134` | 6
`54[.]88[.]144[.]211` | 6
`149[.]255[.]56[.]242` | 6
`184[.]106[.]54[.]10` | 5
`64[.]26[.]60[.]229` | 5
`173[.]203[.]187[.]14` | 5
`205[.]178[.]146[.]235` | 5
`212[.]227[.]15[.]167` | 5
`212[.]227[.]15[.]183` | 5
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`ises[.]com[.]pl` | 29
`ingenla[.]com` | 29
`hicast[.]tn` | 24
`smtp[.]mail[.]com` | 16
`secure[.]emailsrvr[.]com` | 14
`smtpout[.]secureserver[.]net` | 14
`smtp[.]office365[.]com` | 13
`smtp-mail[.]outlook[.]com` | 10
`smtp[.]1und1[.]de` | 10
`smtp[.]aol[.]com` | 8
`smtp[.]emailsrvr[.]com` | 7
`smtpout[.]asia[.]secureserver[.]net` | 6
`smtp[.]1and1[.]com` | 6
`smtp[.]rediffmailpro[.]com` | 6
`smtp[.]comcast[.]net` | 6
`smtp[.]263[.]net` | 6
`spam[.]pantos[.]com` | 6
`mail[.]longi-silicon[.]com` | 5
`smtp[.]prodigy[.]net[.]mx` | 5
`mail[.]huaqin[.]com` | 5
`betmngr[.]com` | 5
`smtp[.]yandex[.]com` | 4
`smtp[.]zoho[.]com` | 4
`smtp3[.]netcore[.]co[.]in` | 4
`smtp[.]mweb[.]co[.]za` | 4
See JSON for more IOCs
Files and or directories created | Occurrences
—|—
`%SystemRoot%SysWOW64configsystemprofileAppDataLocalMicrosoftWindowsTemporary Internet Filescounters.dat` | 29
`%HOMEPATH%423.exe` | 29
`%SystemRoot%SysWOW64version.dll` | 1
`%SystemRoot%GlobalizationSortingsortdefault.nls` | 1
`REGISTRYMACHINESOFTWAREClassesWord.Document.8` | 1
`%TEMP%CVR90.tmp` | 1
`%SystemRoot%SysWOW64sourcebulka.exe` | 1
`%SystemRoot%SysWOW643HqWfmuWUBgMP.exe` | 1
`%SystemRoot%Temp76D.tmp` | 1
`%SystemRoot%SysWOW64jq9Mk4Che.exe` | 1
**File Hashes**

* `1e0b73c5ec4b9516709c10ec708fc295df021451f958a89144d79d99604b3664`
* `325701284bf17203d71a9c5b4d46e4f7b651164ab92c643fe64a3e3bc2844dad`
* `3537f5cfc0ad20b8061b67f82dc43a7ac1856391bece8158023fcc3d6699f75a`
* `35965e3b9cff6a78e1331ed07f5e327a91301b5b023b20fb0c107bc3574b3a08`
* `3889458cad2eccfcd7f8ec5c842dd30edec24f36a37abde0e9359dd7117524e7`
* `3eb7c725b886abf672613a63d1c17c479f1144f1262a6c3cd66a44fe74581383`
* `407f21c8583dbf70a0069162b9f7c0ec142b63e05d4d94ec8e4c85345bf759d9`
* `51ee3cc17fa697ec7de8a60ea5ad2af4195de73c95401b1b17e7b9c346ed9c1a`
* `5a33cba1e854fb298486fe6ba6ebb071e045cb698aec109561178b2a66567662`
* `5eefdd75abcd812db0c1fe74f071dcb2c50ac7c9b73144900b9918fe8930af2b`
* `601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3`
* `65344e20c9e346e62bec15f369fcdbb619d64b362483feb36a6d60e3007c22db`
* `6f5795d34e8fa33548042554f0b05b6e79e9a68783f28a196476261a0de0e068`
* `72966d743059492c8caf5689758cdf98275e087cf5bf9d0e7914db1e4472fc05`
* `751ccbeabee910ea022ebc97fde11d5e1c3bba9f83b6d2df09a927924eb1e60e`
* `77ccc470c377e4a22e0091d0abd3f91cec17b6e06c0e17d8f87dbbbd735bfe0b`
* `7bfa867554a7f1a6a891712cfdaaf519bd44bdf53e0047930890495c9655ab7e`
* `8391f3706e60079dbdbeee083f8bda85915cc763bd683bb00270f694a031c66a`
* `9e40d6af4d13a6d65e179c109b4676c691fbf0b2de6deb0d84625e654989fa0d`
* `9fe28f27c0db9df3580f65069affb7f47171d910f69035ffdeeac5a545ab4ec9`
* `a1be08364eef857af56f506b206e780c803c212b76dbac8dc17e7983d08f65ff`
* `a50d314e9c13d667641b11c73695980d1fd4cc0020cd7f760bdbd88bf95b1c3c`
* `a95ddd15ef6f38762fbc16ca31539aabbf15c3c10d0c103cb4c204c88bfbbadf`
* `ac957b3a3b4e8d75ead5dabd4b70e28e27a697a719322071d66cfb796d3b28f6`
* `b1709a55b71ba9559aa839eb5304e2fc2388ae6275771b6cbbf8f49ac3e355fa`
* See JSON for more IOCs

#### Coverage

[![](https://1.bp.blogspot.com/-9t2Of3KWq7I/Wz-6a6Dy3kI/AAAAAAAAAbk/5J2B6tJuFS44Fz9CyF7x9wPcTvmCLrV1gCLcBGAs/s320/all-selected-except-cloudlock.png)]()

#### Screenshots of Detection

**AMP**

[![](https://2.bp.blogspot.com/-yfcqD2dtFgU/XMx7CfRZxnI/AAAAAAAABqk/SNwjHtqNUJUslvXuK_ixZs-F-KcXeoauQCLcBGAs/s400/601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3_amp.png)]()

**ThreatGrid**

[![](https://4.bp.blogspot.com/-_0n2qcNPflQ/XMx7HGK0R9I/AAAAAAAABqo/gY0U0z5YTFMasnDd7LChMrQHKdhAp2n1QCLcBGAs/s400/601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3_tg.png)]()

**Umbrella**

[![](https://4.bp.blogspot.com/-qmxZxlQaE4o/XMx7TH1g3NI/AAAAAAAABqw/XmJdBrfCWHg9Ok8l8sWkPecqXWx2nBKZACLcBGAs/s400/3537f5cfc0ad20b8061b67f82dc43a7ac1856391bece8158023fcc3d6699f75a_umbrella.png)]()

**Malware**

[![](https://4.bp.blogspot.com/-7cb_d282o3Q/XMx7Yn6gQwI/AAAAAAAABq4/hd9nHXMGfFYbw2YaeVuSZSUASXYL6gdIgCLcBGAs/s400/a1be08364eef857af56f506b206e780c803c212b76dbac8dc17e7983d08f65ff_malware.png)]()

### Win.Dropper.Kovter-6956146-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: internat.exe ` | 25
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATE
Value Name: DisableOSUpgrade ` | 25
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEOSUPGRADE
Value Name: ReservationsAllowed ` | 25
`SOFTWAREWOW6432NODEXVYG
Value Name: xedvpa ` | 25
`SOFTWAREXVYG
Value Name: xedvpa ` | 25
`.8CA9D79 ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: vrxzdhbyv ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: ssishoff ` | 25
`SOFTWAREPOLICIESMICROSOFTWINDOWSWindowsUpdate ` | 25
`SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEOSUpgrade ` | 25
`SOFTWARExvyg ` | 25
`SOFTWAREWOW6432NODExvyg ` | 25
`c3b616 ` | 25
`C3B616shell ` | 25
`C3B616SHELLopen ` | 25
`C3B616SHELLOPENcommand ` | 25
`.8ca9d79 ` | 25
`SoftwareMicrosoftInternet ExplorerMainFeatureControlFEATURE_BROWSER_EMULATION ` | 25
`SOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_BROWSER_EMULATION ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting ` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting ` | 25
`SOFTWAREXVYG
Value Name: tnzok ` | 25
Mutexes | Occurrences
—|—
`EA4EC370D1E573DA` | 25
`A83BAA13F950654C` | 25
`Global7A7146875A8CDE1E` | 25
`B3E8F6F86CDD9D8B` | 25
`BaseNamedObjects408D8D94EC4F66FC` | 24
`BaseNamedObjectsGlobal350160F4882D1C98` | 24
`BaseNamedObjects53C7D611BC8DF3A` | 24
`BaseNamedObjectsGlobal9F84EBC0DC30D3FA` | 1
`BaseNamedObjectsCF2F399CCFD46369` | 1
`BaseNamedObjects8450CD062CD6D8BB` | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`107[.]160[.]89[.]93` | 2
`123[.]94[.]5[.]73` | 1
`6[.]179[.]232[.]209` | 1
`132[.]130[.]129[.]202` | 1
`87[.]221[.]222[.]176` | 1
`222[.]187[.]133[.]238` | 1
`126[.]207[.]27[.]58` | 1
`191[.]12[.]150[.]189` | 1
`92[.]253[.]215[.]124` | 1
`53[.]136[.]182[.]72` | 1
`188[.]232[.]142[.]236` | 1
`75[.]134[.]228[.]137` | 1
`15[.]17[.]189[.]214` | 1
`218[.]10[.]226[.]184` | 1
`160[.]60[.]207[.]38` | 1
`107[.]98[.]132[.]113` | 1
`134[.]68[.]158[.]4` | 1
`56[.]177[.]25[.]24` | 1
`52[.]196[.]162[.]138` | 1
`133[.]251[.]164[.]106` | 1
`108[.]118[.]74[.]142` | 1
`33[.]198[.]16[.]9` | 1
`18[.]75[.]88[.]134` | 1
`58[.]184[.]135[.]77` | 1
`77[.]189[.]216[.]194` | 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
`www[.]cloudflare[.]com` | 1
`bleez[.]com[.]br` | 1
`lojadeunatelha[.]com[.]br` | 1
`revenda[.]lojadeunatelha[.]com[.]br` | 1
`easyfax[.]nrtnortheast[.]com` | 1
`www[.]username[.]n[.]nu` | 1
`www[.]n[.]nu` | 1
`staticjw[.]com` | 1
`www[.]acquia[.]com` | 1
`network[.]acquia[.]com` | 1
Files and or directories created | Occurrences
—|—
`%LOCALAPPDATA%4dd3cc519d0f.bat` | 25
`%LOCALAPPDATA%4dd3cc8e9866.8ca9d79` | 25
`%LOCALAPPDATA%4dd3ccd95adb.lnk` | 25
`%APPDATA%b08d66b3c0b.8ca9d79` | 25
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-500Preferred` | 25
`%LOCALAPPDATA%4dd3cc` | 25
`%APPDATA%b08d66` | 25
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartup91b4e5.lnk` | 25
`%APPDATA%db7ac227.a7783` | 24
`%HOMEPATH%Local SettingsApplication Dataf4fa97ea.lnk` | 24
`%HOMEPATH%Local SettingsApplication Dataf4fac0ce.bat` | 24
`%HOMEPATH%Local SettingsApplication Dataf4fad5a9.a7783` | 24
`%HOMEPATH%Start MenuProgramsStartupd733.lnk` | 24
`%HOMEPATH%Local SettingsTemporary Internet FilesContent.IE5C5MZMU22desktop.ini` | 3
`%APPDATA%MicrosoftWindowsCookiesS2KTL2FI.txt` | 2
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd8-6118f60c376b` | 2
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd0-5619f60c376b` | 2
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdf-6619f60c376b` | 2
`%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXW1E8X74FH.htm` | 2
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdf-5e19f60c376b` | 2
`%APPDATA%MicrosoftWindowsCookiesTSDIW0B.txt` | 1
`%APPDATA%MicrosoftWindowsCookiesUGH0HZQB.txt` | 1
`%APPDATA%MicrosoftWindowsCookiesZLTD4G06.txt` | 1
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd2-6219f60c376b` | 1
`%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdd-6619f60c376b` | 1
See JSON for more IOCs
**File Hashes**

* `0699fc68be026ed52555783f4ca395dcd68dd93898e9ee1756e0ffe9493c300a`
* `06a3a8ebf6965042378a003857434f775a014293830a3d02d468b02b02f13329`
* `0826313d6cdb1c85d39edf77f5faeaff0241f09a8bc6ad8ea4453cab46628dd6`
* `2adfbe4ebd34d062e774d20d300e80ec31cdf4d59b018be2a45e644341c55f97`
* `2e7aa46acaacad3f7e1675d3090ae7669efcffb91beb976cdf93d69782fe5453`
* `2fbdb93de7475386719d620bd685b955ec05cca0f458579daa9932023351040b`
* `31d170788a623341e4d6636e1dec87b9812a1967441415bcb8097d3b4a4bdfee`
* `3337a63c7f42977759f9a961af5c7265abfe0489d68c48f90d066b40d84c0ddd`
* `3754208c5f620f262726467daac435fbcc3a262dde1620c876b72459750fc90d`
* `39b74f9fad057cc9603e2a7a716236c9671dc08abdf7e64c37ef2d2b53acf691`
* `4297d27c8909c9c40b311827f40bf195ffbb6c1ee8bef5f9203465cb10cab9bc`
* `477c74758b4c59334fcdb2051089efbe191d2cda4252aecea59b13bb93bfb101`
* `4802c24fcb2d97233d22b26077714ca09fe47f6602586da0f96965af41adecb6`
* `4be5d24a7846b4ef102b47c0488140194b49c145353259fc581fa0da4068d84a`
* `4e3b31344f80b1693ee28cedb5109a9a4e522c8ef225f6087e480954fa76b3d6`
* `5061a14b94f0794e79e4cc57a49a38c422cf30171df07282a5de10fbac455b01`
* `50939d9ddcc87d1d2e8a3c81a7683b42beeb86471fd2e4da903f062086203d5e`
* `58f3ac23dd98672c20e01c5963b11fba8b077031c7ac41f156a37d2306b812aa`
* `66d2f5f39b4fbb1cab2a4c23d696add166f6dec3ae4dcba20a1c2f89b35d4b08`
* `7199c5b3a081ae13f6b6fc457196f62ecaf3240b39b728f1255f9d3ccc86f853`
* `812e4481d2e23732e41d4e58cd19eccbd53fceba8273ea9bbd1bcaf3da13766f`
* `822bf74cf43fdfd74ef7edd6a4c52dc2ca32dd8a866afbdbd4ae933cd531dd6e`
* `8580001fd28261a74f92594fe42a01012e202e3322a35004857b6881fa73ee9a`
* `8e9f427bca537dfa11df3360b71788dc2dd70cfad927d852094f1c07e8cf2c64`
* `94ff1192ecf870614b1f98103ade1ba1ad46153ddeb8a0c3a07a76ab4461e377`
* See JSON for more IOCs

#### Coverage

[![](https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png)]()

#### Screenshots of Detection

**AMP**

[![](https://3.bp.blogspot.com/-7geJuPHxoz4/XMx7oihHK2I/AAAAAAAABrA/IZP8_ArpScQ6nokhkaeyBvpSEefobT3EACLcBGAs/s400/4297d27c8909c9c40b311827f40bf195ffbb6c1ee8bef5f9203465cb10cab9bc_amp.png)]()

**ThreatGrid**

[![](https://2.bp.blogspot.com/-eHvP38Ww1BQ/XMx7sS3cF7I/AAAAAAAABrI/ppydN_8CNVEBhc2A9AnG5EGh1LVwlUl0QCLcBGAs/s400/4297d27c8909c9c40b311827f40bf195ffbb6c1ee8bef5f9203465cb10cab9bc_tg.png)]()

### Win.Trojan.Razy-6956092-0

#### Indicators of Compromise

Registry Keys | Occurrences
—|—
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: internat.exe ` | 25
`SYSTEMCONTROLSET001SERVICESavkaxoq ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: Type ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: Start ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: ErrorControl ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: ImagePath ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: DisplayName ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: DependOnService ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: DependOnGroup ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: WOW64 ` | 19
`SYSTEMCONTROLSET001SERVICESAVKAXOQ
Value Name: ObjectName ` | 19
`SYSTEMCONTROLSET001SERVICESaqejpwsx ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: Type ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: Start ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ErrorControl ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ImagePath ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DisplayName ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DependOnService ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: DependOnGroup ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: WOW64 ` | 6
`SYSTEMCONTROLSET001SERVICESAQEJPWSX
Value Name: ObjectName ` | 6
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: mrldn ` | 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: ovsuw ` | 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: twgqm ` | 1
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
Value Name: eqlshtrx ` | 1
Mutexes | Occurrences
—|—
`llzeou` | 25
`Globalamztgg` | 19
`amztgga` | 19
`Globaleqfik` | 6
`eqfika` | 6
`BaseNamedObjectseucofa` | 1
`003c194a95c7849375590c48f1c5bc5fÐ÷XAdministra` | 1
`02b5f67a3eba31421dc595a7efed8e0a` | 1
`0e390dd0547334471c08c3b8b4e7ec3aÐ÷IAdministra` | 1
`087ddce345ea3ed2fed8d02dd466026cÐ÷QAdministra` | 1
`14a95d66f90495fcc278258097ed704aÐ÷ Administra` | 1
`10435b4efc8049d260d4b36673f7d656Ð÷.Administra` | 1
`1dd13f0648a70754c883c6262c3633c1Ð÷CAdministra` | 1
`3afec20c013fca0abef646a7a6f0f5cdÐ÷dAdministra` | 1
`385f6390936d000f4d9db3e30b117aca` | 1
`3dede5abeacdabc758f70beef2984aca` | 1
`3f61be1a4bcb773c48a6dc7ed4898387Ð÷:Administra` | 1
`401b399a3aa67d42306ce7291299b7f2Ð÷6Administra` | 1
`897b0a510174cbc4757982703e42a0ca` | 1
`76097734f64ce5ae9b008273431fa4c8Ð÷9Administra` | 1
`8ae8d944960e54c7a833875f71bdae62Ð÷2Administra` | 1
`88cb1af973183aa93bf10d74440333b6Ð÷/Administra` | 1
`BaseNamedObjects380065180a` | 1
`BaseNamedObjectsgetnia` | 1
`BaseNamedObjectsxabzsenoa` | 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
—|—
N/A | –
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
—|—
N/A | –
Files and or directories created | Occurrences
—|—
`%APPDATA%MicrosoftAmztggm` | 19
`%APPDATA%MicrosoftAmztggmamztg.dll` | 19
`%APPDATA%MicrosoftAmztggmamztgg.exe` | 19
`%TEMP%~amztgg.tmp` | 19
`%APPDATA%MicrosoftEqfikq` | 6
`%APPDATA%MicrosoftEqfikqeqfi.dll` | 6
`%APPDATA%MicrosoftEqfikqeqfik.exe` | 6
`%TEMP%~eqfik.tmp` | 6
`%APPDATA%MicrosoftIlgqylilgqy.exe` | 1
`%APPDATA%MicrosoftDuazxlbuduazxl.dll` | 1
`%APPDATA%MicrosoftDuazxlbuduazxlb.exe` | 1
`%APPDATA%MicrosoftJeofzejeof.dll` | 1
`%APPDATA%MicrosoftJeofzejeofz.exe` | 1
`%APPDATA%MicrosoftSsfsnsssfs.dll` | 1
`%APPDATA%MicrosoftSsfsnsssfsn.exe` | 1
`%APPDATA%MicrosoftDcpptfmacdcpptfm.dll` | 1
`%APPDATA%MicrosoftDcpptfmacdcpptfma.exe` | 1
`%APPDATA%MicrosoftTaozsataoz.dll` | 1
`%APPDATA%MicrosoftTaozsataozs.exe` | 1
`%APPDATA%MicrosoftEucofueuco.dll` | 1
`%APPDATA%MicrosoftEucofueucof.exe` | 1
`%APPDATA%MicrosoftGetniegetn.dll` | 1
`%APPDATA%MicrosoftGetniegetni.exe` | 1
`%APPDATA%MicrosoftXabzsenoaxabzsen.dll` | 1
`%APPDATA%MicrosoftXabzsenoaxabzseno.exe` | 1
See JSON for more IOCs
**File Hashes**

* `003c194a95c7849375590c48f1c5bc5fa23099976e09c997f29b22b367c1d3d2`
* `005055ca28d6866f033aff3753a1ef7c4064b5e094eaa663953407a9b19c6a71`
* `02b5f67a3eba31421dc595a7efed8e04834e9f0121c8bcd0186e99dba9781171`
* `087ddce345ea3ed2fed8d02dd466026c0fc0fa5aa7749b392683311fd97a80e2`
* `0e390dd0547334471c08c3b8b4e7ec3ad1d8fe4facabdb5df674af76c8e149d0`
* `10435b4efc8049d260d4b36673f7d656b9fa7163d00840acd0860175e2a79f47`
* `14a95d66f90495fcc278258097ed704aca265dd6bbb966903abe00dd7225cd11`
* `1dd13f0648a70754c883c6262c3633c19aeffa4e3558f0f16da78fc796a76cf1`
* `385f6390936d000f4d9db3e30b117ac382f70f4b7d1f3f4af06808e26683bf3d`
* `3afec20c013fca0abef646a7a6f0f5cdd3826541587cfd93c25033a35e588cb2`
* `3dede5abeacdabc758f70beef2984ac184bbec3112be97e891bb64abb2981373`
* `3f61be1a4bcb773c48a6dc7ed489838796a6b512bc14a517a667fb28a2a8e3ee`
* `401b399a3aa67d42306ce7291299b7f25a24345a980a7bd719c96a6834b9bf48`
* `52c90c5917cb1c6955f68c5b03e448b976ec3f1c258eb6039c5da399b2fd41db`
* `581d9e271871b1948191755bc99e2e9ec5346408f39613aec5c3b1e52d0449bd`
* `649e6217744762016fadb2f7f36a654c607ad160d136714946aa6e0478dc7a87`
* `673e3e8e62b09e39c161091ee70f046c038ba6f24f2a1da135af23bcc1701c20`
* `69c3c4ee664fc814ef070ae902ebaa305eda6ffd23a10e5b97afe49c1300ebff`
* `69d9d27ab1c802cd322c1b7795bda4de65cc7447982076f1e2d6873a8423d57f`
* `6aad36b27c188e73090f3b79352750489a1dce20f5396e63b2af3e998eba0f0a`
* `6e01014528a359c81851b2197a4656e13d87b15424dc961cc6d770e4d4c747ee`
* `76097734f64ce5ae9b008273431fa4c81e32b05a9b8586c39b80e68ee70d0a8a`
* `88cb1af973183aa93bf10d74440333b622206be6d0bd77322c6f8689f2cf24ec`
* `897b0a510174cbc4757982703e42a0c14c4bdba0e6bf77db5a6f94a3c2651f3a`
* `8ae8d944960e54c7a833875f71bdae6243e7fa380ae3fd8176b07cb7d7819508`
* See JSON for more IOCs

#### Coverage

[![](https://2.bp.blogspot.com/-jTB0CZDwsFQ/Wz-6aknWuhI/AAAAAAAAAbc/XPOsdG7hpfQpz9NPUVylIgNETUHICQ5OwCLcBGAs/s320/amp-email-threatgrid-cws-only.png)]()

#### Screenshots of Detection

**AMP**

[![](https://3.bp.blogspot.com/-yhOeY7f6r7Y/XMx8CgcawWI/AAAAAAAABrQ/EOdfwt0C3q8Y7UL5jYUTAGvV_cQeYtPlgCLcBGAs/s400/3dede5abeacdabc758f70beef2984ac184bbec3112be97e891bb64abb2981373_amp.png)]()

**ThreatGrid**

[![](https://4.bp.blogspot.com/-VzdGo7owf9g/XMx8GQfc78I/AAAAAAAABrU/EQZn4KpIT60mwHl6Pf7OaGeGW_7OrQ6NwCLcBGAs/s400/3dede5abeacdabc758f70beef2984ac184bbec3112be97e891bb64abb2981373_tg.png)]()

## Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

* **Kovter injection detected** (4469)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
* **Madshi injection detected** (3542)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
* **PowerShell file-less infection detected** (2488)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
* **Process hollowing detected** (541)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
* **Gamarue malware detected** (240)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
* **Dealply adware detected** (221)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
* **Suspicious PowerShell execution detected** (156)
A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
* **Installcore adware detected** (65)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
* **Atom Bombing code injection technique detected** (65)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
* **Excessively long PowerShell command detected** (57)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

![](https://feeds.feedburner.com/~r/feedburner/Talos/~4/7VneDOe8Dg0)Read More

References

Back to Main

Subscribe for the latest news: