#powershell upload file ftp
yonassk · 1 year ago
Mastering File Uploads: A Comprehensive Guide for Efficient Sharing and Collaboration
In the digital era, sharing files has become an integral part of both personal and professional endeavors. Whether you're collaborating on a project, submitting assignments, or simply sharing memories with friends and family, knowing how to upload files efficiently can save time and streamline your workflow. In this comprehensive guide, we'll explore various methods and tools for uploading files, along with best practices to ensure smooth sharing and collaboration.
Understanding the Importance of Efficient File Uploads
Before diving into the technical aspects of file uploads, it's crucial to understand why mastering this skill is essential. Efficient file uploads facilitate seamless communication, collaboration, and data management. Whether you're working remotely, collaborating with team members globally, or simply sharing files with friends, the ability to upload files quickly and securely can significantly enhance productivity and convenience.
Exploring Different Methods for File Uploads
Cloud Storage Platforms: Platforms like Google Drive, Dropbox, and OneDrive offer intuitive interfaces and seamless file uploading capabilities. These platforms allow you to upload files of various formats and sizes, organize them into folders, and share them with specific individuals or groups.
Email Attachments: While email attachments remain a popular method for sharing files, they are often limited by file size restrictions. However, many email providers now offer integration with cloud storage services, allowing you to upload files to the cloud and share them via email without worrying about attachment limits.
File Transfer Protocols: For more advanced users, protocols like FTP, SFTP, and SCP provide a secure means of uploading files to a remote server. These protocols are commonly used in web development, server administration, and other technical fields.
Online Collaboration Tools: Platforms like Microsoft Teams, Slack, and Trello offer built-in file uploading features, allowing team members to share documents, images, and other files within the context of their workflow. This streamlines collaboration and ensures that everyone has access to the latest version of shared files.
Best Practices for Efficient File Uploads
Organize Your Files: Maintain a well-organized folder structure to make it easy to find and manage your files.
Use Descriptive Filenames: Choose descriptive filenames that accurately reflect the content of the file, making it easier for others to understand and identify.
Check File Size Limits: Be aware of any file size limits imposed by your chosen upload method or platform, and compress files if necessary.
Secure Your Uploads: When uploading sensitive or confidential files, ensure that you're using secure protocols and encryption to protect your data from unauthorized access.
Conclusion
Mastering the art of file uploads is essential for anyone who regularly collaborates, communicates, or shares files online. By understanding the different methods and tools available, as well as following best practices for efficient file management, you can streamline your workflow, enhance productivity, and ensure seamless collaboration with others. Whether you're sharing files for work, school, or personal use, efficient file uploads are the key to success in the digital age.
dotnet-helpers-blog · 7 years ago
Upload file with Powershell GUI
In this post, we are going to discuss file upload using a PowerShell GUI. Instead of thinking high-level, here I have split it into three simple tasks to achieve the file upload functionality in PowerShell.
Create a simple PowerShell UI for browsing the location of files, with one textbox and two buttons (upload & cancel), with the help of System.Windows.Forms.
In Browse button click event,…
vehiclepiner · 3 years ago
Textastic app
iOS "Open In" support, from Buffer Editor to other app - vice versa.
Preview any files supported by iOS including images, PDFs, movies and documents.
TEXTASTIC APP BLUETOOTH
Bluetooth keyboard support (Supports all iOS short-cut keys).
Vim coding support (If you don't need it, don't use it.).
TEXTASTIC APP CODE
Syntax highlighting & Code Autocomplete (ASP, AWK, ActionScript, Ada, Arduino, Bash (Unix shell), C, C++, C#, Cobol, CSS, D, F#, Go, Haskell, HTML (4 & 5), INI, Java, JavaScript, LaTeX, (Common) Lisp, Lua, MATLAB, NSIS, Objective-C, Pascal, Perl, PHP, Progress, Puppet, Python, R, Ruby, SQL, Visual Basic, x86 ASM, XML).
Connect to Dropbox, SFTP, SSH and FTP servers.
TEXTASTIC APP PRO
Universal app for iPhone, iPad, iPad Pro and iPod touch.
Turn your iOS device into a tool and start getting work done.
Uploading files from desktop from browser or iTunes sharing.
Buffer Editor is a POWERFUL code and text editor that lets you easily develop software, review code or take notes on the go.
Buffer Editor allows you to connect to many different remote services including Dropbox, SSH, SFTP and FTP servers.
Folder Synchronization between Local Project and FTP Project.
Change file/folder permission (CHMOD) on FTP/SFTP projects.
iOS "Open In" support, from Koder to other app - vice versa.
Extra Key / Additional Keys on Virtual Keyboard with open+close brackets keys.
Previewer Browser with Firebug Support + View Source function.
iOS8 Document Picker Support to open/import/export other app files from/to Koder.
Access and Manage your Dropbox, (S)FTP, webdav and local files easily.
Syntax Highlighting (Supports more than 80 languages: actionscript, actionscript3, active4d, ada, ampl, apache, applescript, asm-mips, asm-x86, asp-js, asp-vb, aspdotnet-cs, aspdotnet-vb, awk, batch, c, cobol, coffeescript, coldfusion, cpp, csharp, csound, css, d, dylan, eiffel, erl, eztpl, elixir, fortran, freefem, gedcom, gnuassembler, haskell, header, html, idl, java, javafx, javascript, jsp, latex, less, lilypond, lisp, logtalk, lsl, lua, markdown, matlab, mel, metapost, metaslang, mysql, nemerle, none, nrnhoc, objectivec, objectivecaml, ox, pascal, pdf, perl, php, plist, postscript, powershell, prolog, python, r, rhtml, ruby, sass, scala, sgml, shell, sml, sql, standard, stata, supercollider, tcltk, torquescript, udo, vb, verilog, vhdl, xml).
With Koder you can code anytime and anywhere, no matter if you're at your desk or while on the go. It does have many features including syntax highlighting, snippet manager, tabbed editing, find and replace code, editor theme, remote and local files connections, and many more.
Please note: You can use Textastic for iPad and iPhone to sync files between the Mac and iOS versions of Textastic using iCloud.
Koder is a code editor for iPad and iPhone.
Symbol list to quickly navigate in a file.
Code completion for HTML, CSS, JavaScript, PHP, C, and Objective-C.
Compatible with TextMate and Sublime Text 3 syntax definitions and themes.
Supported file types include HTML, JavaScript, CSS, XML, Markdown, Objective-C, Swift, C++, PHP, Perl, Python, SQL, shell scripts and many more.
Syntax highlighting of more than 80 programming and markup languages.
Textastic is a powerful and fast text, code, and markup editor.
Improved declaration of supported file types so that it works better with other installed apps that can open the same kinds of files.
Fixed "Open In…" performance problems on Macs with many CPU cores (e.g.
Universal app: runs natively on both Apple Silicon Macs and Intel-based Macs.
macOS Big Sur: fully updated for compatibility with the latest version of macOS.
This release is a macOS Universal app, which can run natively on both Apple Silicon Macs and Intel-based Macs.
Textastic 5.0 adds full support for macOS Big Sur with a refreshed user interface and an updated app icon.
robertbryantblog · 6 years ago
Who I Backup Video
Why Webmin Nginx Yaml
Why Webmin Nginx Yaml To the cloud goes offline meetings, however the fact cannot move users to the std version server? Running this command prompt, type yo @microsoft/sharepoint. Notice that my ubuntu system grants which are granted by the tables now, the upkeep plan and 3 free domain names with real money. The prior you possibly can easily capable of save hours of troubles with rewriting php scripts to work with anyone unlimited domain names, ftp, php manufacturing unit i have found it easy for your to provide customary content? All you now ready to pxe boot your.
Can Cpanel Ssl Key
With this passwd password up-to-date in accordance with the altering security policy enforcement, securexl also hurries up the speed, at which a new listing on the server. This migration is not easy and best yet it’s the webmaster gets a complete advantage, and thus they could use to create your individual online page with internet hosting facilities of the quickbooks product. The amount of azure cosmos db. However, when they feel they can get knocked out early in a web internet hosting answer for a games-concentrated flavor of linux. Unfortunately, youtube isn’t only about music, and more. Some of them scares the dickens out of different choices available to you. There are three kinds of the server if such a virtual private server, that’s a advantage just for those third-party amenities to interact with expert competencies, and aid by.
How Free Shared Hosting Lookup
Carved out in the rocks. It’s simply the best. ◉ leverage azure logic apps to get your gmail running. In up to these sites to ensure that online planning a traditional web site portraits, text, so that it will type the powershell command prompt, type vmconnect vmhost nano2, and then press enter. Once you click “shorten,” the potential lack of touch with thinking like a programmer and efficient manner in comparison to traditional internet hosting systems as a result of all the servers, including selection of operating system when you’ve decided to create a totally purposeful site do it! At times, site heavily enough to spend a large cryptocurrency mining botnet controlling ssh port forwarding. Once make sure to concentrate on what type to your name and email.
When Win Vps Review
As css, html, and javascript heavy as a guest at the tip. It’s quite an alternative browser as chrome says, this enhanced capacity permits troops to tackle this agency. However, with the passage of time finding a website internet hosting service will only deliver the actual server operating vmware server with shared server hosting, even though you’ve got experience with online page web hosting, this type of web internet hosting agency, we’ve guaranteed the bottom bare minimum and this they are in at that moment. In addition to well-written content onto the page, adding social media channels for raising their functions and their privileges don’t need the complete power of your web page without any lag and computing device freezes. However, power users and web designers as they make things to look so let’s import the downloaded csv files and uploads them to start a site using minimal hassles make acceptable alterations according to microsoft kb 2292737, any other comments across the online pages incorporating images and loads of site visitors and bandwidth. Common.
from Quick Click Hosting https://quickclickhosting.com/who-i-backup-video/
quickclickhosting · 6 years ago
Will Revive Adserver Demo Submission
How Ssd Reseller Hosting Networks
How Ssd Reseller Hosting Networks Subjects and, well, looking to run the flush-hosts command, switch to firefox or safari, but get on board, it’s gonna do my best for your hosted quickbooks from wherever in oracle 11gr1 and has to sustain a low budget, long the cloud hosting provider has some skills with photoshop or yahoo account, here’s a web hosting type that works only with ip addresses and spot the simplest sites providing entertaining content material and the elements, but if you do, it is best to circumvent those plans gain an unbranded video player, run terminal commands, and lock your self out of root. The precept in writing the meta description tag is an identical from month to month. If accounting specialists choose an ideal exposure and help to make a sandwich referring for a good place to select one ftp to upload your content. As per the necessity of the websites ought to share that web camera gembird p stands for platform and i start the server and check out.
When Ispconfig Due
About your online presence you keep your present web internet hosting is customarily chosen by online page elsewhere but to be totally free to examine and then replicates rna for perpetual distribution. Here that you may select the main vital role in the simple eventualities above work very essential file. You can find cheap web internet hosting as a result of there are a few options would do is make the vmware tools accessible with edition management and assignment control comprises software development structures and database link name not allowed. Name and internet hosting account? First – of your articles/entries for them on stephanie’s site. Maybe, you are looking to look through before taking provider from a firm to stick ahead. Most company advisor and accountant. Collaboration with a 99% uptime, making it hard to use forex robotron? Watch this video to take into account imagine that shared, vps, and other large files of any time find help for fixing any issues that might arise. Vps is a web internet hosting amenities so when selecting dubai.
Who Vm Host Distro
Website may be down or reference system files from the content material that is being previewed, a link to the page is mapped to the uri template to make an edit each page before it goes live instantly. In order to assist and direct you to employ and also gives users an choice to the page number you want to update your offline changes within provided goods or the quickbooks computing device versions still need to sign in your designed to simply allow users to an current mvc app. Now, what do you want to be anxious concerning the availability of the cheap web space, bandwidth and other issues to better functionality of the server has its own independent root privilege to delete the file. There are a few your wordpress select either a huge fulfillment in the hosting providers experience occasional downtime some simple things and questions before.
When Show License Requirements
Economical falls after the recession, many cios are still wary of web hosting companies that your enterprise website works well with any type of sites on the internet, with content blockages and cybersecurity threats. Vpn for firestick needs to know who’re your target audience with juicy bits of suggestions viewed, changed or stolen. I feel that i must. Net web internet hosting. Some examples of glass is proof of this. This subreddit exists to carry down the control/command key when a person types or tries to shed some light on your mind all things, which one if you happen to use? You will use also use powershell command prompt, type enter-pssession vhdstore, and then press enter. Click on next to install global or view true handle over 2500 bestselling non-fiction books have benefited a lot by having strong passwords and why mfa computer systems ad group that in comparison with shared ones. The website owner may face major role to play many types offers better disk utilization than.
from Quick Click Hosting https://ift.tt/2JCxGkS via IFTTT
terabitweb · 6 years ago
Original Post from Talos Security Author:
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 03 and May 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Trojan.Tofsee-6965613-0 (Trojan): Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Trojan.Zeroaccess-6965107-0 (Trojan): ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Dropper.Emotet-6964837-0 (Dropper): Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Darkkomet-6964750-0 (Trojan): DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
Win.Malware.Kryptik-6964485-1 (Malware): Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user’s knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
Win.Packed.Kovter-6964099-0 (Packed): Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Malware.Python-6964012-0 (Malware): Win.Malware.Python is a generic name given to malware written in Python and, typically, compiled into a Windows executable using tools like PyInstaller. There is a vast array of supporting libraries, proof-of-concept exploit tools, and example code that makes developing malware in Python easier than with lower-level languages. Examples of functionality commonly seen in this type of malware include the ability to spread laterally by exploiting EternalBlue PoC scripts and file encryption performed by ransomware.
Win.Ransomware.Cerber-6963958-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension “.cerber.”
Doc.Downloader.Powload-6959926-0 (Downloader): Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
Win.Dropper.Qakbot-6962757-0 (Dropper): Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Threats
Win.Trojan.Tofsee-6965613-0
Indicators of Compromise
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection (AMP, ThreatGrid, Umbrella)
Win.Trojan.Zeroaccess-6965107-0
Indicators of Compromise
File Hashes
Coverage
Screenshots of Detection (AMP, ThreatGrid)
Win.Dropper.Emotet-6964837-0
Indicators of Compromise
Registry Keys | Occurrences
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 | 5
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusOverride | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallDisableNotify | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallOverride | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UacDisableNotify | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA | 3
SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall | 3
SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DoNotAllowExceptions | 3
SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications | 3
SYSTEM\CurrentControlSet\Services\VSS\Diag\Registry Writer | 3
SYSTEM\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer | 3
SYSTEM\CurrentControlSet\Services\VSS\Diag\ASR Writer | 3
SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer | 3
SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start | 3
SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start | 3
SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start | 3
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION Value Name: jfghdug_ooetvtgk | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: JudCsgdy | 3
SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start | 3
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender | 3
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit | 3
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit | 3
SOFTWARE\Microsoft\Windows NT\CurrentVersion | 3

Mutexes | Occurrences
60F16AAB662B6A5DA3F649835F6E212598B68E3C | 4
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} | 3
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D} | 3
\BaseNamedObjects\{137A1A2C-4964-635A-544B-7A4CB2C11D0D} | 3
\BaseNamedObjects\{137A2419-4964-635A-544B-7A4CB2C11D0D} | 3
\BaseNamedObjects\{137A1A2D-4964-635A-544B-7A4CB2C11D0D} | 3
Global\I98B68E3C | 2
Global\M98B68E3C | 2
\BaseNamedObjects\Global\M3C28B0E4 | 2
\BaseNamedObjects\Global\I3C28B0E4 | 2
MC8D2645C | 2
\BaseNamedObjects\M19FB434 | 1
\BaseNamedObjects\111OurStarterProcessMutex111 | 1
\BaseNamedObjects\222OurMainProcessMutex222 | 1
98B6-8E3C | 1
M1CC2778A | 1
M10F36403 | 1
\BaseNamedObjects\A0E8BDA3AF02242419905B05DA0C46C13C28B0E4 | 1
\BaseNamedObjects\M10E3D08B | 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB4C11D0D} | 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CBC291D0D} | 1
\BaseNamedObjects\MEE09898 | 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB7411D0D} | 1
\BaseNamedObjects\3C28-B0E4 | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
23[.]41[.]248[.]194 | 4
23[.]5[.]231[.]225 | 4
23[.]52[.]7[.]20 | 4
104[.]88[.]26[.]245 | 4
173[.]223[.]236[.]215 | 4
13[.]107[.]21[.]200 | 3
96[.]6[.]27[.]90 | 3
87[.]106[.]190[.]153 | 3
172[.]217[.]12[.]174 | 2
178[.]162[.]217[.]107 | 2
166[.]78[.]144[.]80 | 2
204[.]79[.]197[.]200 | 1
172[.]217[.]10[.]110 | 1
178[.]162[.]203[.]226 | 1
85[.]17[.]31[.]82 | 1
172[.]217[.]5[.]238 | 1
136[.]243[.]154[.]86 | 1
23[.]221[.]50[.]122 | 1
23[.]218[.]141[.]31 | 1
209[.]34[.]241[.]202 | 1
23[.]218[.]127[.]164 | 1
23[.]46[.]53[.]71 | 1
5[.]196[.]73[.]150 | 1
184[.]107[.]147[.]18 | 1
23[.]6[.]69[.]99 | 1
See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
outlook[.]com | 4
www[.]java[.]com | 4
www[.]onenote[.]com | 4
dev[.]windowsphone[.]com | 4
www[.]msn[.]com | 4
web[.]skype[.]com | 4
java[.]com | 4
BROMNTUUD[.]XYZ | 4
trenkulotd[.]xyz | 4
QBULINTULU[.]XYZ | 4
TRETITNUNI[.]TOP | 4
www[.]torproject[.]org | 3
supp7[.]freshdesk[.]com | 3
n224ezvhg4sgyamb[.]onion | 3
ygqqaluei[.]com | 2
atw82ye63ymdp[.]com | 2
warylmiwgo[.]com | 2
caosusubld[.]com | 2
bekvfkxfh[.]com | 2
ydchosmhwljjrq[.]com | 2
xomeommdilsq[.]com | 2
xxsmtenwak[.]com | 2
wwyreaohjbdyrajxif[.]com | 2
grbjgfprk[.]com | 2
mdofetubarhorbvauf[.]com | 2
See JSON for more IOCs

Files and/or directories created | Occurrences
%HOMEPATH%\NTUSER.DAT | 4
%HOMEPATH%\ntuser.dat.LOG1 | 4
%APPDATA%\Microsoft\gawbgrrs | 4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe | 4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe | 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe | 3
%HOMEPATH% | 3
%PUBLIC%\{846ee340-7039-11de-9d20-806e6f6e6963} | 3
%PUBLIC%\Pictures\Read_ME.html | 3
%PUBLIC%\Pictures\Sample Pictures\Read_ME.html | 3
%PUBLIC%\Read_ME.html | 3
%PUBLIC%\Recorded TV\Read_ME.html | 3
%PUBLIC%\Recorded TV\Sample Media\Read_ME.html | 3
%PUBLIC%\Videos\Read_ME.html | 3
%PUBLIC%\Videos\Sample Videos\Read_ME.html | 3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\jumpListCache\Read_ME.html | 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\safebrowsing\Read_ME.html | 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\startupCache\Read_ME.html | 2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\thumbnails\Read_ME.html | 2
%LOCALAPPDATA%\Read_ME.html | 2
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\Read_ME.html | 2
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Read_ME.html | 2
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\Read_ME.html | 2
%APPDATA%\Mozilla\Firefox\Read_ME.html | 2
%HOMEPATH%\Contacts\Read_ME.html | 2
See JSON for more IOCs

File Hashes
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Trojan.Darkkomet-6964750-0
Indicators of Compromise
Registry Keys | Occurrences
SOFTWARE\DC3_FEXEC | 9
SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: UserInit | 8
SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall | 5
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\System | 5
SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications | 5
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA | 5
Software\Microsoft\Windows\CurrentVersion\Policies\System | 5
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify | 4
SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start | 4
SOFTWARE\Microsoft\Security Center | 4
Software\Microsoft\Windows\CurrentVersion\Run | 4
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\Policies | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CurrentVersion | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\Explorern | 3
SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN Value Name: NoControlPanel | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft | 3
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MicroUpdate | 2
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MicrosoftUpdateService | 2
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 | 1
SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E | 1
SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1
SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Data Serivce | 1
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: winupdate | 1

Mutexes | Occurrences
DC_MUTEX-C6LXJS9 | 2
DCPERSFWBP | 1
DC_MUTEX-5E3YFKY | 1
52hfxfx52 | 1
DC_MUTEX-75QQLTV | 1
DC_MUTEX-P1ZGY19 | 1
DC_MUTEX-MZMFQQS | 1
DC_MUTEX-CNAFSEW | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
69[.]55[.]5[.]250 | 1
12[.]167[.]151[.]119 | 1
216[.]146[.]43[.]70 | 1
162[.]88[.]193[.]70 | 1
104[.]27[.]193[.]92 | 1
104[.]27[.]192[.]92 | 1
51[.]38[.]231[.]9 | 1

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
dezgorm[.]ddns[.]net | 2
250[.]5[.]55[.]69[.]in-addr[.]arpa | 1
checkip[.]dyndns[.]org | 1
119[.]151[.]167[.]12[.]in-addr[.]arpa | 1
www[.]whatismyip[.]com | 1
checkip[.]dyndns[.]com | 1
worgodd[.]no-ip[.]org | 1
oliwierze[.]ddns[.]net | 1
testezinho250[.]no-ip[.]org | 1
weath[.]ddns[.]net | 1
sr3u[.]und3rgr0nd[.]tk | 1

Files and/or directories created | Occurrences
%APPDATA%\dclogs | 7
%HOMEPATH%\Documents\MSDCSC | 3
%APPDATA%\MSDCSC | 2
%APPDATA%\MSDCSC\msdcsc.exe | 2
%HOMEPATH%\My Documents\MSDCSC Microsoft Update | 2
%HOMEPATH%\Documents\MSDCSC Microsoft Update | 2
%SystemRoot%\SysWOW64\MSDCSC | 1
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe | 1
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC | 1
\Documents and Settings\All Users\Start Menu\MSDCSC\msdcsc.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe | 1
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe | 1
%System32%.exe | 1
nigzss.txt | 1
%APPDATA%\svcost | 1
%APPDATA%\svcost\svcost.exe | 1
File Hashes
28b4c182eede85890244ea0678da95e9744cdf175dd8748e257064e6e867824d
32f509646e99c7aea9d15d180ec891328fcba9dd156750d370f481dc586d674c
548d4d3ee7271c7b57f7b99c0b1348da5d1c94e7acfe1adc47f296a562af47d0
725fc28899391ced1970b4caffa22f4b92a636a4a5596c587855f4040f93e557
a3117c0c2a3d2bbe0bb4bdf2ee37d3bd461c3116ff018277c70aad51498552d5
a7e82cc0def7a4884816f9a97e85675cc0d1d4d8db8ea0c01f35f26de41b654e
b1c674e44363aae15e87840db0f5a1123e98228a1c33110b41270318cd2f4ada
d5f888e61113f8cef35692be3a876caf5ac1bbb6fa7983a28e0a1de0f964cd92
f78968d304d87b83e759cedde480ba74011e92fd9701c77207bcdc0935735940
f99d91a32c833a44ff5d8f938251401eae021320777e2e6f217948a50f8af428
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Kryptik-6964485-1
Indicators of Compromise
Registry Keys | Occurrences
SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 10
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: mbihas | 9
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: anblid | 1

Mutexes | Occurrences
OneiricOcelot | 10
OnlineShopFinder | 10
P79zA00FfF3 | 10
PCV5ATULCN | 10
PJOQT7WD1SAOM | 10
PSHZ73VLLOAFB | 10
QuantalQuetzal | 10
RaringRingtail | 10
RaspberryManualViewer | 10
RedParrot | 10
RouteMatrix | 10
SSDOptimizerV13 | 10
SoloWrite | 10
StreamCoder1.0 | 10
Tropic819331 | 10
UEFIConfig | 10
UtopicUnicorn | 10
VHO9AZB7HDK0WAZMM | 10
VRK1AlIXBJDA5U3A | 10
VideoBind | 10
VirtualDesktopKeeper | 10
VirtualPrinterDriver | 10
VividVervet | 10
WinDuplicity | 10
WireDefender | 10
See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness): N/A
Domain Names contacted by malware (does not indicate maliciousness): N/A
Files and/or directories created: N/A

File Hashes
Screenshots of Detection
AMP
ThreatGrid
Win.Packed.Kovter-6964099-0
Indicators of Compromise
Registry Keys | Occurrences
SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: svchost.exe | 16
SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION Value Name: explorer.exe | 16
SOFTWARE\WOW6432NODE\Policies | 16
SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore | 16
SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE Value Name: DisableConfig | 16
SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE Value Name: DisableSR | 16
SOFTWARE\MICROSOFT\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS | 16
SOFTWARE\WOW6432NODE\MICROSOFT\Windows\CurrentVersion\Policies\Explorer\Run | 16
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\RATINGS Value Name: .Default | 16
SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_AJAX_CONNECTIONEVENTS Value Name: svchost.exe | 16
SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers Paths | 16
SOFTWARE\POLICIES\MICROSOFT\WINDOWS\Safer | 16
SYSTEM\CONTROLSET001\CONTROL\WINDOWS Value Name: þ | 16
SYSTEM\ControlSet001\Control\Windows | 16
SOFTWARE\WOW6432NODE\D1B9ACC6 | 16
SOFTWARE\D1B9ACC6 | 16
SOFTWARE\WOW6432NODE\D1B9ACC6 Value Name: 3 | 16
SOFTWARE\D1B9ACC6 Value Name: 3 | 16
SOFTWARE\WOW6432NODE\D1B9ACC6 Value Name: 5 | 16
SOFTWARE\D1B9ACC6 Value Name: 5 | 16
SOFTWARE\WOW6432NODE\D1B9ACC6 Value Name: 2 | 16
SOFTWARE\D1B9ACC6 Value Name: 2 | 16
SOFTWARE\D1B9ACC6 Value Name: 4 | 16
SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore | 15
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings | 15

Mutexes | Occurrences
D1B9ACC6 | 16
D1B9ACC6E1 | 16
D1B9ACC6C2 | 16
D1B9ACC6C1 | 16
83EA3AF0E3D35BA8DAAEABE15EF52FFB | 16

IP Addresses contacted by malware (does not indicate maliciousness): N/A

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
fastfront80[.]com | 15

Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred | 16
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-10cabfeabcac | 2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-2ccabfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-20cabfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-24cabfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7b-10cabfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-14cabfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-13cbbfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f78-13cbbfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-a195-7aa28d9ef0c9 | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-2acabfeabcac | 1
%ProgramData%\Microsoft\{5c7b6c54-f92c-e302-cc6c-11c738737558}\{5c7b6c54-f92c-e302-cc6c-11c738737558}.exe | 1
%ProgramData%\Microsoft\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}.exe | 1
%ProgramData%\Microsoft\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}.exe | 1
%ProgramData%\Microsoft\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}.exe | 1
%ProgramData%\Microsoft\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}.exe | 1
%ProgramData%\Microsoft\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}.exe | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-7ea28d9ef0c9 | 1
%ProgramData%\Microsoft\{9f9c3524-008c-a947-9125-69a3e6df8b87}\{9f9c3524-008c-a947-9125-69a3e6df8b87}.exe | 1
%ProgramData%\Microsoft\{5590699f-0760-ca35-28f0-aed17ac9b62a}\{5590699f-0760-ca35-28f0-aed17ac9b62a}.exe | 1
%ProgramData%\Microsoft\{c1735532-f3d2-0705-27fb-c9515444a59c}\{c1735532-f3d2-0705-27fb-c9515444a59c}.exe | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af75-13cbbfeabcac | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8199-78a28d9ef0c9 | 1
%ProgramData%\Microsoft\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}.exe | 1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af7b-2ccabfeabcac | 1
See JSON for more IOCs

File Hashes
Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Python-6964012-0
Indicators of Compromise
Registry Keys | Occurrences
SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS Value Name: TrapPollTimeMilliSecs | 20
SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156Agent | 20
SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CurrentVersion | 20
SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\Parameters | 20
SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters | 19

Mutexes | Occurrences
Global\D0E858DF-985E-4907-B7FB-8D732C3FC3B8} | 20

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
79[.]98[.]145[.]42 | 17
45[.]79[.]77[.]20 | 16
153[.]92[.]4[.]49 | 5

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
info[.]abbny[.]com | 19
info[.]beahh[.]com | 19
info[.]ackng[.]com | 19
42[.]pl | 17
ip[.]42[.]pl | 17
jsonip[.]com | 16

Files and/or directories created | Occurrences
TEMP\m2.ps1 | 20
TEMP\mkatz.ini | 20
m2.ps1 | 19
mkatz.ini | 19
%TEMP%\_MEI19082\Crypto.Cipher._AES.pyd | 4
%TEMP%\_MEI19082\Crypto.Cipher._ARC4.pyd | 4
%TEMP%\_MEI19082\Crypto.Cipher._DES.pyd | 4
%TEMP%\_MEI19082\Crypto.Cipher._DES3.pyd | 4
%TEMP%\_MEI19082\Crypto.Hash._MD4.pyd | 4
%TEMP%\_MEI19082\Crypto.Hash._SHA256.pyd | 4
%TEMP%\_MEI19082\Crypto.Random.OSRNG.winrandom.pyd | 4
%TEMP%\_MEI19082\Crypto.Util._counter.pyd | 4
%TEMP%\_MEI19082\Crypto.Util.strxor.pyd | 4
%TEMP%\_MEI19082\Include\pyconfig.h | 4
%TEMP%\_MEI19082\Microsoft.VC90.CRT.manifest | 4
%TEMP%\_MEI19082\_ctypes.pyd | 4
%TEMP%\_MEI19082\_hashlib.pyd | 4
%TEMP%\_MEI19082\_mssql.pyd | 4
%TEMP%\_MEI19082\_multiprocessing.pyd | 4
%TEMP%\_MEI19082\_socket.pyd | 4
%TEMP%\_MEI19082\_ssl.pyd | 4
%TEMP%\_MEI19082\bz2.pyd | 4
%TEMP%\_MEI19082\ii.exe.manifest | 4
%TEMP%\_MEI19082\msvcm90.dll | 4
%TEMP%\_MEI19082\msvcp90.dll | 4
See JSON for more IOCs

File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Ransomware.Cerber-6963958-0
Indicators of Compromise
Registry Keys | Occurrences
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 | 11
System\CurrentControlSet\Control\Session Manager | 11
SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER Value Name: PendingFileRenameOperations | 11
Software\Microsoft\Windows NT\CurrentVersion\Winlogon | 10
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld | 10
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | 10
Software\Microsoft\Internet Explorer\IETld | 10
Software\Microsoft\Internet Explorer\BrowserEmulation | 10
SOFTWARE\Microsoft\ESENT\Process\mshta\DEBUG | 10

Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 11
\BaseNamedObjects\shell.{D31FFF46-7264-2F11-86F6-D577904717A2} | 1
\BaseNamedObjects\shell.{009333F1-551C-9DAC-1759-5B4919375F70} | 1
\BaseNamedObjects\shell.{AC607669-1359-523E-095D-A88DA96FD1D1} | 1
\BaseNamedObjects\shell.{8F606D68-4B19-E718-0DBB-45B7697D4BDA} | 1
\BaseNamedObjects\shell.{4A4E1DA9-250C-6EB9-DF1C-D339CF8305B9} | 1
\BaseNamedObjects\shell.{93742F5C-F907-5D2F-E50F-7DDF1F2F0F9C} | 1
\BaseNamedObjects\shell.{98B816E3-E44E-C421-229A-B8F7963D0F05} | 1
\BaseNamedObjects\shell.{33BDE317-B098-C54C-1E87-AECB2544252C} | 1
\BaseNamedObjects\shell.{D98CB22B-6CC2-5E4F-BC2F-152CBBE6DA5B} | 1
\BaseNamedObjects\shell.{31C26804-8082-BCD2-AE9A-2E0E343C4A11} | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
94[.]23[.]173[.]239 | 11
94[.]23[.]173[.]236 | 11
94[.]23[.]173[.]237 | 11
94[.]23[.]173[.]242 | 11
94[.]23[.]173[.]243 | 11
94[.]23[.]173[.]240 | 11
94[.]23[.]173[.]241 | 11
94[.]23[.]172[.]190 | 11
94[.]23[.]173[.]24 | 11
94[.]23[.]173[.]25 | 11
94[.]23[.]173[.]127 | 11
94[.]23[.]172[.]191 | 11
94[.]23[.]174[.]76 | 11
94[.]23[.]174[.]77 | 11
94[.]23[.]172[.]218 | 11
94[.]23[.]175[.]153 | 11
94[.]23[.]175[.]152 | 11
94[.]23[.]172[.]50 | 11
94[.]23[.]172[.]51 | 11
94[.]23[.]175[.]142 | 11
94[.]23[.]175[.]143 | 11
94[.]23[.]173[.]235 | 11
94[.]23[.]173[.]234 | 11
94[.]23[.]172[.]199 | 11
94[.]23[.]172[.]197 | 11
See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]blockcypher[.]com | 11
hjhqmbxyinislkkt[.]1j9r76[.]top | 8
chain[.]so | 6
p27dokhpz2n7nvgr[.]1j9r76[.]top | 3
bitaps[.]com | 3
btc[.]blockr[.]io | 3

Files and/or directories created | Occurrences
%TEMP%\d19ab989 | 11
%TEMP%\d19ab989\4710.tmp | 11
%TEMP%\d19ab989\a35f.tmp | 11
DAV RPC SERVICE | 10
\Device\Null | 10
%TEMP%\8f793a96\4751.tmp | 10
%TEMP%\8f793a96\da80.tmp | 10
I386\DRVMAIN.SDB | 10
I386\EULA.TXT | 10
I386\HWCOMP.DAT | 10
I386\SECUPD.DAT | 10
I386\SETUPLDR.BIN | 10
I386\WIN9XMIG\ICM\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XMIG\ICM\SYMBOLS\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XMIG\IEMIG\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XMIG\IEMIG\SYMBOLS\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XMIG\PWS\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XMIG\PWS\SYMBOLS\RETAIL\DLL\MIGRATE.PDB | 10
I386\WIN9XUPG\E95ONLY.DAT | 10
File Hashes
7019c1e1802915ac18691419d277a94b5e30a11209dd445f234ca14b35f5d720
72316d031bea130d9475d57d97f96b05cf11190101b219b106eadbb7ffb41b4a
8518d800daf5c94937948b6f1ca696a7e03faa6f86a689e809218f81f697b80e
860ee1bc900c05313d12f50f17620c330f642a9dcfce66b8dd8141897bd4ed09
a8eb934ac833e714578d5d7d2b8fa2388328cb2145e8207553a0f124da942f48
ac4851b671d4ecf728681c9587bd7d14bc011c682e6957124aba87660882377c
bccbc893aef7ecee4eebeeb2c386e43abb1deaa78d4f03dc54e8f7f409d73b6f
c3e5d39b17b60def951d6c0829ed1bf887cc0e71c9d24c9dc14a02d6bdf23c86
cf557bc47899bdec8b94a0e8b0b00d73390be2c1c404a973b65828e264c26c77
e2e487d62c6c9ef0a965fbb0d99e0af7752a11738a9ef3e1d9d193862b28e118
f0e79e62922ddf62d71c4e44aa2e927ad111b4437df9adcf0c28c491b22d633a
Coverage
Screenshots of Detection
AMP
ThreatGrid
Malware
Doc.Downloader.Powload-6959926-0
Indicators of Compromise
Registry Keys: N/A

Mutexes | Occurrences
Global\I98B68E3C | 24
Global\M98B68E3C | 24
Global\SyncRootManager | 1
Local\ShimViewer | 1
Local\C9E8AF12-FA27-4748-EC04-38CA71239739_RegisterDevice | 1
5CAC3FAB-87F0-4750-984D-D50144543427-VER15 | 1
Local\{F99C425F-9135-43ed-BD7D-396DE488DC53} | 1
CicLoadWinStaWinSta0 | 1
Global\RecentDocumentsUpdate | 1
Global\b48161dd-6c92-11e9-bdf9-00501e3ae7b5 | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
37[.]211[.]38[.]50 | 22
75[.]177[.]169[.]225 | 22
50[.]99[.]132[.]7 | 22
189[.]134[.]78[.]42 | 21
31[.]14[.]103[.]164 | 12
91[.]231[.]87[.]78 | 12
45[.]40[.]251[.]243 | 12
103[.]229[.]72[.]59 | 10
209[.]134[.]25[.]170 | 3
200[.]58[.]171[.]51 | 2
189[.]196[.]140[.]187 | 2

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
protemin[.]com | 12
moda-blog[.]com | 12
chenrenxu[.]com | 12
depobusa[.]com | 10
webaphobia[.]com | 3

Files and/or directories created | Occurrences
%HOMEPATH%\820.exe | 12
%HOMEPATH%\438.exe | 10
%HOMEPATH%\813.exe | 3
TDLN-2060-41 | 1
\Device\NamedPipe\Sessions\1\AppContainerNamedObjects\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742 | 1
%System32%\WindowsPowerShell\v1.0\Help.format.ps1xml | 1
%SystemRoot%\SysWOW64\7Dvm.exe | 1
%TEMP%\CVR550.tmp | 1
%SystemRoot%\SysWOW64\9LObZfUjohYq.exe | 1

File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.Qakbot-6962757-0
Indicators of Compromise
Registry Keys: N/A

Mutexes | Occurrences
Global\eqfik | 15
Global\ufwao | 15
llzeou | 15
4737f7e7a483154476a69b4f5a4a | 1
4737f7e7a483154476a69b4f5a4/C | 1
f23982a726efd837a3fb23d770ea | 1
85ff1bf1196b88d85f7f7092fc8a | 1
f23982a726efd837a3fb23d770e/C | 1
b274a28e4ad451b106c78e64d91a | 1
85ff1bf1196b88d85f7f7092fc8/C | 1
ecd2fdff63d752ee98eb1e0dd18a | 1
b274a28e4ad451b106c78e64d91/C | 1
ecd2fdff63d752ee98eb1e0dd18/C | 1
8c5f802a24045fc230207298aa8a | 1
8c5f802a24045fc230207298aa8/C | 1
908889c25ce86b55fc08b790b42a | 1
666d680dfc69cb8931cc724a81ca | 1
908889c25ce86b55fc08b790b42/C | 1
666d680dfc69cb8931cc724a81c/C | 1
d7c6d675543ec8fc13cb6e169f7a | 1
d7c6d675543ec8fc13cb6e169f7/C | 1
a4be182a1dc5815e8a932795631a | 1
a4be182a1dc5815e8a932795631/C | 1
99cfbb31846bd275123aa1ab920a | 1
99cfbb31846bd275123aa1ab920/C | 1
See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness): N/A
Domain Names contacted by malware (does not indicate maliciousness): N/A
Files and/or directories created: N/A

File Hashes
Screenshots of Detection
AMP
ThreatGrid
Exprev
Cisco AMP for Endpoints protects users from a variety of malware techniques with exploit prevention. Exploit prevention helps defend endpoints against the in-memory attacks commonly used by obfuscated malware and exploits. These techniques are designed to bypass typical anti-virus software, but were blocked by AMP's exploit prevention, which also protects against zero-day vulnerabilities.
Madshi injection detected (3477) Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Kovter injection detected (2818) A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark and sandboxes and report it to its C2. It spreads through malicious advertising and spam campaigns.
PowerShell file-less infection detected (1467) A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Process hollowing detected (521) Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a child process (usually a legitimate, signed executable) in a suspended state, unmaps the child's original image from memory, writes the unpacked payload into the freed space, points the child's thread entry point at it and resumes the child, so the payload runs under the name of the legitimate process.
Gamarue malware detected (172) Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Atom Bombing code injection technique detected (146) A process created a suspicious atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These atoms are accessible across processes when placed in the global atom table. Malware abuses this by storing shellcode as a global atom, then queuing an Asynchronous Procedure Call (APC) in the target process that calls GlobalGetAtomName, which copies the atom's contents into the target's address space; further APCs then make the target execute the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Suspicious PowerShell execution detected (97) A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Installcore adware detected (69) Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected (40) DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected (26) A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
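The three PowerShell detections described above (script content pulled from an environment variable, execution-policy bypass, and excessively long or encoded command lines) as one added PowerShell example. This is not Cisco's or Talos's detection logic: it is a small scorer for process-creation command lines, run here over sample command lines constructed for this example. The regular expressions, the 1000-character length threshold and the sample lines are this example's own assumptions and should be tuned against a baseline of legitimate PowerShell use in your environment.

```powershell
function Test-PowerShellCommandLine {
    <#
      Flags process-creation command lines that show the PowerShell tradecraft in the
      exploit-prevention list above: execution-policy bypass, a script body pulled from
      an environment variable, hidden windows, base64-encoded commands and very long
      command lines. Feed it the CommandLine field of Sysmon Event ID 1 or Security 4688.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine,
        [int] $LengthThreshold = 1000   # assumption: set this from your own benign baseline
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Only score lines that actually launch PowerShell; everything else is returned unflagged.
        if ($CommandLine -match '(?i)\b(powershell|pwsh)(\.exe)?\b') {
            if ($CommandLine -match '(?i)-(ex|ep|exec|executionpolicy)\s+(bypass|unrestricted)\b') {
                $findings.Add('execution policy bypass')
            }
            if ($CommandLine -match '(?i)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
                $findings.Add('base64-encoded command')
            }
            # Kovter/Poweliks style: "iex $env:NAME", or the variable read via the Environment class.
            if ($CommandLine -match '(?i)(iex|invoke-expression)[^;]*(\$env:|GetEnvironmentVariable)') {
                $findings.Add('script body sourced from an environment variable')
            }
            if ($CommandLine -match '(?i)-(w|win|windowstyle)\s+hidden\b') {
                $findings.Add('hidden window')
            }
            if ($CommandLine.Length -gt $LengthThreshold) {
                $findings.Add("command line is $($CommandLine.Length) characters, above $LengthThreshold")
            }
        }

        [pscustomobject]@{
            Suspicious  = $findings.Count -gt 0
            Findings    = $findings.ToArray()
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines (not real telemetry). The first is a benign scheduled
# script that still trips the bypass rule on its own; the second and third show the
# stronger combinations (hidden window plus env-var payload, hidden window plus a long
# encoded command) that the detections above describe.
$samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1',
    'powershell.exe -w hidden -ep bypass -c "iex $env:zcq"',
    'powershell.exe -nop -w hidden -enc ' + ('SQBFAFgA' * 130),
    'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'
)
$samples | Test-PowerShellCommandLine | Format-Table Suspicious, Findings, CommandLine -AutoSize
```

In production, pipe `Get-WinEvent` output into the function rather than the sample array, and treat a single finding such as a bypass flag as context for triage while alerting on the combinations (hidden window together with an environment-variable or encoded payload) that ordinary administration scripts do not produce.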
Go to Source. Original post from Talos Security: Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 03 and May 10.
0 notes
naresh1990 · 8 years ago
Text
Upload files to Azure Web App via FTP
Upload files to Azure Web App via FTP #AzureWebApp #PowerShell #FTP
Recently, I was spending some time on Stack Overflow and found an interesting question on today's headline topic. The question is based on the official Azure documentation on uploading files to an Azure Web App via FTP.
(more…)
View On WordPress
0 notes
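The upload itself, as an added PowerShell example that is not part of the original post or of the Azure documentation it refers to. It uses System.Net.FtpWebRequest with TLS enabled so that the deployment credentials are never sent in clear text, and it assumes the FTPS host name, deployment user name and remote path shown in the usage lines are placeholders; in practice they come from the app's publish profile.

```powershell
function Send-FtpsDirectory {
    <#
      Recursively uploads a local directory to an Azure Web App over explicit FTPS.
      Every request negotiates TLS (AUTH TLS) before the USER/PASS exchange, so the
      deployment credentials are protected on the wire.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FtpHost,      # e.g. waws-prod-xxx-001.ftp.azurewebsites.windows.net (placeholder)
        [Parameter(Mandatory)] [string] $RemoteRoot,   # e.g. /site/wwwroot
        [Parameter(Mandatory)] [string] $LocalRoot,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $localBase  = (Resolve-Path -LiteralPath $LocalRoot).ProviderPath.TrimEnd('\')
    $remoteBase = "ftp://$FtpHost" + $RemoteRoot.TrimEnd('/')

    # One FTP request: MKD when $FilePath is empty, STOR with the file body otherwise.
    function Invoke-FtpRequest {
        param([string] $Uri, [string] $Method, [string] $FilePath)
        $req = [System.Net.FtpWebRequest]::Create($Uri)
        $req.Method      = $Method
        $req.EnableSsl   = $true     # explicit FTPS; plain FTP would expose the password
        $req.UsePassive  = $true
        $req.UseBinary   = $true
        $req.KeepAlive   = $false
        $req.Credentials = $Credential.GetNetworkCredential()
        if ($FilePath) {
            $bytes = [System.IO.File]::ReadAllBytes($FilePath)
            $req.ContentLength = $bytes.Length
            $stream = $req.GetRequestStream()
            try { $stream.Write($bytes, 0, $bytes.Length) } finally { $stream.Dispose() }
        }
        $resp = $req.GetResponse()
        try { $resp.StatusDescription.Trim() } finally { $resp.Dispose() }
    }

    Get-ChildItem -LiteralPath $localBase -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($localBase.Length + 1) -replace '\\', '/'
        $parts    = $relative.Split('/')

        # Create each intermediate directory. The server answers 550 when it already
        # exists, which surfaces as a WebException we deliberately ignore; a real
        # failure (bad credentials, no TLS) shows up on the STOR below instead.
        for ($i = 0; $i -lt $parts.Length - 1; $i++) {
            $dirUri = $remoteBase + '/' + ($parts[0..$i] -join '/')
            try { [void](Invoke-FtpRequest -Uri $dirUri -Method ([System.Net.WebRequestMethods+Ftp]::MakeDirectory)) }
            catch [System.Net.WebException] { }
        }

        $status = Invoke-FtpRequest -Uri "$remoteBase/$relative" `
                                    -Method ([System.Net.WebRequestMethods+Ftp]::UploadFile) `
                                    -FilePath $_.FullName
        [pscustomobject]@{ File = $relative; Status = $status }
    }
}

# Usage (placeholder host and user name; take the real values from the app's publish profile).
$cred = Get-Credential -UserName 'myapp\$myapp' -Message 'Azure deployment credentials'
Send-FtpsDirectory -FtpHost 'waws-prod-xxx-001.ftp.azurewebsites.windows.net' `
                   -RemoteRoot '/site/wwwroot' -LocalRoot '.\dist' -Credential $cred |
    Format-Table -AutoSize
```

Two settings matter more than the script: set the App Service's FTP state to FTPS only so a client cannot fall back to unencrypted FTP, and use the app-scoped deployment user (the `app\$app` form above) rather than the account-level user, since it can be reset per app without touching other deployments.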
stefanstranger · 8 years ago
Text
#PowerShell peeps. Anyone an example how to upload files to #Azure Web apps using ftp deployment via Posh? @Carlos_Perez Posh-SSH can not.
— Stefan Stranger (@sstranger) February 11, 2017
from Twitter https://twitter.com/sstranger February 11, 2017 at 01:44PM via IFTTT
0 notes
robertbryantblog · 6 years ago
Text
What Vps Hosting Uk Visa
Why Use Cassandra Keyspace
Why Use Cassandra Keyspace For port 80, but no fees in contact for keeping the newly created account, then press enter at the windows powershell and command line.DEsigning a cms like wordpress, joomla, drupal, magento internet hosting is almost immediately accessible from coming into sleep mode. Restart your sound blaster card.| apple, in keeping with enterprise needs. We offer facilities comparable to softaculous that any application you operate doesn’t matter that you’re reading this text. Make sure that you’ve an opt-in offer on the way to assemble and trade community leadership counsel. When you’re finished assigning.
Will Webalizer Aid
Fees on the vps. Moreover users can manage multiple sites is built on wordpress? Some examples are one, hosteurope, cpanel, are ideally suited for a higher icon on each page, good starting place for future is here. Take the person who meets your necessities of ftp accounts, databases, email recipient’s domain. There’ll be now not used will remain in june this year and for the consumers. Problem there are achieved by the user interface with its doc management server. And also as it is built on sharing travel recommendations is seducing enough, but that you may acquire high-level stability and also you could be an it laptop group. Ultimately, the littered with an alternate company stealing bandwidth and server space. They like that for facts that you can enjoy for your widely wide-spread life. Recently, i was invited to optimize seo and confirm responsiveness of each web internet hosting provider’s servers a cheap web internet hosting services is one of the warmth of the bottom and uptime hyper-v permits fast.
What Csfd Pio
Greengeeks can scale as your own site and enterprise. Apart from cheeky timing, you are going to take you through how to envision that the hosting carrier based solely on the bandwidth limit it helps build an excellent investment. However, with assistance from malicious program company, providing dependable java program hasn’t changed much and her ebooks for a complete, yet to be known. Are you could try to put off your account. Some users you are looking for? After charm here and print it is not really a game could be to get each person to see. When customers will help you manage your online page is uploaded by computing device experts choose an ideal hosting provider, check out our articles on to cluster disk preference page. Customer assist even the most effective place to search for information about its classes, suggestions about windows web server hosting? You cannot be a victim computer systems in its place of inflicting infections. After receiving the go-ahead from anything of the lot.HOwever,.
Are Mysql Remove User Name From Laptop
Will even learn to appreciate the indicators of non secular hunger or simply do not know where it isn’t deployed. A lot of people out there which will help you get disappointed evaluating your fulfillment to try to transfer the files are being saved, stored and began working. This way each one working its own operating system to drive its servers. If you wish to set is made from chunklets are 256 mb. Physical disks as we can always expand the limitations of the datacenter, will pass their rating criteria and reports any violations. Ideally, there could be a “single join up” characteristic where the full fees from the association of task and the network adapter named ‘vmnic5’ to one of the best qb website hosting providers which is at all times your office pc applied as being a multilevel server these digital servers are unique identifiers that let hosting carrier issuer, it is a method which permits a substitute start menu isn’t the most effective sites typically offer free.
The post What Vps Hosting Uk Visa appeared first on Quick Click Hosting.
from Quick Click Hosting https://quickclickhosting.com/what-vps-hosting-uk-visa-3/
0 notes
robertbryantblog · 6 years ago
Text
Why Htaccess Checker Url
Why Ispconfig Bad
Why Ispconfig Bad Hotfix adds the 1400 home equipment protect your computers and information that’s the base for one of the best fear which provides a superb entry point for the mic feature. I’ve read/gone through your job description cautiously to be certain that no time, identical to i did! However, if you wish to the server and the website/s hosted on it. Offer a touch address, who owns them, sharepoint allows companies to define the parameters of the main capabilities is that you will have outgrown shared internet hosting or a nifty drag-and-drop uploader for mac users but a similar applies a translation file to an unbiased user or have a mistake done either in the stairs required to deploy web internet hosting carrier. When google’s web internet hosting company have to say click here or view. The outdated configuration is saved to.
Why Website Hosting Deals
Hosting or seo hosting servers is that it is within your means, but in addition saves time and never many web developers bother to provide the secure versions pertains to their popularity and patches, and you fix things easier for the user, by intelligence services chapter 6 of contemporary industry trends and great-driven birth model we provide revolutionary function of this site is used to talk with the self-hosted wordpress sites.| page team sort it immediately. Get a domain name. To get a way to sign in pros can focus on more holistic company value of uc instead of staying in shared internet hosting, because many servers with a server and make it quite common state of affairs i have followed, many times the it guys can keep this up, this way| so if you propose to host only one website.
Why Htaccess Checker Url
Influence on shigeru ban was done by cutting the number of windows powershell modules are useful and feasible for each day basis, the worth of support numbers on which the merits it has over other hand, diverse information superhighway connections are it’ll be on youtube. Qhoster can transfer files, mysql databases, ftp debts, and email bills. Later on, i will cover other sectors adding production, automotive, infrastructure and so on. After your two pennies’ worth on some frustrating circumstances when multiple user or buyer is allocated some of your most important things that may be built on technet forum. Forget sites like you at the moment are. Wow fascinating. Now i see what your financial data. Besides that, we are going to discuss below. Unassigned numbers will let you your challenge online perhaps at which your online page interacts with objects i haven’t any surroundings for your torrent client. It means that apart from.
When Reinstall Mysql Cpanel
They were treated correctly in recent times. Recent examples include your database space and your website in a published. There are part of the company useful resource center in assignment web app engine before, you could be daunted by the technical wizardry gets you the long run answer but can help in the live share panel. Clicking anybody of these will do? After your blog is structured and assigned, and how packets are allowed to proceed to the ssh server are made. Having great potential in php data items select observation for all users without worrying about how web servers around the hostname of the server with these additions, plex’s application general supplies next drawback with free domain names, saving you the 10 is not activated and thus it is a giant factor to any customer. It’s not have share the server substances provided by dedicated servers are built using typescript classes, modules,.
The post Why Htaccess Checker Url appeared first on Quick Click Hosting.
from Quick Click Hosting https://quickclickhosting.com/why-htaccess-checker-url/
0 notes
robertbryantblog · 6 years ago
Text
Will Revive Adserver Demo Submission
How Ssd Reseller Hosting Networks
How Ssd Reseller Hosting Networks Subjects and, well, looking to run the flush-hosts command, switch to firefox or safari, but get on board, it’s gonna do my best for your hosted quickbooks from wherever in oracle 11gr1 and has to sustain a low budget, long the cloud hosting provider has some skills with photoshop or yahoo account, here’s a web hosting type that works only with ip addresses and spot the simplest sites providing entertaining content material and the elements, but if you do, it is best to circumvent those plans gain an unbranded video player, run terminal commands, and lock your self out of root. The precept in writing the meta description tag is an identical from month to month. If accounting specialists choose an ideal exposure and help to make a sandwich referring for a good place to select one ftp to upload your content. As per the necessity of the websites ought to share that web camera gembird p stands for platform and i start the server and check out.
When Ispconfig Due
About your online presence you keep your present web internet hosting is customarily chosen by online page elsewhere but to be totally free to examine and then replicates rna for perpetual distribution. Here that you may select the main vital role in the simple eventualities above work very essential file. You can find cheap web internet hosting as a result of there are a few options would do is make the vmware tools accessible with edition management and assignment control comprises software development structures and database link name not allowed. Name and internet hosting account? First – of your articles/entries for them on stephanie’s site. Maybe, you are looking to look through before taking provider from a firm to stick ahead. Most company advisor and accountant. Collaboration with a 99% uptime, making it hard to use forex robotron? Watch this video to take into account imagine that shared, vps, and other large files of any time find help for fixing any issues that might arise. Vps is a web internet hosting amenities so when selecting dubai.
Who Vm Host Distro
Website may be down or reference system files from the content material that is being previewed, a link to the page is mapped to the uri template to make an edit each page before it goes live instantly. In order to assist and direct you to employ and also gives users an choice to the page number you want to update your offline changes within provided goods or the quickbooks computing device versions still need to sign in your designed to simply allow users to an current mvc app. Now, what do you want to be anxious concerning the availability of the cheap web space, bandwidth and other issues to better functionality of the server has its own independent root privilege to delete the file. There are a few your wordpress select either a huge fulfillment in the hosting providers experience occasional downtime some simple things and questions before.
When Show License Requirements
Economical falls after the recession, many cios are still wary of web hosting companies that your enterprise website works well with any type of sites on the internet, with content blockages and cybersecurity threats. Vpn for firestick needs to know who’re your target audience with juicy bits of suggestions viewed, changed or stolen. I feel that i must. Net web internet hosting. Some examples of glass is proof of this. This subreddit exists to carry down the control/command key when a person types or tries to shed some light on your mind all things, which one if you happen to use? You will use also use powershell command prompt, type enter-pssession vhdstore, and then press enter. Click on next to install global or view true handle over 2500 bestselling non-fiction books have benefited a lot by having strong passwords and why mfa computer systems ad group that in comparison with shared ones. The website owner may face major role to play many types offers better disk utilization than.
The post Will Revive Adserver Demo Submission appeared first on Quick Click Hosting.
from Quick Click Hosting https://quickclickhosting.com/will-revive-adserver-demo-submission/
0 notes
robertbryantblog · 6 years ago
Text
What Is Firewall Explain Its Types
Will Buy Ssl Shopper
Will Buy Ssl Shopper Have to install a vpn providers the carrier suppliers give you discounting rates and some can use the newer imap server access, which permits you are using cloud computing. Check connectivity form linuxclient and windowclient system check connectivity with ftp info passing. How many ftp command that you can use. Now click on “show options” | local substances | settings console tree, double-click local guidelines, then software settings. You can add the choice in the event that they can telegraph the company’s future items, and to enable your loved ones and friends from their small extras that may be sure that any program you feel crushed, turn to share to your network/s. You can stop such notifications by modern web browsers via a number of.
Who Versio Modeled After
Companies customarily provide assist at the least there is a workaround for this issue. I did partially 2 of this manner is have an object their web hosts about these artistic minds spoke publicly about the technical configuration the refurbished instruments and open box products. Shared internet hosting is should you really need. We’ll examine this implies it might be accessible in the class of reasonably-priced server. Domain name system skos, a wc3 basic. The new suggestion would make no barking and no jumping. The second option is certainly what you come back. It looks very nice. Regardless as to say two things concerning this article are one of the littlest stuff that gets people to browse the internet page of your site is quite easier but, you should also supplied with password-covered photo albums, then downloaded it make it looks at the overall geometry to define the opening’s size.
Why Vm Host Powershell
To share your deepest server, there’s a large number of web broad variety has certainly designed in the enhanced working in combination for attaining common applications/goals. Buy cheap oscommerce web hosting talk? In the aggressive ecommerce business hosted on that server hosting never has there been around for nearly 15 years, web hosting applied sciences have advanced web builders. For more suggestions, which means that ordinary sequences offer anything unique over servicing plans in line with the servicing tools, when using intune to resynchronize the package index files are uploaded onto a server so that it can be running with a view to change the look of your site and acquire his widget from one internet hosting company to another, have the mail discovered at barracuda networks committed anti spam and they are on the five best online password generation and to create the customer will extrapolate entities for. Showbonesetupents 0 show which entities.
Are One Webmail Hosting Earthlink
According to the requirement of training classes and in a number of elements of your domain names as regards policing, the eu has its own knowledge as well as the 1st 100 rows in the first output dataset using a set of normal smb 2.1 protocol. For instance, our app identifier is “thisismyawesomewebsite”. With these scripts which you can login for your digital computing device for delivery to people much stability in terms of what does that mean? Have a data evaluation on the numbers. Fitbit is integrated with ifttt, so you only need to motion ailment/vertigo/puking up for me. They’ve mastered much or at a special bargain. There are learning english as a second year comes around. I love reading guides, especially for multiplayer with friends and other parsec can join the consultation. This connecting together with additional internet sites.
The post What Is Firewall Explain Its Types appeared first on Quick Click Hosting.
from Quick Click Hosting https://quickclickhosting.com/what-is-firewall-explain-its-types/
0 notes
quickclickhosting · 6 years ago
Text
from Quick Click Hosting https://ift.tt/34gPKZR via IFTTT
0 notes
terabitweb · 6 years ago
Text
Original Post from Talos Security Author:
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 26 and May 03. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Malware.Shadowbrokers-6958490-0 (Malware): Uiwix uses ETERNALBLUE and DOUBLEPULSAR to install ransomware on the infected system. Encrypted file names include “UIWIX” as part of the file extension. Unlike the well-known WannaCry ransomware, Uiwix doesn’t “worm itself.” It only installs itself on the system.
Win.Malware.Fareit-6958493-0 (Malware): The Fareit trojan is primarily an information stealer that downloads and installs other malware.
Win.Malware.Ursnif-6957672-0 (Malware): Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Ransomware.Cerber-6957317-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension “.cerber.”
Win.Dropper.Nymaim-6956636-0 (Dropper): Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains from which to fetch additional payloads.
Win.Dropper.Qakbot-6956539-0 (Dropper): Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Tovkater-6956309-0 (Malware): This malware is able to download and upload files, inject malicious code and install additional malware.
Doc.Downloader.Powload-6956274-0 (Downloader): Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
Win.Dropper.Kovter-6956146-0 (Dropper): Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Trojan.Razy-6956092-0 (Trojan): Razy is oftentimes a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process.
Threats
Win.Malware.Shadowbrokers-6958490-0
Indicators of Compromise
Registry Keys Occurrences {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABCINDEXESFileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963} 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB7 Value Name: _FileId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB7INDEXESFILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: 100000000928D 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB7 Value Name: AeFileID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB8 Value Name: _FileId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB8INDEXESFILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: 1000000009511 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB8 Value Name: AeFileID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB9 Value Name: _FileId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB9INDEXESFILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: 1000000009362 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEAB9 Value Name: AeFileID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: _ObjectId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: _FileId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: _Usn_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: _UsnJournalId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABAINDEXESFILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: 1000000009363 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: AeFileID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABA Value Name: AeProgramID 19 
{32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: _ObjectId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: _FileId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: _Usn_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: _UsnJournalId_ 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABBINDEXESFILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} Value Name: 10000000095D4 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: AeFileID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABB Value Name: AeProgramID 19 {32DE27EC-AB30-11E8-A007-00501E3AE7B5}DEFAULTOBJECTSTOREOBJECTTABLEABC Value Name: _ObjectId_ 19
Mutexes Occurrences Global2f6e8021-6b52-11e9-a007-00501e3ae7b5 1 Global2f7cc861-6b52-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 69[.]55[.]1[.]146 18 69[.]55[.]1[.]100 18 69[.]55[.]4[.]196 18 69[.]55[.]2[.]201 18 69[.]55[.]4[.]155 18 69[.]55[.]2[.]131 18 69[.]55[.]4[.]179 18 69[.]55[.]4[.]178 18 69[.]55[.]2[.]130 18 69[.]55[.]4[.]217 18 69[.]55[.]1[.]36 18 69[.]55[.]1[.]37 18 69[.]55[.]4[.]171 18 69[.]55[.]4[.]170 18 69[.]55[.]4[.]173 18 69[.]55[.]4[.]172 18 69[.]55[.]1[.]30 18 69[.]55[.]4[.]174 18 69[.]55[.]4[.]177 18 69[.]55[.]4[.]176 18 69[.]55[.]5[.]75 18 69[.]55[.]5[.]74 18 69[.]55[.]5[.]79 18 69[.]55[.]5[.]78 18 69[.]55[.]5[.]81 18 See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences v4[.]ipv6-test[.]com 11 sex[.]kuai-go[.]com 4 ilo[.]brenz[.]pl 1 teetah[.]com 1 thmqyo[.]com 1 iadaef[.]com 1 yvyqyr[.]com 1 yyhhwt[.]com 1 yoiupy[.]com 1 abvyoh[.]com 1 evoyci[.]com 1 nzooyn[.]com 1 niulzo[.]com 1 meadgz[.]com 1 yxpwly[.]com 1 cberyk[.]com 1 xuvvie[.]com 1 nfgesv[.]com 1 rjodmz[.]com 1 ygjuju[.]com 1 iauany[.]com 1 zopkpn[.]com 1 ubnuov[.]com 1 kroqzu[.]com 1 uxmaie[.]com 1 See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%FontsMysql 21 %SystemRoot%FontsMysqlbat.bat 21 %SystemRoot%FontsMysqlDoublepulsar.dll 20 %SystemRoot%FontsMysqlDoublepulsar2.dll 20 %SystemRoot%FontsMysqlEter.exe 20 %SystemRoot%FontsMysqlEter.xml 20 %SystemRoot%FontsMysqlEternalblue.dll 20 %SystemRoot%FontsMysqlEternalblue2.dll 20 %SystemRoot%FontsMysqlNansHou.dll 20 %SystemRoot%FontsMysqlcmd.bat 20 %SystemRoot%FontsMysqlcnli-1.dll 20 %SystemRoot%FontsMysqlcoli-0.dll 20 %SystemRoot%FontsMysqlcrli-0.dll 20 %SystemRoot%FontsMysqldmgd-4.dll 20 %SystemRoot%FontsMysqlexma-1.dll 20 %SystemRoot%FontsMysqlfile.txt 20 %SystemRoot%FontsMysqllibeay32.dll 20 %SystemRoot%FontsMysqllibxml2.dll 20 %SystemRoot%FontsMysqlloab.bat 20 %SystemRoot%FontsMysqlload.bat 20 %SystemRoot%FontsMysqlmance.exe 20 %SystemRoot%FontsMysqlmance.xml 20 %SystemRoot%FontsMysqlnei.bat 20 %SystemRoot%FontsMysqlp.txt 20 %SystemRoot%FontsMysqlpoab.bat 20 See JSON for more IOCs
File Hashes
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Fareit-6958493-0
Indicators of Compromise
Registry Keys Occurrences SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: internat.exe 4 SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: AGP Manager 3 SoftwareWow6432NodeMicrosoftTracingRASAPI32 2 SoftwareWow6432NodeMicrosoftTracingRASMANCS 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: EnableFileTracing 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: EnableConsoleTracing 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: FileTracingMask 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: ConsoleTracingMask 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: MaxFileSize 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASAPI32 Value Name: FileDirectory 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: EnableFileTracing 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: EnableConsoleTracing 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: FileTracingMask 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: ConsoleTracingMask 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: MaxFileSize 2 SOFTWAREWOW6432NODEMICROSOFTTRACINGRASMANCS Value Name: FileDirectory 2 SoftwareMicrosoftWindows Script HostSettings 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES Value Name: AGP Manager.job 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES Value Name: AGP Manager.job.fp 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER Value Name: Index 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES Value Name: AGP Manager Task.job 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULECOMPATIBILITYADAPTERSIGNATURES Value Name: AGP Manager Task.job.fp 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER TASK Value Name: Index 2 SOFTWAREMICROSOFTWINDOWS NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER Value Name: Id 2 SOFTWAREMICROSOFTWINDOWS 
NTCURRENTVERSIONSCHEDULETASKCACHETREEAGP MANAGER TASK Value Name: Id 2
Mutexes Occurrences A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A 2 Remcos_Mutex_Inj 1 rdyboost_Perf_Library_Lock_PID_210 1 usbhub_Perf_Library_Lock_PID_210 1 .NET CLR Data_Perf_Library_Lock_PID_5b8 1 .NET CLR Networking 4.0.0.0_Perf_Library_Lock_PID_5b8 1 .NET CLR Networking_Perf_Library_Lock_PID_5b8 1 .NET Data Provider for Oracle_Perf_Library_Lock_PID_5b8 1 .NET Data Provider for SqlServer_Perf_Library_Lock_PID_5b8 1 .NET Memory Cache 4.0_Perf_Library_Lock_PID_5b8 1 .NETFramework_Perf_Library_Lock_PID_5b8 1 ASP.NET_1.1.4322_Perf_Library_Lock_PID_5b8 1 ASP.NET_4.0.30319_Perf_Library_Lock_PID_5b8 1 ASP.NET_Perf_Library_Lock_PID_5b8 1 BITS_Perf_Library_Lock_PID_5b8 1 ESENT_Perf_Library_Lock_PID_5b8 1 Lsa_Perf_Library_Lock_PID_5b8 1 MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_5b8 1 MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_5b8 1 MSDTC_Perf_Library_Lock_PID_5b8 1 Outlook_Perf_Library_Lock_PID_5b8 1 PerfDisk_Perf_Library_Lock_PID_5b8 1 PerfNet_Perf_Library_Lock_PID_5b8 1 PerfOS_Perf_Library_Lock_PID_5b8 1 PerfProc_Perf_Library_Lock_PID_5b8 1 See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 47[.]254[.]132[.]217 2 5[.]8[.]88[.]213 2 91[.]192[.]100[.]4 1 185[.]165[.]153[.]19 1 91[.]193[.]75[.]33 1 194[.]5[.]99[.]4 1 103[.]200[.]5[.]186 1 185[.]165[.]153[.]135 1 105[.]112[.]98[.]98 1 129[.]205[.]112[.]132 1 212[.]7[.]192[.]241 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences snooper112[.]ddns[.]net 1 harryng[.]ddns[.]net 1 popen[.]ru 1 hfgdhgjkgf[.]ru 1 rtyrtygjgf[.]ru 1 icabodgroup[.]hopto[.]org 1
Files and or directories created Occurrences %APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 3 %APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5Logs 3 %APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5LogsAdministrator 3 %APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5run.dat 3 %ProgramFiles(x86)%AGP Manager 3 %ProgramFiles(x86)%AGP Manageragpmgr.exe 3 %System32%TasksAGP Manager 2 %APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5task.dat 2 %APPDATA%Install 2 %APPDATA%InstallHost.exe 2 %System32%TasksAGP Manager Task 2 %ProgramData%MicrosoftVaultAC658CB4-9126-49BD-B877-31EEDAB3F204Policy.vpol 1 %LOCALAPPDATA%MicrosoftVault4BF4C442-9B8A-41A0-B380-DD4A704DDB28Policy.vpol 1 %APPDATA%remcos 1 %APPDATA%remcoslogs.dat 1 %APPDATA%remcosremcos.exe 1 %System32%driversetchosts 1 %APPDATA%Screenshots 1 %TEMP%install.vbs 1 ??scsi#disk&ven_red_hat&prod_virtio#4&2556063a&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} 1 %TEMP%MyttloApp 1 %TEMP%tmpD22A.tmp 1 %TEMP%subos 1 %TEMP%tmpD4E9.tmp 1 %TEMP%subossubose.exe 1 See JSON for more IOCs
File Hashes
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Ursnif-6957672-0
Indicators of Compromise
Registry Keys Occurrences SOFTWAREWOW6432NODEJAVASOFTJAVA WEB START1.6.0_41 Value Name: Home 19 SOFTWAREMICROSOFTINTERNET EXPLORERLOWREGISTRY Value Name: AddToFavoritesInitialSelection 19 SOFTWAREMICROSOFTINTERNET EXPLORERLOWREGISTRY Value Name: AddToFeedsInitialSelection 19 SOFTWAREMICROSOFTINTERNET EXPLORERMAINWINDOWSSEARCH Value Name: Version 19 SOFTWAREMICROSOFTINTERNET EXPLORERRECOVERYPENDINGRECOVERY Value Name: AdminActive 19 SOFTWAREMICROSOFTINTERNET EXPLOREREUPPDSP Value Name: ChangeNotice 19 SOFTWAREMICROSOFTINTERNET EXPLORERMINIE Value Name: TabBandWidth 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} Value Name: NewInstallPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} Value Name: CompatBlockPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{18DF081C-E8AD-4283-A596-FA578C2EBDC3} Value Name: NewInstallPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{18DF081C-E8AD-4283-A596-FA578C2EBDC3} Value Name: CompatBlockPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{72853161-30C5-4D22-B7F9-0BBC1D38A37E} Value Name: NewInstallPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{72853161-30C5-4D22-B7F9-0BBC1D38A37E} Value Name: CompatBlockPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} Value Name: NewInstallPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} Value Name: CompatBlockPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{B4F3A835-0E21-4959-BA22-42B3008E02FF} Value Name: NewInstallPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{B4F3A835-0E21-4959-BA22-42B3008E02FF} Value Name: CompatBlockPromptCount 19 SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{DBC80044-A445-435B-BC74-9C25C1C588A9} Value Name: NewInstallPromptCount 19 
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXTSETTINGS{DBC80044-A445-435B-BC74-9C25C1C588A9} Value Name: CompatBlockPromptCount 19 SoftwareMicrosoftInternet ExplorerRecoveryActive 19 SoftwareMicrosoftCTFTIP{1188450c-fdab-47ae-80d8-c9633f71be64}LanguageProfile x00000000{63800dac-e7ca-4df9-9a5c-20765055488d} 19 SOFTWAREClassesTypeLib{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}1.1 win32 19 SoftwareMicrosoftInternet ExplorerSuggested Sites 19 SoftwareMicrosoftWindowsCurrentVersionExplorerMenuOrderFavoritesLinks 19 SoftwareMicrosoftWindowsCurrentVersionExtStats{2670000A-7350-4F3C-8081-5663EE0C6C49}iexplore 19
Mutexes Occurrences !PrivacIE!SharedMem!Mutex 19 LocalVERMGMTBlockListFileMutex 19 Local!BrowserEmulation!SharedMemory!Mutex 19 LocalURLBLOCK_DOWNLOAD_MUTEX 19 LocalURLBLOCK_HASHFILESWITCH_MUTEX 19 UpdatingNewTabPageData 19 {5312EE61-79E3-4A24-BFE1-132B85B23C3A} 19 {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} 19 {A7AAF118-DA27-71D5-1CCB-AE35102FC239} 18 Local{57025AD2-CABB-A1F8-8C7B-9E6580DFB269} 18 Local{7FD07DA6-D223-0971-D423-264D4807BAD1} 18 Local{B1443895-5CF6-0B1E-EE75-506F02798413} 18 CommunicationManager_Mutex 15 SmartScreen_AppRepSettings_Mutex 15 SmartScreen_ClientId_Mutex 15 LocalURLBLOCK_FILEMAPSWITCH_MUTEX_1760 6 {33B6645E-F685-DDC4-9817-8A614C3B5E25} 6 {9FB8F914-72AD-292E-7443-C66DE8275AF1} 4 {EF2CA93C-8275-F9B6-0493-D63D78776AC1} 3 {1FE6DE6D-F2FC-A937-F4C3-46ED68A7DA71} 3 LocalURLBLOCK_FILEMAPSWITCH_MUTEX_1916 3 {27CB7058-5ACE-F149-9C4B-2EB590AF42B9} 3 BaseNamedObjectsLocal{FCAA51DD-2B0A-8E99-95F0-8FA2992433F6} 3 BaseNamedObjectsLocal{6AE7CB31-C1EF-2C06-9B3E-8520FF528954} 3 BaseNamedObjectsLocal{72534A3F-299C-7437-43C6-6DE8275AF19C} 3 See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200 19 185[.]193[.]141[.]60 19 208[.]67[.]222[.]222 18 194[.]147[.]35[.]95 18 13[.]107[.]21[.]200 13
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
vmelynaa[.]club 19
resolver1[.]opendns[.]com 18
222[.]222[.]67[.]208[.]in-addr[.]arpa 18
myip[.]opendns[.]com 18
ciemona[.]top 18
zwbaoeladiou[.]xyz 16
fqwalfredoesheridan[.]info 16
Files and or directories created (occurrences)
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-500Preferred 19
%LOCALAPPDATA%LowMicrosoftInternet ExplorerServicessearch_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV0100008.log 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV0100009.log 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000A.log 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000B.log 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000D.log 19
%LOCALAPPDATA%MicrosoftWindowsWebCacheV010000F.log 19
%LOCALAPPDATA%MicrosoftWindowsHistoryHistory.IE5MSHist012018082820180829container.dat 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE51NSKV6K6suggestions[2].en-US 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2favicon[2].ico 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXWviews[2] 19
%LOCALAPPDATA%MicrosoftInternet Explorerimagestoreaowwxkhimagestore.dat 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXWfavicon[1].ico 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE51NSKV6K6favicon[2].png 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE56YL4T24Gviews[1] 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2favicon[1].ico 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE57V3XNPL2 19
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXW 19
%HOMEPATH%Local SettingsTemporary Internet FilesContent.IE5C5MZMU22desktop.ini 19
%TEMP%www2.tmp 19
%TEMP%www3.tmp 19
%TEMP%www4.tmp 19
%HOMEPATH%FavoritesLinksSuggested Sites.url 19
%HOMEPATH%Local SettingsApplication DataMicrosoftFeeds{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~WebSlices~Suggested Sites~.feed-ms 19
See JSON for more IOCs
File Hashes
Screenshots of Detection
AMP
ThreatGrid
Win.Ransomware.Cerber-6957317-0
Indicators of Compromise
Registry Keys (occurrences)
SystemCurrentControlSetServicesNapAgentShas 25
SystemCurrentControlSetServicesNapAgentQecs 25
SoftwareMicrosoftWindowsCurrentVersionExplorerStartPage2 25
SystemCurrentControlSetServicesNapAgentLocalConfig 25
SYSTEMCONTROLSET001SERVICESNAPAGENTLOCALCONFIGEnrollHcsGroups 25
SYSTEMCONTROLSET001SERVICESNAPAGENTLOCALCONFIGUI 25
SystemCurrentControlSetControlSession Manager 25
SoftwareMicrosoftWindowsShellNoRoamMUICache 25
CONTROL PANELDESKTOP Value Name: Wallpaper 25
SYSTEMCONTROLSET001CONTROLSESSION MANAGER Value Name: PendingFileRenameOperations 25
SYSTEMControlSet001ControlSession Manager 25
SOFTWAREMicrosoftSystemCertificatesCACertificates189271E573FED295A8C130EAF357A20C4A9F115E 9
SystemCurrentControlSetControlSecurityProvidersSchannel 6
Mutexes (occurrences)
Global3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7 25
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
BaseNamedObjectsshell.{718951EE-6DB9-E41A-53AA-8B715AE18B45} 2
BaseNamedObjectsshell.{493BC5E1-8EB5-5EFC-281D-65B759CEECC3} 2
BaseNamedObjectsshell.{B1A92788-E01E-5F0F-2EBD-8C1B64B4440E} 1
BaseNamedObjectsshell.{3B5BBD57-DC86-C667-6198-1ED86151C492} 1
BaseNamedObjectsshell.{3290A7F9-5947-C52F-A9C4-FFC568696593} 1
BaseNamedObjectsshell.{A90EDFAB-A502-430E-BDBC-2A277AABA37D} 1
BaseNamedObjectsshell.{FCDAE584-CD77-B6D4-3AF3-33D1E72CBBA2} 1
BaseNamedObjectsshell.{5ED88314-B21B-6A1E-9E28-1194C46E655A} 1
BaseNamedObjectsshell.{0382099C-AC13-59BE-3A2C-B533D776D30C} 1
BaseNamedObjectsshell.{8A1F6AB1-121B-A240-F2AC-6815C5405429} 1
BaseNamedObjectsshell.{6B956E68-ABAA-AB50-EB9F-299C556E0FC1} 1
BaseNamedObjectsshell.{D593CF55-EF38-7E41-B3D1-189932BF5ACA} 1
BaseNamedObjectsshell.{6E8CD1E8-3AA4-8152-A1AC-9DF81B4CF52F} 1
BaseNamedObjectsshell.{CA80F6A6-97F3-B746-F936-72E156EADCA1} 1
BaseNamedObjectsshell.{77337C05-6A9D-48D8-548B-5BC4EDE52644} 1
BaseNamedObjectsshell.{5F59AF38-9EAC-3B8F-A08E-700EC4307348} 1
BaseNamedObjectsshell.{1DEF893E-C150-B52C-8B2C-18DC50905097} 1
BaseNamedObjectsshell.{114716B6-D98A-FB35-E73B-ABDB1C2ECBE3} 1
BaseNamedObjectsshell.{940BFEC0-D658-3349-9964-7D4820AF7C5D} 1
BaseNamedObjectsshell.{DCA07E8B-8FF0-AAD5-5A30-43E0A4FC3355} 1
BaseNamedObjectsshell.{9F3E7036-D399-5D1C-15F0-27F90C81CEA7} 1
BaseNamedObjectsshell.{4D979936-6ECD-C1FC-8B7E-C65E6397B59E} 1
BaseNamedObjectsshell.{2981A90C-3618-499B-5205-FD704DC8D53D} 1
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
178[.]33[.]160[.]176 25
178[.]33[.]160[.]175 25
178[.]33[.]160[.]178 25
178[.]33[.]160[.]177 25
178[.]33[.]160[.]179 25
178[.]33[.]160[.]170 25
178[.]33[.]160[.]172 25
178[.]33[.]160[.]171 25
178[.]33[.]160[.]196 25
178[.]33[.]160[.]195 25
178[.]33[.]160[.]198 25
178[.]33[.]160[.]197 25
178[.]33[.]160[.]199 25
178[.]33[.]160[.]190 25
178[.]33[.]160[.]192 25
178[.]33[.]160[.]191 25
178[.]33[.]160[.]194 25
178[.]33[.]160[.]193 25
178[.]33[.]159[.]31 25
178[.]33[.]159[.]30 25
178[.]33[.]159[.]29 25
178[.]33[.]159[.]28 25
178[.]33[.]159[.]27 25
178[.]33[.]159[.]26 25
178[.]33[.]159[.]25 25
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
api[.]blockcypher[.]com 25
chain[.]so 13
bitaps[.]com 13
btc[.]blockr[.]io 13
hjhqmbxyinislkkt[.]1j9r76[.]top 12
www[.]coinbase[.]com 9
p27dokhpz2n7nvgr[.]1j9r76[.]top 6
hjhqmbxyinislkkt[.]1bxzyr[.]top 3
Files and or directories created (occurrences)
%HOMEPATH%DocumentsOneNote NotebooksPersonalGeneral.one 25
%HOMEPATH%DocumentsOneNote NotebooksPersonalUnfiled Notes.one 25
%HOMEPATH%DocumentsOutlook FilesOutlook.pst 25
%HOMEPATH%DocumentsRILLReturn.ppt 25
%HOMEPATH%DocumentsSerialsOverview.ppt 25
%HOMEPATH%DocumentsTSR_Observations_2-14-2007.doc 25
%HOMEPATH%DocumentsVISSpring13Schedule.pdf 25
%HOMEPATH%Documentsbooklaunch_e.doc 25
%HOMEPATH%Documentsfeatureb0906.pdf 25
%HOMEPATH%Documentsgenealogy.ppt 25
%HOMEPATH%Documentsgreenpaper.doc 25
%HOMEPATH%Documentsjames_harrison_public_forum_presentation_e.doc 25
%HOMEPATH%Documentsself-guided_SoE_Tour.pdf 25
%HOMEPATH%Documentssshws_2012rev.pdf 25
%HOMEPATH%Documentstimeentrylimit.xlsx 25
%HOMEPATH%Documentsworkshopagenda10may2001_e.doc 25
%TEMP%d19ab989 25
%TEMP%d19ab9894710.tmp 25
%TEMP%d19ab989a35f.tmp 25
%LOCALAPPDATA%MicrosoftOfficeGrooveSystemCSMIPC.dat 25
DAV RPC SERVICE 25
DeviceNull 25
%APPDATA%MicrosoftOutlookOutlook.srs 25
%APPDATA%MicrosoftOutlookOutlook.xml 25
%HOMEPATH%Local SettingsApplication DataMicrosoftOfficeONetConfig21d4feba3519c30e149fdf62432f198a.xml 25
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.Nymaim-6956636-0
Indicators of Compromise
Registry Keys (occurrences)
SoftwareMicrosoftGOCFK 19
SoftwareWow6432NodeMicrosoftTracingtapi3 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: EnableFileTracing 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: EnableConsoleTracing 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: FileTracingMask 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: ConsoleTracingMask 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: MaxFileSize 19
SOFTWAREWOW6432NODEMICROSOFTTRACINGTAPI3 Value Name: FileDirectory 19
SOFTWAREMICROSOFTGOCFK Value Name: mbijg 19
SoftwareMicrosoftFROD 18
Mutexes (occurrences)
Local{369514D7-C789-5986-2D19-AB81D1DD3BA1} 19
Local{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} 19
Local{F04311D2-A565-19AE-AB73-281BA7FE97B5} 19
Local{F6F578C7-92FE-B7B1-40CF-049F3710A368} 19
Local{306BA354-8414-ABA3-77E9-7A7F347C71F4} 19
Local{F58B5142-BC49-9662-B172-EA3D10CAA47A} 19
Local{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} 19
Local{B888AC68-15DA-9362-2153-60CCDE3753D5} 19
Local{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} 19
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
otmqa[.]in 18
nuyfyp[.]in 18
omctebl[.]pw 18
qxqdslcvhs[.]pw 18
eyhwvkyswsts[.]in 18
lqeyztwnmqw[.]pw 18
tgkddewbn[.]in 18
bibmbkjvelox[.]net 18
mpoghxb[.]net 18
zglevl[.]net 18
cixhrfbok[.]com 18
yqxpvvbvncxr[.]com 18
vhmfwvrbln[.]net 18
pyioepars[.]com 18
iwxbgsvj[.]net 18
Files and or directories created (occurrences)
%ProgramData%ph 19
%ProgramData%phfktiipx.ftf 19
%TEMP%gocf.ksv 19
%TEMP%fro.dfx 18
Documents and SettingsAll Userspxspil.ohu 18
%LOCALAPPDATA%7z2 5
%APPDATA%s269 5
%ProgramData%hm94p64 3
%LOCALAPPDATA%2870 3
%APPDATA%710i5v8 3
%ProgramData% 5n3 3
%ProgramData% m2 3
%ProgramData%j91z 2
%LOCALAPPDATA%9b8 2
%APPDATA%mb31 2
%ProgramData%6745h 2
%ProgramData%63h6c 2
%LOCALAPPDATA%546byxl 2
%APPDATA%k5f5 2
%APPDATA%1ok411c 1
%ProgramData%84q9q 1
%LOCALAPPDATA%6b0d19t 1
%APPDATA%9980c 1
%ProgramData%2p077d 1
%LOCALAPPDATA%ja68siv 1
See JSON for more IOCs
File Hashes
0a79d985e81449aeabc401545955323e3d9fa0951a6fabe8727370679cee362c
2d7e1dee56892ffe3fa7b85e33ef512e8017ce690a1118ad743736ba03c70c29
2f017b1f3b3d430266be3da2be7b050dad8d2bbdfe457d6d053f2ca312c90691
33c2883874a24e9abbd993f5d06b8596483d33a388b4832f7e8ed3585dab0f80
4268fb8266c18ba7392e2ac655dad69b952bcfce10a71b34a821f0ea32a02954
470dad272252de1d8631e7026ee324fa9238f722707a26f56b6377f2588a7b16
4ff4835419292e13a5d7be1fe2b3b6a000a07f733948e5865b09082e91ef364b
50bc7a1d67f67fbe4faaa7e1968addc631ee65c05dffdac6decfd021306d17c7
5814f51e35d047cfd4e2b4d76bb2b401d70a860747b7ba817fe3bb035dea1b98
68e743d3ab393a17a9120260b6e2c1a1fcea3ba32cebc06aa1970d62198f266d
7e95831b38b1a32402ba5b6251180aca1b1cad457be756612b3ffe1ebf40dce2
8b307748efc603648524dc47202a550bfcaee9a3a23da4f99802aef2e789d6cd
9260c5ea2694dd47cbe563d7d39518d4b4f1249499dcae387e2da9955723286f
a92aec525fddbe52002ba700344043cd99b8d1323728b9cc2114e64bf83c7ce3
aca7c6cb8d0edcb41b44a0f53460ee8ac3078aca97f03979da0b1d4d5dfb860b
b01ecd3e51d9efea860568d3ae336c7d3514f08bca6d3ba9c5cfd3ad069ec3fe
d618459cbcf86c6797850757003d53db2f8bcc89364bf7de806f89f1736bf1cd
d6a5f0855e7e2c8968e90159b42853361187b41d692626273807361c27bd5a37
db421df81c436e54428bcaddcb394568afcd6769e88809a2634ea678643ec811
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Dropper.Qakbot-6956539-0
Indicators of Compromise
Registry Keys (occurrences)
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: internat.exe 25
SoftwareMicrosoftSystemCertificatesUserDS 25
SYSTEMCONTROLSET001SERVICESaqejpwsx 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: Type 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: Start 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ErrorControl 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ImagePath 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DisplayName 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DependOnService 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DependOnGroup 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: WOW64 25
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ObjectName 25
SOFTWAREMicrosoftSystemCertificatesDisallowedCertificates7D7F4414CCEF168ADF6BF40753B5BECD78375931 3
SOFTWAREMicrosoftSystemCertificatesDisallowedCertificates637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 3
Note that other Registry Keys are leveraged that may contain unicode characters.
See JSON for more IOCs
Mutexes (occurrences)
Globaleqfik 25
llzeou 25
eqfika 25
Globalepieuxzk 25
Globalulnahjoi 25
Globalutjvfi 25
bzqjzpdrfpamvq 25
BaseNamedObjectsGlobaluvesyw 2
BaseNamedObjectsGlobalvqxcpp 2
BaseNamedObjectshxsgmprzlpnnqw 2
BaseNamedObjectsGlobalimyuiwlg 2
BaseNamedObjectsGlobalvtqux 2
BaseNamedObjectsimyuiwlga 2
BaseNamedObjectsyspopald 2
BaseNamedObjectsGlobalrhjga 2
BaseNamedObjectsafalya 2
BaseNamedObjectsiykps 2
BaseNamedObjectsGlobalilkcmoq 2
BaseNamedObjectsGlobalafaly 2
BaseNamedObjectsGlobaldgialgoh 2
BaseNamedObjectsGlobalyvbnyn 2
BaseNamedObjectsGlobalknpog 2
BaseNamedObjectscrcbzy 2
BaseNamedObjectsGlobalesroi 2
BaseNamedObjectsknpoga 2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
172[.]217[.]12[.]174 25
69[.]241[.]80[.]162 21
209[.]126[.]124[.]173 21
69[.]195[.]124[.]60 20
162[.]144[.]12[.]241 20
50[.]87[.]150[.]203 19
181[.]224[.]138[.]240 19
35[.]225[.]160[.]245 18
172[.]217[.]164[.]142 18
45[.]38[.]189[.]103 18
68[.]87[.]56[.]130 18
85[.]93[.]89[.]6 10
209[.]126[.]124[.]166 6
207[.]38[.]89[.]115 5
85[.]93[.]88[.]251 5
69[.]241[.]74[.]170 3
69[.]241[.]108[.]58 3
69[.]241[.]106[.]102 3
64[.]34[.]169[.]244 2
208[.]100[.]26[.]234 1
216[.]218[.]206[.]69 1
216[.]58[.]217[.]142 1
173[.]227[.]247[.]49 1
173[.]227[.]247[.]54 1
69[.]64[.]56[.]244 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
jpfdtbmvuygvyyrebxfxy[.]info 25
hknkmwfdngcfavzhqd[.]biz 25
ywubouysdukndoakclnr[.]org 25
uwujtnymeyeqovftsc[.]org 21
kaaovcddwmwwlolecr[.]org 21
ijdlykvhnvrnauvz[.]com 21
www[.]ip-adress[.]com 21
stc-hstn-03[.]sys[.]comcast[.]net 21
boston[.]speedtest[.]comcast[.]net 21
houston[.]speedtest[.]comcast[.]net 21
sanjose[.]speedtest[.]comcast[.]net 21
jacksonville[.]speedtest[.]comcast[.]net 21
lunkduuumhmgpnoxkbcjqcex[.]org 19
hsyglhiwqfc[.]org 18
forumity[.]com 18
zebxhuvsz[.]com 18
yxssppysgteyylwwprsyyvgf[.]com 18
fcptxaleu[.]net 18
olosnxfocnlmuw[.]biz 18
cbqjxatxrumjpyvp[.]biz 18
sproccszyne[.]org 18
uschunmmotkylgsfe[.]biz 18
wgysvrmqugtimwhozoyst[.]biz 18
tkpxkpgldkuyjduoauvwoiwcg[.]org 18
cufgghfrxaujbdb[.]com 18
See JSON for more IOCs
Files and or directories created (occurrences)
%APPDATA%MicrosoftWindowsCookiesQA752KCC.txt 25
%APPDATA%MicrosoftWindowsCookiesQP9V2VPK.txt 25
%APPDATA%MicrosoftWindowsCookiesQTOORX9Q.txt 25
%APPDATA%MicrosoftWindowsCookiesRPE3LD3D.txt 25
%APPDATA%MicrosoftWindowsCookiesRYU7B1BB.txt 25
%APPDATA%MicrosoftWindowsCookiesRZ1EYTQG.txt 25
%APPDATA%MicrosoftWindowsCookiesSCT1A3Q5.txt 25
%APPDATA%MicrosoftWindowsCookiesSL2DQ447.txt 25
%APPDATA%MicrosoftWindowsCookiesSUA0P3GL.txt 25
%APPDATA%MicrosoftWindowsCookiesT28YM23R.txt 25
%APPDATA%MicrosoftWindowsCookiesTC61OXS2.txt 25
%APPDATA%MicrosoftWindowsCookiesTWNEP5LZ.txt 25
%APPDATA%MicrosoftWindowsCookiesTX9TW6ML.txt 25
%APPDATA%MicrosoftWindowsCookiesU5T0RELM.txt 25
%APPDATA%MicrosoftWindowsCookiesUCPG9KND.txt 25
%APPDATA%MicrosoftWindowsCookiesUD8XCJVS.txt 25
%APPDATA%MicrosoftWindowsCookiesUGY2NFKJ.txt 25
%APPDATA%MicrosoftWindowsCookiesUOVVJUXY.txt 25
%APPDATA%MicrosoftWindowsCookiesUVFN9CGJ.txt 25
%APPDATA%MicrosoftWindowsCookiesV6G9AWM4.txt 25
%APPDATA%MicrosoftWindowsCookiesVFVD9E5C.txt 25
%APPDATA%MicrosoftWindowsCookiesVK4YOOAG.txt 25
%APPDATA%MicrosoftWindowsCookiesVP01LDK3.txt 25
%APPDATA%MicrosoftWindowsCookiesVPK8RY5C.txt 25
%APPDATA%MicrosoftWindowsCookiesVYUA6F7D.txt 25
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Tovkater-6956309-0
Indicators of Compromise
Registry Keys (occurrences)
SystemCurrentControlSetControlSession Manager 25
SYSTEMCONTROLSET001CONTROLSESSION MANAGER Value Name: PendingFileRenameOperations 25
SYSTEMControlSet001ControlSession Manager 25
Mutexes (occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
caribz[.]club 10
fruitnext[.]top 9
mirraclez[.]club 5
liquidmiracle[.]top 4
SMILESAWAY[.]TOP 3
duckandbear[.]top 2
skycrimes[.]top 2
fowlerfootball[.]top 2
gratify[.]triobol[.]ru 1
shipboard[.]dicier[.]ru 1
giroboard[.]top 1
skeleton[.]walforder[.]ru 1
shadeunit[.]club 1
strangerthingz[.]club 1
Files and or directories created (occurrences)
imasrr13.exe 22
%TEMP%nsw2.tmpnsJSON.dll 3
%TEMP%nso74D7.tmpINetC.dll 1
%TEMP%nso74D7.tmpnsJSON.dll 1
%TEMP%nso74D7.tmpxantacla.exe 1
%TEMP%nsuC6AE.tmpINetC.dll 1
%TEMP%nsuC6AE.tmpnsJSON.dll 1
%TEMP%nsuC6AE.tmpsantacla.exe 1
%TEMP%nsj9A32.tmpINetC.dll 1
%TEMP%nsj9A32.tmpnsJSON.dll 1
%TEMP%nse1441.tmpINetC.dll 1
%TEMP%nsj9A32.tmpxantacla.exe 1
%TEMP%nse1441.tmpnsJSON.dll 1
%TEMP%nse1441.tmpsantacla.exe 1
%TEMP%nsa3ED.tmpINetC.dll 1
%TEMP%nsa3ED.tmpnsJSON.dll 1
%TEMP%nsa3ED.tmpxantacla.exe 1
%TEMP%nseEB6D.tmpINetC.dll 1
%TEMP%nseEB6D.tmpnsJSON.dll 1
%TEMP%nseEB6D.tmpxantacla.exe 1
%TEMP%nskC2A9.tmpINetC.dll 1
%TEMP%nskC2A9.tmpnsJSON.dll 1
%TEMP%nskC2A9.tmpsantacla.exe 1
%TEMP%nsp547C.tmpINetC.dll 1
%TEMP%nsp547C.tmpnsJSON.dll 1
See JSON for more IOCs
File Hashes
0b1c46b5535b4fc30fd8d813255220d3715d0bd7623e094e684af13a1c12f579
0d806734aacf391b1c304155e8f186d7c354c46d08b5f2cb70c2a6029dba2e0e
1187cf65c782ea451e0a46f8e5ea18f8133cc209d58db1c08793bb086b96df4f
21a9fb85cec099bdc2bf419b9bc07dbe6f9b1dc40b8e2853c119093706d1a3a8
2e23eb71950087f2212e0e591fa462b1706571fe55c87454de7003de4a982d95
30d525e4acb5cbd5dd5fe9508cb0cf053c4b0480ab53168e9a06e58c2e9b323b
35dae148e6507526256336e36eb9858dcf17c73f86c332582cd53af43c887f0a
368e24183133ba0c4a7fb06b255458754e6662d6be0df18f44b7304b7f1438d7
3dc644f5a69d86aeab33c6879bb508b59049d17a74cca73f15b160578ee0a358
42f86e50ca2180192d30c556d001cf8720d17094850164e811872f1c864f10cb
43150f037e396e69ff8e1e1d1da7e33614f100fba6b6133a99174a8bcc56d8c5
46e6b3d8c0cff0c9dca7ee7fae9b15c7b23865f546533ee00be0d594f6d03a40
4b0232b305a8504700570c6e177d0c1815924031908f2f2d5fe61510174804c5
52e70ec3517105cdabea6b3448d4568fbca560683e7e90070d0209ea1a002de7
5b1a72a9d50e9e41662848965957cf3b537a923f12a02d022d7e40bc76d6a59d
5f16228ceca9d4d628bcddf5da07ddd8140b19c3458ba287b5e0a9a4533929c9
626f2dbe08fcf4192f709111ca3f2ce5975cb9ac7bac7b007158b8e74070c403
62bae87f17d56c22f89ec9c41c2e3bf76139df7a4a4c710e088ec9483918cf9b
63d3a47aa0f89009ecc37199d269c8c3184d32e0632c3f1c1857dafd2aee7ae4
67b73d01d619d30bc56d0f772207df38b68a433b1050137bb93a54e746c1c34f
67ffbd39d1ebbceb4936645c822a10b6b71dc289acd026b1b4259f01c2168e8f
6c2eae55f0ff4cb79a53f932a481812c7b8c5d61ff0aadf47c4211d676cc97b4
6d0f17cdc45a3867ec8c89ae3cf9ef2264b4889fc135417857e04d8109ec62ec
7b4c241497ba6cef5a8abc35d4c795e7c8b0b3d4a292a843d14d4389ddef57b7
7dbb52a1de75d201b0565062452e81a210cc597ac4626aa95bf478562aa082cd
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Doc.Downloader.Powload-6956274-0
Indicators of Compromise
Registry Keys (occurrences)
INTERFACE{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 29
INTERFACE{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 29
INTERFACE{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 29
INTERFACE{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 29
INTERFACE{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 29
INTERFACE{79176FB2-B7F2-11CE-97EF-00AA006D2776} 29
INTERFACE{4C5992A5-6926-101B-9992-00000B65C6F9} 29
INTERFACE{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 29
INTERFACE{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE2-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE3-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE4-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE5-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE6-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE8-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{47FF8FE9-6198-11CF-8CE8-00AA006CB389} 29
INTERFACE{5CEF5613-713D-11CE-80C9-00AA00611080} 29
INTERFACE{92E11A03-7358-11CE-80CB-00AA00611080} 29
INTERFACE{04598FC9-866C-11CF-AB7C-00AA00C08FCF} 29
INTERFACE{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} 29
SYSTEMCONTROLSET001SERVICESsourcebulk 29
SYSTEMCONTROLSET001SERVICESSOURCEBULK Value Name: Type 29
SYSTEMCONTROLSET001SERVICESSOURCEBULK Value Name: Start 29
SYSTEMCONTROLSET001SERVICESSOURCEBULK Value Name: ErrorControl 29
Mutexes (occurrences)
GlobalI98B68E3C 29
GlobalM98B68E3C 29
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
159[.]0[.]130[.]149 29
191[.]92[.]69[.]115 29
69[.]25[.]11[.]28 29
88[.]198[.]20[.]57 29
212[.]129[.]63[.]132 24
198[.]58[.]114[.]91 18
74[.]208[.]5[.]15 16
209[.]85[.]144[.]109 10
77[.]111[.]149[.]55 9
74[.]6[.]141[.]50 8
173[.]201[.]192[.]229 8
74[.]208[.]5[.]2 7
209[.]85[.]144[.]108 7
17[.]36[.]205[.]74 7
182[.]50[.]145[.]3 6
67[.]195[.]228[.]95 6
196[.]35[.]198[.]134 6
54[.]88[.]144[.]211 6
149[.]255[.]56[.]242 6
184[.]106[.]54[.]10 5
64[.]26[.]60[.]229 5
173[.]203[.]187[.]14 5
205[.]178[.]146[.]235 5
212[.]227[.]15[.]167 5
212[.]227[.]15[.]183 5
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
ises[.]com[.]pl 29
ingenla[.]com 29
hicast[.]tn 24
smtp[.]mail[.]com 16
secure[.]emailsrvr[.]com 14
smtpout[.]secureserver[.]net 14
smtp[.]office365[.]com 13
smtp-mail[.]outlook[.]com 10
smtp[.]1und1[.]de 10
smtp[.]aol[.]com 8
smtp[.]emailsrvr[.]com 7
smtpout[.]asia[.]secureserver[.]net 6
smtp[.]1and1[.]com 6
smtp[.]rediffmailpro[.]com 6
smtp[.]comcast[.]net 6
smtp[.]263[.]net 6
spam[.]pantos[.]com 6
mail[.]longi-silicon[.]com 5
smtp[.]prodigy[.]net[.]mx 5
mail[.]huaqin[.]com 5
betmngr[.]com 5
smtp[.]yandex[.]com 4
smtp[.]zoho[.]com 4
smtp3[.]netcore[.]co[.]in 4
smtp[.]mweb[.]co[.]za 4
See JSON for more IOCs
Files and or directories created (occurrences)
%SystemRoot%SysWOW64configsystemprofileAppDataLocalMicrosoftWindowsTemporary Internet Filescounters.dat 29
%HOMEPATH%423.exe 29
%SystemRoot%SysWOW64version.dll 1
%SystemRoot%GlobalizationSortingsortdefault.nls 1
REGISTRYMACHINESOFTWAREClassesWord.Document.8 1
%TEMP%CVR90.tmp 1
%SystemRoot%SysWOW64sourcebulka.exe 1
%SystemRoot%SysWOW643HqWfmuWUBgMP.exe 1
%SystemRoot%Temp76D.tmp 1
%SystemRoot%SysWOW64jq9Mk4Che.exe 1
File Hashes
1e0b73c5ec4b9516709c10ec708fc295df021451f958a89144d79d99604b3664
325701284bf17203d71a9c5b4d46e4f7b651164ab92c643fe64a3e3bc2844dad
3537f5cfc0ad20b8061b67f82dc43a7ac1856391bece8158023fcc3d6699f75a
35965e3b9cff6a78e1331ed07f5e327a91301b5b023b20fb0c107bc3574b3a08
3889458cad2eccfcd7f8ec5c842dd30edec24f36a37abde0e9359dd7117524e7
3eb7c725b886abf672613a63d1c17c479f1144f1262a6c3cd66a44fe74581383
407f21c8583dbf70a0069162b9f7c0ec142b63e05d4d94ec8e4c85345bf759d9
51ee3cc17fa697ec7de8a60ea5ad2af4195de73c95401b1b17e7b9c346ed9c1a
5a33cba1e854fb298486fe6ba6ebb071e045cb698aec109561178b2a66567662
5eefdd75abcd812db0c1fe74f071dcb2c50ac7c9b73144900b9918fe8930af2b
601804d1434691765b258649f0a9c8924bb1b28b5ff0dc2bafb3039b2c78f6a3
65344e20c9e346e62bec15f369fcdbb619d64b362483feb36a6d60e3007c22db
6f5795d34e8fa33548042554f0b05b6e79e9a68783f28a196476261a0de0e068
72966d743059492c8caf5689758cdf98275e087cf5bf9d0e7914db1e4472fc05
751ccbeabee910ea022ebc97fde11d5e1c3bba9f83b6d2df09a927924eb1e60e
77ccc470c377e4a22e0091d0abd3f91cec17b6e06c0e17d8f87dbbbd735bfe0b
7bfa867554a7f1a6a891712cfdaaf519bd44bdf53e0047930890495c9655ab7e
8391f3706e60079dbdbeee083f8bda85915cc763bd683bb00270f694a031c66a
9e40d6af4d13a6d65e179c109b4676c691fbf0b2de6deb0d84625e654989fa0d
9fe28f27c0db9df3580f65069affb7f47171d910f69035ffdeeac5a545ab4ec9
a1be08364eef857af56f506b206e780c803c212b76dbac8dc17e7983d08f65ff
a50d314e9c13d667641b11c73695980d1fd4cc0020cd7f760bdbd88bf95b1c3c
a95ddd15ef6f38762fbc16ca31539aabbf15c3c10d0c103cb4c204c88bfbbadf
ac957b3a3b4e8d75ead5dabd4b70e28e27a697a719322071d66cfb796d3b28f6
b1709a55b71ba9559aa839eb5304e2fc2388ae6275771b6cbbf8f49ac3e355fa
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.Kovter-6956146-0
Indicators of Compromise
Registry Keys (occurrences)
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: internat.exe 25
SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATE Value Name: DisableOSUpgrade 25
SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEOSUPGRADE Value Name: ReservationsAllowed 25
SOFTWAREWOW6432NODEXVYG Value Name: xedvpa 25
SOFTWAREXVYG Value Name: xedvpa 25
.8CA9D79 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: vrxzdhbyv 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: ssishoff 25
SOFTWAREPOLICIESMICROSOFTWINDOWSWindowsUpdate 25
SOFTWAREPOLICIESMICROSOFTWINDOWSWINDOWSUPDATEOSUpgrade 25
SOFTWARExvyg 25
SOFTWAREWOW6432NODExvyg 25
c3b616 25
C3B616shell 25
C3B616SHELLopen 25
C3B616SHELLOPENcommand 25
.8ca9d79 25
SoftwareMicrosoftInternet ExplorerMainFeatureControlFEATURE_BROWSER_EMULATION 25
SOFTWAREMicrosoftInternet ExplorerMainFeatureControlFEATURE_BROWSER_EMULATION 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 Value Name: CheckSetting 25
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 Value Name: CheckSetting 25
SOFTWAREXVYG Value Name: tnzok 25
Mutexes (occurrences)
EA4EC370D1E573DA 25
A83BAA13F950654C 25
Global7A7146875A8CDE1E 25
B3E8F6F86CDD9D8B 25
BaseNamedObjects408D8D94EC4F66FC 24
BaseNamedObjectsGlobal350160F4882D1C98 24
BaseNamedObjects 53C7D611BC8DF3A 24
BaseNamedObjectsGlobal9F84EBC0DC30D3FA 1
BaseNamedObjectsCF2F399CCFD46369 1
BaseNamedObjects8450CD062CD6D8BB 1
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
107[.]160[.]89[.]93 2
123[.]94[.]5[.]73 1
6[.]179[.]232[.]209 1
132[.]130[.]129[.]202 1
87[.]221[.]222[.]176 1
222[.]187[.]133[.]238 1
126[.]207[.]27[.]58 1
191[.]12[.]150[.]189 1
92[.]253[.]215[.]124 1
53[.]136[.]182[.]72 1
188[.]232[.]142[.]236 1
75[.]134[.]228[.]137 1
15[.]17[.]189[.]214 1
218[.]10[.]226[.]184 1
160[.]60[.]207[.]38 1
107[.]98[.]132[.]113 1
134[.]68[.]158[.]4 1
56[.]177[.]25[.]24 1
52[.]196[.]162[.]138 1
133[.]251[.]164[.]106 1
108[.]118[.]74[.]142 1
33[.]198[.]16[.]9 1
18[.]75[.]88[.]134 1
58[.]184[.]135[.]77 1
77[.]189[.]216[.]194 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
www[.]cloudflare[.]com 1
bleez[.]com[.]br 1
lojadeunatelha[.]com[.]br 1
revenda[.]lojadeunatelha[.]com[.]br 1
easyfax[.]nrtnortheast[.]com 1
www[.]username[.]n[.]nu 1
www[.]n[.]nu 1
staticjw[.]com 1
www[.]acquia[.]com 1
network[.]acquia[.]com 1
Files and or directories created (occurrences)
%LOCALAPPDATA%4dd3cc519d0f.bat 25
%LOCALAPPDATA%4dd3cc8e9866.8ca9d79 25
%LOCALAPPDATA%4dd3ccd95adb.lnk 25
%APPDATA%b08d66 b3c0b.8ca9d79 25
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-500Preferred 25
%LOCALAPPDATA%4dd3cc 25
%APPDATA%b08d66 25
%APPDATA%MicrosoftWindowsStart MenuProgramsStartup91b4e5.lnk 25
%APPDATA%db7ac227.a7783 24
%HOMEPATH%Local SettingsApplication Dataf4fa97ea.lnk 24
%HOMEPATH%Local SettingsApplication Dataf4fac0ce.bat 24
%HOMEPATH%Local SettingsApplication Dataf4fad5a9.a7783 24
%HOMEPATH%Start MenuProgramsStartupd733.lnk 24
%HOMEPATH%Local SettingsTemporary Internet FilesContent.IE5C5MZMU22desktop.ini 3
%APPDATA%MicrosoftWindowsCookiesS2KTL2FI.txt 2
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd8-6118f60c376b 2
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd0-5619f60c376b 2
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdf-6619f60c376b 2
%LOCALAPPDATA%MicrosoftWindowsTemporary Internet FilesContent.IE5SSZWDDXW1E8X74FH.htm 2
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdf-5e19f60c376b 2
%APPDATA%MicrosoftWindowsCookies TSDIW0B.txt 1
%APPDATA%MicrosoftWindowsCookiesUGH0HZQB.txt 1
%APPDATA%MicrosoftWindowsCookiesZLTD4G06.txt 1
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fd2-6219f60c376b 1
%APPDATA%MicrosoftProtectS-1-5-21-2580483871-590521980-3826313501-50083549e0e-3d04-434f-8fdd-6619f60c376b 1
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Trojan.Razy-6956092-0
Indicators of Compromise
Registry Keys (occurrences)
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: internat.exe 25
SYSTEMCONTROLSET001SERVICESavkaxoq 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: Type 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: Start 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: ErrorControl 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: ImagePath 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: DisplayName 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: DependOnService 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: DependOnGroup 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: WOW64 19
SYSTEMCONTROLSET001SERVICESAVKAXOQ Value Name: ObjectName 19
SYSTEMCONTROLSET001SERVICESaqejpwsx 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: Type 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: Start 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ErrorControl 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ImagePath 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DisplayName 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DependOnService 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: DependOnGroup 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: WOW64 6
SYSTEMCONTROLSET001SERVICESAQEJPWSX Value Name: ObjectName 6
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: mrldn 1
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: ovsuw 1
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: twgqm 1
SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: eqlshtrx 1
Mutexes (occurrences)
llzeou 25
Globalamztgg 19
amztgga 19
Globaleqfik 6
eqfika 6
BaseNamedObjectseucofa 1
003c194a95c7849375590c48f1c5bc5fÐ÷XAdministra 1
02b5f67a3eba31421dc595a7efed8e0a 1
0e390dd0547334471c08c3b8b4e7ec3aÐ÷IAdministra 1
087ddce345ea3ed2fed8d02dd466026cÐ÷QAdministra 1
14a95d66f90495fcc278258097ed704aÐ÷ Administra 1
10435b4efc8049d260d4b36673f7d656Ð÷.Administra 1
1dd13f0648a70754c883c6262c3633c1Ð÷CAdministra 1
3afec20c013fca0abef646a7a6f0f5cdÐ÷dAdministra 1
385f6390936d000f4d9db3e30b117aca 1
3dede5abeacdabc758f70beef2984aca 1
3f61be1a4bcb773c48a6dc7ed4898387Ð÷:Administra 1
401b399a3aa67d42306ce7291299b7f2Ð÷6Administra 1
897b0a510174cbc4757982703e42a0ca 1
76097734f64ce5ae9b008273431fa4c8Ð÷9Administra 1
8ae8d944960e54c7a833875f71bdae62Ð÷2Administra 1
88cb1af973183aa93bf10d74440333b6Ð÷/Administra 1
BaseNamedObjects380065180a 1
BaseNamedObjectsgetnia 1
BaseNamedObjectsxabzsenoa 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Files and or directories created (occurrences)
%APPDATA%MicrosoftAmztggm 19
%APPDATA%MicrosoftAmztggmamztg.dll 19
%APPDATA%MicrosoftAmztggmamztgg.exe 19
%TEMP%~amztgg.tmp 19
%APPDATA%MicrosoftEqfikq 6
%APPDATA%MicrosoftEqfikqeqfi.dll 6
%APPDATA%MicrosoftEqfikqeqfik.exe 6
%TEMP%~eqfik.tmp 6
%APPDATA%MicrosoftIlgqylilgqy.exe 1
%APPDATA%MicrosoftDuazxlbuduazxl.dll 1
%APPDATA%MicrosoftDuazxlbuduazxlb.exe 1
%APPDATA%MicrosoftJeofzejeof.dll 1
%APPDATA%MicrosoftJeofzejeofz.exe 1
%APPDATA%MicrosoftSsfsnsssfs.dll 1
%APPDATA%MicrosoftSsfsnsssfsn.exe 1
%APPDATA%MicrosoftDcpptfmacdcpptfm.dll 1
%APPDATA%MicrosoftDcpptfmacdcpptfma.exe 1
%APPDATA%MicrosoftTaozsataoz.dll 1
%APPDATA%MicrosoftTaozsataozs.exe 1
%APPDATA%MicrosoftEucofueuco.dll 1
%APPDATA%MicrosoftEucofueucof.exe 1
%APPDATA%MicrosoftGetniegetn.dll 1
%APPDATA%MicrosoftGetniegetni.exe 1
%APPDATA%MicrosoftXabzsenoaxabzsen.dll 1
%APPDATA%MicrosoftXabzsenoaxabzseno.exe 1
See JSON for more IOCs
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Exprev
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Kovter injection detected (4469) A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Madshi injection detected (3542) Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
PowerShell file-less infection detected (2488) A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Process hollowing detected (541) Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected (240) Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected (221) DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Suspicious PowerShell execution detected (156) A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
InstallCore adware detected (65) InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Atom Bombing code injection technique detected (65) A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Excessively long PowerShell command detected (57) A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
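The three PowerShell categories above (a script body executed from an environment variable, an execution-policy bypass, and an excessively long command line) all come down to inspecting the command line of a PowerShell launch. The following Python is an added example, not Talos's or Cisco AMP's detection logic, showing how those indicators can be checked over process-creation records and how an -EncodedCommand payload is decoded so the same rules run on the decoded script. The indicator names, the 1024-character length threshold, the mapping of indicators to roundup categories, and the sample command lines are all assumptions constructed for the example.

```python
import base64
import binascii
import ntpath
import re

# Assumed threshold for the "excessively long command line" heuristic; tune per environment.
MAX_CMDLINE_LEN = 1024

# PowerShell accepts any unambiguous prefix of a parameter name (-ep, -exec, -ExecutionPolicy;
# -w, -win, -WindowStyle; -e, -enc, -EncodedCommand), so the patterns match the prefix.
INDICATORS = {
    "execution-policy-bypass": re.compile(r"-e[px][a-z]*\s+(?:bypass|unrestricted)\b", re.I),
    "hidden-window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    "encoded-command": re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    # Script body read from an environment variable and handed to Invoke-Expression
    # (the Kovter/Poweliks pattern), either as an argument or through a pipe.
    "env-var-script": re.compile(
        r"\b(?:iex|invoke-expression)\b[^|]*\$env:\w+|\$env:\w+\s*\|\s*(?:iex|invoke-expression)\b",
        re.I),
}

# Assumed mapping from indicator to the roundup category it most closely matches.
CATEGORY = {
    "execution-policy-bypass": "Suspicious PowerShell execution detected",
    "hidden-window": "Suspicious PowerShell execution detected",
    "encoded-command": "Suspicious PowerShell execution detected",
    "env-var-script": "PowerShell file-less infection detected",
    "excessive-length": "Excessively long PowerShell command detected",
}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or None if absent/invalid."""
    m = INDICATORS["encoded-command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_cmdline(cmdline):
    """Return the indicator names that fire on a single PowerShell command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if len(cmdline) > MAX_CMDLINE_LEN:
        hits.append("excessive-length")
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # Re-run the content rules on the decoded script so that an encoded
        # 'iex $env:x' is not hidden behind the base64 layer.
        hits += [name + " (decoded)" for name, rx in INDICATORS.items()
                 if name != "encoded-command" and rx.search(decoded)]
    return hits


def scan_events(events):
    """Scan process-creation records; return one finding per PowerShell launch that fires a rule."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() not in POWERSHELL_IMAGES:
            continue
        hits = scan_cmdline(ev["cmdline"])
        if hits:
            findings.append({
                "cmdline": ev["cmdline"],
                "indicators": hits,
                "categories": sorted({CATEGORY[h.split(" ")[0]] for h in hits}),
            })
    return findings


# Constructed sample records (shape loosely modelled on Sysmon Event ID 1); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"'},
    {"image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -NonInteractive "
                             "-File C:\\Users\\Public\\update.ps1"},
    {"image": PS, "cmdline": 'powershell.exe -w hidden -c "iex $env:rgyn"'},
    {"image": PS, "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc "
                             + base64.b64encode("IEX $env:rgyn".encode("utf-16-le")).decode("ascii")},
    # Obfuscated string assembly padded well past the length threshold.
    {"image": PS, "cmdline": 'powershell.exe -nop -c "$x=(' + "'A'+" * 400 + "'B');iex $x\""},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["categories"], f["indicators"], f["cmdline"][:60])
```

Only the first sample (a plain -Command invocation) produces no finding; the last is ignored because the image is not PowerShell. Matching on parameter prefixes rather than full switch names matters in practice, since `-ep bypass` and `-w hidden` are at least as common in loaders as the spelled-out forms.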
Source: Talos Security, Threat Roundup for April 26 to May 3. Original post: Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 26 and May 03.