Threat Roundup for July 19 to July 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 19 and July 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Dropper.Kovter-7079842-0	Dropper	Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. It has been used to spread ransomware and click-fraud malware.
Win.Dropper.Qakbot-7079811-0	Dropper	Qakbot, aka Qbot, has been around for since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Nymaim-7077794-1	Malware	Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Virus.Expiro-7077458-0	Virus	Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Trojan.Lokibot-7077039-1	Trojan	Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Gh0stRAT-7073937-0	Dropper	Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.TrickBot-7071016-0	Dropper	Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Tofsee-7067486-0	Trojan	Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Malware.XtremeRAT-7070642-1	Malware	XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

---

Threat Breakdown

Win.Dropper.Kovter-7079842-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE Value Name: DisableOSUpgrade	25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE Value Name: ReservationsAllowed	25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ssishoff	25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate	25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade	25
<HKCU>\SOFTWARE\xvyg	25
<HKLM>\SOFTWARE\WOW6432NODE\xvyg	25
<HKCR>\7b507	25
<HKCR>\7B507\shell	25
<HKCR>\7B507\SHELL\open	25
<HKCR>\7B507\SHELL\OPEN\command	25
<HKCR>\.16a05d	25
<HKCR>\.16A05D	25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vrxzdhbyv	25
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>	22
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob	7
<HKCU>\SOFTWARE\9OVFKL4 Value Name: DC1iXk9	1
<HKCU>\SOFTWARE\IUV2K1GDZ Value Name: IxF25a	1
<HKCU>\SOFTWARE\IUV2K1GDZ Value Name: xSnk64X	1
<HKCU>\SOFTWARE\TYG6ZX Value Name: Y4d5jxtm	1
<HKCU>\SOFTWARE\TYG6ZX Value Name: 49rU6evnxC	1
<HKCU>\SOFTWARE\5WGIB69 Value Name: VR6KTbo	1
<HKCU>\SOFTWARE\5WGIB69 Value Name: VuVY43ROT	1
<HKCU>\SOFTWARE\0wn0hDCj1e	1
<HKCU>\SOFTWARE\0WN0HDCJ1E Value Name: CURAMV	1

Mutexes	Occurrences
EA4EC370D1E573DA	25
A83BAA13F950654C	25
Global\7A7146875A8CDE1E	25
B3E8F6F86CDD9D8B	25
\BaseNamedObjects\408D8D94EC4F66FC	24
\BaseNamedObjects\Global\350160F4882D1C98	24
\BaseNamedObjects\053C7D611BC8DF3A	24

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
50[.]146[.]204[.]212	1
94[.]30[.]53[.]92	1
75[.]127[.]77[.]20	1
202[.]102[.]245[.]233	1
34[.]209[.]49[.]182	1
92[.]45[.]45[.]116	1
54[.]81[.]147[.]123	1
145[.]176[.]133[.]219	1
146[.]220[.]4[.]69	1
85[.]110[.]127[.]16	1
108[.]101[.]90[.]162	1
217[.]139[.]102[.]35	1
223[.]4[.]245[.]214	1
46[.]26[.]51[.]52	1
2[.]28[.]17[.]56	1
179[.]50[.]78[.]173	1
198[.]59[.]65[.]159	1
173[.]197[.]223[.]51	1
115[.]97[.]126[.]95	1
73[.]83[.]125[.]50	1
91[.]159[.]138[.]54	1
201[.]209[.]158[.]28	1
37[.]128[.]128[.]198	1
20[.]253[.]19[.]194	1
141[.]85[.]236[.]229	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
www[.]cloudflare[.]com	5
www[.]beian[.]gov[.]cn	1
httpd[.]apache[.]org	1
bugs[.]debian[.]org	1
apps[.]digsigtrust[.]com	1
apps[.]identrust[.]com	1
music[.]taihe[.]com	1
www[.]hao123[.]com	1
vh74[.]timeweb[.]ru	1
cloud[.]mobiledatasciences[.]com	1
www[.]flaik[.]com	1
flaik[.]com	1
coolertags[.]com	1
hydra-pilot[.]skillwise[.]net	1

Files and or directories created	Occurrences
%LOCALAPPDATA%\39b03	25
%LOCALAPPDATA%\39b03\6a5cc.16a05d	25
%LOCALAPPDATA%\39b03\7cbdf.bat	25
%HOMEPATH%\Local Settings\Application Data\2501\1ffa.41d68	24
%HOMEPATH%\Local Settings\Application Data\2501\aae7.bat	24

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
Wsa	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.Qakbot-7079811-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\aqejpwsx	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: Type	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: Start	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: ErrorControl	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: ImagePath	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: DisplayName	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: DependOnService	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: DependOnGroup	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: WOW64	22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AQEJPWSX Value Name: ObjectName	22
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs	1
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs	1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates	1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs	1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs	1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates	1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs	1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs	1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\Certificates	1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CRLs	1
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOTd7Q`\CTLs	1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\Certificates	1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\CRLs	1
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\AUTHROOTd7Q`\CTLs	1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: djce	1

Mutexes	Occurrences
\BaseNamedObjects\393733234a	24
Global\eqfik	22
llzeou	22
eqfika	22
Global\epieuxzk	22
Global\ulnahjoi	22
Global\utjvfi	22
bzqjzpdrfpamvq	22
\BaseNamedObjects\vjviza	18
\BaseNamedObjects\Global\yfpeuru	2
\BaseNamedObjects\Global\uazov	2
\BaseNamedObjects\Global\orpoamc	2
\BaseNamedObjects\lwwveb	2
\BaseNamedObjects\Global\vyczm	2
\BaseNamedObjects\paoiea	2
\BaseNamedObjects\Global\uxxgniue	2
\BaseNamedObjects\Global\yusia	2
\BaseNamedObjects\Global\paoie	2
\BaseNamedObjects\uvkfavmyiwoktbx	2
\BaseNamedObjects\gpgpzbxkqqqpyc	2
\BaseNamedObjects\Global\ubezkvio	2
\BaseNamedObjects\Global\lqwii	2
\BaseNamedObjects\Global\nanwvx	2
\BaseNamedObjects\Global\ylijdnyu	2
\BaseNamedObjects\Global\ioyyjlyp	2

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
208[.]100[.]26[.]251	22
172[.]217[.]12[.]142	22
181[.]224[.]138[.]240	22
69[.]195[.]124[.]60	17
162[.]144[.]12[.]241	16
50[.]87[.]150[.]203	16
52[.]201[.]200[.]28	15
52[.]45[.]143[.]178	10
209[.]126[.]124[.]166	8
207[.]38[.]89[.]115	7
85[.]93[.]88[.]251	4
85[.]93[.]89[.]6	3
69[.]64[.]56[.]244	2
173[.]227[.]247[.]54	1
195[.]22[.]28[.]222	1
173[.]227[.]247[.]50	1
5[.]136[.]131[.]34	1
12[.]167[.]151[.]79	1
12[.]167[.]151[.]87	1
195[.]22[.]28[.]196	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
forumity[.]com	22
www[.]ip-adress[.]com	22
www[.]NameBright[.]com	22
zqpbnjvmfkfzbyko[.]info	22
uofdwoxezbdujgadioqvy[.]net	22
hibqrywwciwhbks[.]net	22
aqksafpuovjyfrzit[.]org	22
wupgkipgaiu[.]biz	22
ymoabqpo[.]com	22
erbqfnvqsahyshygeglwhxhvd[.]org	22
yaznaovutvzwgp[.]net	22
vljfhvniqpl[.]org	22
aulmkpipscpopgwrtzhlnqmjk[.]info	22
nwocsvuw[.]net	22
bmbtgoova[.]com	22
wlakhytkctowfowlzyehtt[.]net	22
pzsbodhuinrzhcjin[.]org	22
vwsbvkpkzgsvyhapfcm[.]org	22
cagkhrabktfwkuroydfwtta[.]org	21
doiknfcneeeydnyofyurzy[.]info	21
nbparking-lb-1977168523[.]us-east-1[.]elb[.]amazonaws[.]com	19
jkijlzrsvic[.]com	19
jueafvkiigmul[.]org	17
mgpepssjlpytbdktejekl[.]net	17
tvntnfczmfiewin[.]info	7

Files and or directories created	Occurrences
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	22
%APPDATA%\Microsoft\Eqfikq	22
%APPDATA%\Microsoft\Eqfikq\eqfi.dll	22
%APPDATA%\Microsoft\Eqfikq\eqfik.exe	22
%TEMP%\~eqfik.tmp	22
%APPDATA%\Microsoft\Eqfikq\ceqfik32.dll	22
%APPDATA%\Microsoft\Eqfikq\eqfik32.dll	22
%APPDATA%\Microsoft\Yfpeuruf\yfpeur.dll	2
%APPDATA%\Microsoft\Yfpeuruf\yfpeuru.exe	2
%APPDATA%\Microsoft\Uazova\uazo.dll	2
%APPDATA%\Microsoft\Uazova\uazov.exe	2
%APPDATA%\Microsoft\Orpoamcr\orpoam.dll	2
%APPDATA%\Microsoft\Orpoamcr\orpoamc.exe	2
%APPDATA%\Microsoft\Paoiea\cpaoie32.dll	2
%APPDATA%\Microsoft\Paoiea\paoi.dll	2
%APPDATA%\Microsoft\Paoiea\paoie.exe	2
%APPDATA%\Microsoft\Paoiea\paoie32.dll	2
%APPDATA%\Microsoft\Orpoamcr\corpoamc32.dll	2
%APPDATA%\Microsoft\Orpoamcr\orpoamc32.dll	2
%APPDATA%\Microsoft\Ioyyjlypo\cioyyjlyp32.dll	2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjly.dll	2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjlyp.exe	2
%APPDATA%\Microsoft\Ioyyjlypo\ioyyjlyp32.dll	2
%APPDATA%\Microsoft\Yfpeuruf\cyfpeuru32.dll	2
%APPDATA%\Microsoft\Yfpeuruf\yfpeuru32.dll	2

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
Wsa

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Malware.Nymaim-7077794-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\Software\Microsoft\GOCFK	18
<HKCU>\Software\Microsoft\KPQL	18
<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg	18
<HKCU>\SOFTWARE\MICROSOFT\KPQL Value Name: efp	18

Mutexes	Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}	18
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}	18
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}	18
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}	18
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}	18
Local\{9AF4643E-0898-BB80-6A14-0133AB3F8A5C}	18
Local\{AC7E1B07-D66B-D6D7-68B8-F1D274B98185}	18

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
GOBEZJ[.]IN	18
jqmxfop[.]in	18
ICSCHQDJWQ[.]COM	18
OINCXXQTDBH[.]NET	18
gxeiohsixfc[.]com	18
pmxwbnpc[.]pw	18
fzfpwupqpryc[.]com	18
wglcpwdbg[.]net	18
NFOOJZPDTSL[.]IN	18
OTQFOI[.]IN	18
ticfwfen[.]pw	17
qxeejy[.]pw	17
ahvcnjqki[.]in	17
wyftxsolryia[.]in	17
klwrihhgj[.]pw	17
ldssmbugesb[.]in	17
dobra[.]in	17
yeqmndxtavuf[.]in	17
txvzjzoosogn[.]in	17
euvee[.]com	17
gyxsvdvcilju[.]net	17
djxexguecx[.]com	17
euharm[.]net	17
jgpazdzh[.]com	17
lqtcrom[.]net	17

Files and or directories created	Occurrences
%ProgramData%\ph	18
%ProgramData%\ph\eqdw.dbc	18
%ProgramData%\ph\fktiipx.ftf	18
%TEMP%\gocf.ksv	18
%TEMP%\kpqlnn.iuy	18
%TEMP%\fro.dfx	17
%TEMP%\npsosm.pan	17
\Documents and Settings\All Users\pxs\dvf.evp	17
\Documents and Settings\All Users\pxs\pil.ohu	17

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
Wsa	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Virus.Expiro-7077458-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\CLASSES\.vcf	15
<HKLM>\SOFTWARE\CLASSES\.wab	14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 Value Name: CheckSetting	14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 Value Name: CheckSetting	14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 Value Name: CheckSetting	14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 Value Name: CheckSetting	14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 Value Name: CheckSetting	14
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.102	1

Mutexes	Occurrences
kkq-vx_mtx1	14
kkq-vx_mtx81	14
kkq-vx_mtx82	14
kkq-vx_mtx83	14
kkq-vx_mtx84	14
kkq-vx_mtx85	14
kkq-vx_mtx86	14
kkq-vx_mtx87	14
kkq-vx_mtx88	14
kkq-vx_mtx89	14
kkq-vx_mtx90	14
kkq-vx_mtx91	14
kkq-vx_mtx92	14
kkq-vx_mtx93	14
kkq-vx_mtx94	14
kkq-vx_mtx95	14
kkq-vx_mtx96	14
kkq-vx_mtx97	14
kkq-vx_mtx98	14
kkq-vx_mtx99	14
kkq-vx_mtx31	14
kkq-vx_mtx32	14
kkq-vx_mtx33	14
kkq-vx_mtx34	14
kkq-vx_mtx35	14

Files and or directories created	Occurrences
%System32%\notepad.exe	15
%ProgramFiles%\Outlook Express\msimn.exe	15
%ProgramFiles%\Outlook Express\wab.exe	15
%ProgramFiles%\Windows Media Player\wmplayer.exe	15
\SfcApi	15
%ComSpec%	15
%System32%\magnify.exe	15
%System32%\mobsync.exe	15
%System32%\narrator.exe	15
%System32%\osk.exe	15
%System32%\utilman.exe	15
%System32%\rcimlby.exe	15
%System32%\tourstart.exe	15
%ProgramFiles%\Outlook Express\msimn.ivr	15
%ProgramFiles%\Outlook Express\wab.ivr	15
%ProgramFiles%\Windows Media Player\wmplayer.ivr	15
%System32%\cmd.ivr	15
%System32%\magnify.ivr	15
%System32%\mobsync.ivr	15
%System32%\narrator.ivr	15
%System32%\notepad.ivr	15
%System32%\osk.ivr	15
%System32%\rcimlby.ivr	15
%System32%\tourstart.ivr	15
%System32%\utilman.ivr	15

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
Wsa	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Lokibot-7077039-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\Software\VB and VBA Program Settings\HcMI61124620925\x60E5372900416	25
<HKCU>\SOFTWARE\VB and VBA Program Settings	24
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\HcMI61124620925	24
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\HCMI61124620925\X60E5372900416 Value Name: bnVpl1584056334	24
<HKCU>\Software\Microsoft\Windows Script Host\Settings	5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Registry Key Name	4
<HKLM>\Software\Microsoft\RADAR\HeapLeakDetection\Settings\LeakDiagnosisAttempted	1
<HKLM>\http://chartinductries.com/nwata/fre.php	1
None	1
<HKLM>\http://lapphuongshoe.com/dino/five/fre.php	1
<HKLM>\http://suksez-ab.com/cola/five/fre.php	1
<HKLM>\http://tqe2009.com/bjoe/herold/fre.php	1
<HKLM>\http://www.runtaichem.info/rick/la/fre.php	1
<HKLM>\http://www.willhelmsen.com/orange/rok3/fre.php	1
<HKLM>\http://www.exwelloilfleld.com/fresh/julxxx/fre.php	1
<HKLM>\http://galeadz.info/jp/five/fre.php	1
<HKLM>\https://granjepages.com/wpincludes/star/png/jpeg/wpcontent/fre.php	1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\40413c204bb0867c9e93f83dc86d23cfcd420485519ffe9d27557585677d66d6.exe	1
<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\40413C204BB0867C9E93F83DC86D23CFCD420485519FFE9D27557585677D66D6.EXE Value Name: LastDetectionTime	1
<HKLM>\http://zooptiyoupoiunert.tk/fre.php	1
<HKLM>\http://hszna.com/class/five/fre.php	1
<HKLM>\http://lapphuongshoe.com/deal/five/fre.php	1
<HKLM>\http://www.ferosdwitama.pw/osi/la/fre.php	1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: cghjjfygjhkjhgfghjt	1
<HKLM>\http://versuvius.ru/java1/Panel/fre.php	1

Mutexes	Occurrences
3749282D282E1E80C56CAE5A	24

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
192[.]185[.]129[.]109	2
185[.]144[.]28[.]196	1
37[.]49[.]224[.]146	1
37[.]49[.]225[.]217	1
185[.]80[.]128[.]19	1
194[.]67[.]78[.]62	1
199[.]192[.]26[.]147	1
104[.]31[.]82[.]175	1
192[.]185[.]131[.]58	1
37[.]49[.]224[.]209	1
104[.]18[.]48[.]19	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
www[.]cloudflare[.]com	2
lapphuongshoe[.]com	2
chartinductries[.]com	2
www[.]ferosdwitama[.]pw	2
www[.]exwelloilfleld[.]com	1
www[.]willhelmsen[.]com	1
hszna[.]com	1
SUKSEZ-AB[.]COM	1
VERSUVIUS[.]RU	1
newmarken[.]tk	1
fundrises[.]com	1
pastipasterputgripe[.]tk	1
womarpool[.]com	1
TQE2009[.]COM	1
WWW[.]SCM-HK[.]COM	1
www[.]runtaichem[.]info	1
GALEADZ[.]INFO	1
GRANJEPAGES[.]COM	1
chikasixtus[.]ml	1
melia[.]cam	1
i9contabilidadeadm[.]com[.]br	1
zooptiyoupoiunert[.]tk	1

Files and or directories created	Occurrences
%APPDATA%\D282E1\1E80C5.lck	24
%APPDATA%\D282E1	24
%TEMP%\subfolder\filename.vbs	4
%TEMP%\subfolder	4
%TEMP%\subfolder\filename.exe	4
%TEMP%\cghjjfygjhkjhgfghjt	1
%TEMP%\cghjjfygjhkjhgfghjt\cghjjfygjhkjhgfghjt.exe	1
%TEMP%\cghjjfygjhkjhgfghjt\cghjjfygjhkjhgfghjt.vbs	1

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
Wsa

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Dropper.Gh0stRAT-7073937-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SYSTEM\CurrentControlSet\Services\System Remote Data	11
<HKLM>\SYSTEM\CurrentControlSet\Services\System Remote Data\Parameters	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: Description	11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST Value Name: System Remote Data	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: Group	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: InstallTime	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\System Remote Data	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: Type	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: Start	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: ErrorControl	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: ImagePath	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: DisplayName	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: WOW64	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: ObjectName	11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SYSTEM REMOTE DATA Value Name: FailureActions	11
<HKLM>\SYSTEM\CurrentControlSet\Services\SRDSL	3
<HKLM>\SYSTEM\CurrentControlSet\Services\SRDSL\Parameters	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: Description	3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST Value Name: SRDSL	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: Group	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: Type	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: Start	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: ErrorControl	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRDSL Value Name: ImagePath	3

Mutexes	Occurrences
pzss.f3322.org:10010:System Remote Data	4
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18	1
\BaseNamedObjects\254143.f3322.net:10010:Apple SPPER	1
\BaseNamedObjects\254143.f3322.net:10010:apple.com1	1
\BaseNamedObjects\www.foxdos.cc:10010:System Remote Data	1
\BaseNamedObjects\separa.f3322.org:8002:saufjj1	1
\BaseNamedObjects\192.168.0.100:8001:SRDSL	1
\BaseNamedObjects\53ca.meibu.net:1993:SRDSL	1
\BaseNamedObjects\1321.f3322.org:10010:System Rem2ote Data	1
\BaseNamedObjects\39.109.5.112:8998:SRDSL	1
\BaseNamedObjects\123.129.113.61:10010:System Remote Data	1
\BaseNamedObjects\pzss.f3322.org:10010:System. Remote. Data.	1
\BaseNamedObjects\feng12763.3322.org:888:Poweri	1
\BaseNamedObjects\pass.5sfox.com:10010:System Remote Data	1
\BaseNamedObjects\688300.com:9999:svchost	1
\BaseNamedObjects\219.235.4.247:10010:System Remote Data	1
254143.f3322.net:10010:System. Remote Data.	1
pzss.foxdos.cc:10010:System Remote Data	1
wfs2015.f3322.net:1083:SRDSLr	1
121.41.74.174:8001:System Remote Data	1
jwl520.xicp.net:8000:Mttack wocaonimei Service test	1
27.202.226.109:10010:System Remote Data	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
111[.]74[.]238[.]109	3
119[.]29[.]53[.]144	2
61[.]147[.]125[.]184	1
117[.]21[.]224[.]222	1
115[.]49[.]170[.]77	1
61[.]155[.]136[.]233	1
61[.]160[.]41[.]103	1
39[.]109[.]5[.]112	1
123[.]129[.]113[.]61	1
107[.]160[.]240[.]196	1
219[.]235[.]4[.]247	1
119[.]124[.]0[.]7	1
121[.]41[.]74[.]174	1
27[.]202[.]226[.]109	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
PZSS[.]F3322[.]ORG	6
254143[.]f3322[.]net	3
cncert-sinkhole[.]net	1
jwl520[.]xicp[.]net	1
www[.]foxdos[.]cc	1
separa[.]f3322[.]org	1
1321[.]f3322[.]org	1
feng12763[.]3322[.]org	1
53ca[.]meibu[.]net	1
PASS[.]5SFOX[.]COM	1
PZSS[.]FOXDOS[.]CC	1
wfs2015[.]f3322[.]net	1

Files and or directories created	Occurrences
%TEMP%\-<random, matching '[0-9]{9,10}'>.dll	19
%SystemRoot%\SysWOW64\System Remote Data.exe	11
%SystemRoot%\SysWOW64\-<random, matching '[0-9]{9,10}'>.dll	5
%SystemRoot%\SysWOW64\SRDSL.exe	3
%ProgramFiles%\Google\28484.dll	2
%SystemRoot%\SysWOW64\System. Remote. Data..exe	2
%SystemRoot%\SysWOW64\en-US\svchost.exe.mui	1
%ProgramFiles%\Google\32640.dll	1
%ProgramFiles%\Google\29703.dll	1
%ProgramFiles%\Google\661453.dll	1
%System32%\660125.dll	1
%ProgramFiles%\Google\638859.dll	1
%ProgramFiles%\Google\693828.dll	1
%ProgramFiles%\StormII\668515.dll	1
%System32%\33625.dll	1
%ProgramData%\DRM\32046.dll	1
%System32%\30421.dll	1
%ProgramData%\DRM\36265.dll	1
%ProgramFiles%\Google\32812.dll	1
%ProgramFiles%\Google\33718.dll	1
%ProgramFiles%\Google\28281.dll	1
%ProgramFiles%\33234.dll	1
%ProgramFiles%\Google\32250.dll	1
%ProgramFiles(x86)%\-1672280194.dll	1
%SystemRoot%\SysWOW64\System Rem2ote Data.exe	1

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
Wsa

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Dropper.TrickBot-7071016-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob	23

Mutexes	Occurrences
\BaseNamedObjects\Global\TrickBot	20

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
207[.]35[.]75[.]110	22
192[.]189[.]25[.]143	20
36[.]37[.]176[.]6	20
216[.]239[.]38[.]21	11
216[.]239[.]32[.]21	6
216[.]239[.]34[.]21	6
216[.]239[.]36[.]21	4
54[.]243[.]198[.]12	4
54[.]204[.]36[.]156	2
107[.]22[.]215[.]20	2
78[.]47[.]139[.]102	2
54[.]243[.]147[.]226	2
54[.]235[.]124[.]112	2
50[.]16[.]229[.]140	2
23[.]23[.]243[.]154	2
50[.]19[.]247[.]198	1
23[.]21[.]121[.]219	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
myexternalip[.]com	2

Files and or directories created	Occurrences
Modules	23
client_id	23
group_tag	23
%System32%\Tasks\Bot	23
%System32%\config\systemprofile\AppData\Roaming\client_id	23
%System32%\config\systemprofile\AppData\Roaming\group_tag	23
%APPDATA%\client_id	20
%APPDATA%\group_tag	20
%SystemRoot%\Tasks\Bot.job	20

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
Wsa

Screenshots of Detection

AMP

ThreatGrid

---

Win.Trojan.Tofsee-7067486-0

Indicators of Compromise

Registry Keys	Occurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas	25
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs	25
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI	25
<HKU>\.DEFAULT\Control Panel\Buses	25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3	25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0	25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1	25
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName	25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description	25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fymsrzfu	4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU Value Name: ImagePath	4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\athnmuap	3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\buionvbq	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BUIONVBQ Value Name: ImagePath	3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATHNMUAP Value Name: ImagePath	3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\nguazhnc	2

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
239[.]255[.]255[.]250	25
69[.]55[.]5[.]250	25
46[.]4[.]52[.]109	25
176[.]111[.]49[.]43	25
85[.]25[.]119[.]25	25
144[.]76[.]199[.]2	25
144[.]76[.]199[.]43	25
43[.]231[.]4[.]7	25
192[.]0[.]47[.]59	25
172[.]217[.]10[.]36	25
144[.]76[.]108[.]92	25
172[.]217[.]15[.]100	24
213[.]205[.]33[.]63	24
64[.]233[.]186[.]27	24
209[.]85[.]202[.]27	23
213[.]205[.]33[.]61	22
213[.]205[.]33[.]64	21
211[.]231[.]108[.]46	21
69[.]31[.]136[.]5	20
74[.]125[.]192[.]27	20
96[.]114[.]157[.]80	19
212[.]227[.]15[.]40	19
216[.]146[.]35[.]35	18
104[.]47[.]53[.]36	18
125[.]209[.]238[.]100	18

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa	25
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org	25
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org	25
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net	25
whois[.]iana[.]org	25
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net	25
whois[.]arin[.]net	25
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org	25
microsoft-com[.]mail[.]protection[.]outlook[.]com	25
honeypus[.]rusladies[.]cn	25
marina99[.]ruladies[.]cn	25
sexual-pattern3[.]com	25
coolsex-finders5[.]com	25
hotmail[.]com''stat=0x0brsnds=4resp='s10s78i3'	24
etb-1[.]mail[.]tiscali[.]it	23
eur[.]olc[.]protection[.]outlook[.]com	22
tiscalinet[.]it	22
tiscali[.]it	22
smtp[.]secureserver[.]net	21
mx-eu[.]mail[.]am0[.]yahoodns[.]net	21
ipinfo[.]io	20
mta5[.]am0[.]yahoodns[.]net	20
yahoo[.]com''stat=0x0brsnds=4resp='s10s78a7'	20
mx1[.]comcast[.]net	19
comcast[.]net	19

Files and or directories created	Occurrences
%SystemRoot%\SysWOW64\config\systemprofile:.repos	25
%SystemRoot%\SysWOW64\config\systemprofile	25
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>	25
%TEMP%\<random, matching '[a-z]{8}'>.exe	25
%HOMEPATH%	24
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)	24
%TEMP%\rqgcjfk.exe	1
%TEMP%\wvlhokp.exe	1
%TEMP%\utjfmin.exe	1

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
Wsa

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Malware.XtremeRAT-7070642-1

Indicators of Compromise

Registry Keys	Occurrences
<HKCU>\SOFTWARE\XtremeRAT	5
<HKCU>\SOFTWARE\XTREMERAT Value Name: Mutex	5
<HKLM>\Software\Wow6432Node\Microsoft\DownloadManager	3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKLM	3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: HKCU	3
<HKCU>\SOFTWARE\P@-zxRM2	2
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{W8E4P17Q-7F6G-I050-W34W-7RI0JXOG67T2}	2
<HKCU>\SOFTWARE\P@-ZXRM2 Value Name: ServerStarted	2
<HKCU>\SOFTWARE\P@-ZXRM2 Value Name: InstalledServer	2
<HKCU>\SOFTWARE\XTREMERAT Value Name: TDados	2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{W8E4P17Q-7F6G-I050-W34W-7RI0JXOG67T2} Value Name: StubPath	2
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob	1
<HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	1
<HKLM>\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows	1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\upnps.exe	1
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3}	1
<HKCU>\SOFTWARE\Microsoft\Active Setup\Installed Components\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3}	1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: Taskhost	1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Taskhost	1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Taskhost	1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3} Value Name: StubPath	1
<HKCU>\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1BBB9B0D-C1D4-6CDA-BC8D-D19CCBC6ACD3} Value Name: StubPath	1
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID Value Name: XEJJI3T7BL	1
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE Value Name: XEJJI3T7BL	1

Mutexes	Occurrences
Global\5fc48401-ace7-11e9-a007-00501e3ae7b5	6
UFR3	5
XTREMEUPDATE	4
Administrator1	2
Administrator4	2
Administrator5	2
--((Mutex))--	2
--((Mutex))--PERSIST	2
\BaseNamedObjects\--((Mutex))--EXIT	2
STUBXTREMEINJECTED	2
P@-zxRM2	2
P@-zxRM2PERSIST	2
P@-zxRM2EXIT	2
CWSPROT20S	1
Local\https://docs.microsoft.com/	1
\BaseNamedObjects\CWSPROT20S	1
XEJJI3T7BL	1
9e47MGT34YL	1
9e47MGT34YLPERSIST	1
CoFsQ3su@	1
yrRJ1	1
yrRJ1EXIT	1
yrRJ1PERSIST	1
\BaseNamedObjects\9e47MGT34YLEXIT	1
\BaseNamedObjects\_kuku_joker_v4.00	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
217[.]69[.]139[.]160	3
23[.]62[.]7[.]138	2
208[.]185[.]118[.]89	2
13[.]107[.]21[.]200	1
204[.]79[.]197[.]200	1
172[.]217[.]9[.]238	1
94[.]100[.]180[.]160	1
208[.]100[.]26[.]251	1
206[.]189[.]61[.]126	1
192[.]30[.]253[.]113	1
151[.]101[.]0[.]133	1
72[.]22[.]185[.]201	1
193[.]166[.]255[.]171	1
152[.]199[.]4[.]33	1
65[.]55[.]44[.]109	1
20[.]36[.]253[.]92	1
151[.]101[.]64[.]133	1
151[.]101[.]192[.]133	1
85[.]17[.]31[.]122	1
178[.]162[.]203[.]211	1
5[.]79[.]71[.]205	1
85[.]17[.]31[.]82	1
96[.]17[.]236[.]131	1
104[.]107[.]7[.]25	1
23[.]32[.]81[.]118	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
smtp[.]mail[.]ru	4
whatismyip[.]akamai[.]com	3
5noseqwa[.]no-ip[.]info	2
a1524[.]g[.]akamai[.]net	2
mariokart[.]no-ip[.]biz	2
chan4chan[.]no-ip[.]biz	2
schema[.]org	1
www[.]google-analytics[.]com	1
stats[.]g[.]doubleclick[.]net	1
github[.]com	1
e13678[.]dspb[.]akamaiedge[.]net	1
ajax[.]aspnetcdn[.]com	1
img-prod-cms-rt-microsoft-com[.]akamaized[.]net	1
avatars0[.]githubusercontent[.]com	1
avatars1[.]githubusercontent[.]com	1
az725175[.]vo[.]msecnd[.]net	1
aka[.]ms	1
avatars3[.]githubusercontent[.]com	1
developercommunity[.]visualstudio[.]com	1
static[.]docs[.]com	1
6noseqwa[.]no-ip[.]info	1
avatars2[.]githubusercontent[.]com	1
entony[.]no-ip[.]org	1
absoluthack[.]no-ip[.]org	1
MRPIKO[.]WBH[.]HU	1

Files and or directories created	Occurrences
%TEMP%\x.html	3
%SystemRoot%\SysWOW64\hackersi.dll	3
%System32%\hackersi.dll	3
%TEMP%\~PI<random, matching [A-F0-9]{2,4}>.tmp	3
%SystemRoot%\SysWOW64\InstallDir	2
%SystemRoot%\InstallDir\Server.exe	2
%TEMP%\ïðåñåðâû.jpg	2
%APPDATA%\Microsoft\Windows\P@-zxRM2.cfg	2
%SystemRoot%\SysWOW64\InstallDir\Svchos.exe	2
%APPDATA%\Microsoft\Windows\P@-zxRM2.dat	2
%TEMP%\ .jpg	2
%System32%\InstallDir\Svchos.exe	2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe	1
%APPDATA%\Microsoft\lorinsk	1
%APPDATA%\Microsoft\upnps.exe	1
%TEMP%\report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-ABCC.bin	1
%TEMP%\NO_PWDS_report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-ABCC.bin	1
%TEMP%\report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-FDGM.bin	1
%TEMP%\NO_PWDS_report_22-07-2019_20-15-23-4F87A9367435FE0BD80DBD46B859D933-FDGM.bin	1
%TEMP%\fcwxfBuH5r.ini	1
%TEMP%\7h2nNSO06Q.ini	1
%APPDATA%\Microsoft\Windows\CoFsQ3su@.cfg	1
%SystemRoot%\25440efbff3a567fe49111131c0266fab38.jpg	1
%SystemRoot%\25440efbff3a567fe49111131c0266fab38.jpg.exe	1
%APPDATA%\Microsoft\Windows\CoFsQ3su@.dat	1

File Hashes

Coverage

Product	Protection
Amp
Cloudlock	N/A
Cws
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
Wsa

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Excessively long PowerShell command detected - (1614)

A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Madshi injection detected - (1552)

Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.

Kovter injection detected - (1374)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Trickbot malware detected - (666)

Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

Process hollowing detected - (381)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Gamarue malware detected - (183)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Dealply adware detected - (130)

DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Installcore adware detected - (49)

Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

WinExec payload detected - (42)

An exploit payload intended to execute commands on an attacker controlled host using WinExec has been detected.

PowerShell file-less infection detected - (25)

A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.