Today, Talos is publishing a glimpse into the most prevalent threats we've observed between January 05 and January 12. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this round up are:
- Win.Adware.Coupons-6417934-0
Adware
The Coupons malware family, frequently seen as adware too, is known to injects vertical and horizontal advertisement banners into websites. The malware has the capability to install additional malicious binaries. - Win.Downloader.Downloadguide-6418258-0
Downloader
Downloadguide is commonly bundled with other software. It may install unwanted browser extensions that can negatively affect the users browsing experience or by injecting ads, or share private browsing information. - Win.Trojan.Agent-6418378-0
Credential Harvesting Trojan
This obfuscated .NET trojan self deletes and migrates around in memory. It collects system data including Outlook and Firefox stored information and a machine screenshot. - Win.Trojan.Bancteian
Trojan
This cluster contains samples belonging to the infamous Bancteian family. This trojan has many features and it is persistent. It modifies systems files and disables UAC as well as hidden files listing. Moreover it performs code injection and it should be able to download and execute files downloaded from remote servers. - Win.Trojan.Emotet-6418193-0
Trojan
This dropper is delivered through different mechanism, most of the time the victims is redirected to a website to get it through malicious pdf, http iframe injected. Once running on the computer the binary is gathering details on volume disk drive and other details, injecting process, dropping itself and contacting internet to execute more. Websites observed delivering ransomware and trojan banker. - Win.Trojan.Generic-6417450-0
Trojan
This cluster focuses on .Net Trojans that make use of process injection techniques to mask malicious actions. - Win.Trojan.Generic-6417989-3
Trojan
Win.Trojan.Generic-6417989-3 is a trojan that will contact a CnC server and try to steal information from the infected host. - Win.Trojan.Rincux-6417593-0
Trojan
Rincux is a Windows trojan distributed to act as a downloader or contribute to DDoS attacks. This variant relies on the Armadillo packer for added protection against analysis attempts. It will also fork off into several child processes based on binary drops to the Windows root directory. - Win.Trojan.SocStealer-6418271-1
Trojan
This malware is a trojan spy. It will extract information from the victim's PC and send them to the malicious actor behind the threat. - Win.Trojan.Zusy-6417556-0
Banking Trojan
This trojan uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user access a banking website, it displays a form to trick the user into revealing personal information.
Threats
Win.Adware.Coupons-6417934-0
Indicators of Compromise
Registry Keys
- N/A Mutexes
- N/A IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- N/A File Hashes
- c3b5af2487af32916f57f8d42431bc06b88df20e72b38221b5f5f6464b82f01d
- db8d472d6437ef578ea0af7222af606288b247e847ff6ea08f830f9a3c919698
- 1b776ccc9d8ce5f83cf8d99e40c3b60f208bb3eb09a723fb844d4377b8af0e4a
- a6da7c7869f82a146a27bf06b2076d9e3929a6c20e413c7a9734641058b89e40
- edfc4ae651f3b9c858902791db52608036bdfcd2c23dbb4417c33b0852265f1a
- 83e58852442ed18b48c40e5c2f49fca174ae4007df7b6738ecd66663c9ccd88c
- 7100cb4b1cb6fa8e6a1897a9e3675ad0bae2ee82b63264ade40ce00bd7056606
- 2e9fa9b027d355a1fc50ca77bd7b7850a3a1d56122de5894bda5dc1579708fad
- eaa3e4886140186455fd515ecbe44e98c37f19e5353a3f2362cdc94b4e3178c4
- d7cc319288f079faa2f078d68ad3058890893e0952aae677652dbadc8ef7ada3
- d60409eb6b57d6f3b863da3a5ea8e0cb3dcec11f51324f6f110259dcbabb2b54
- 7086cae185896225b4924cc5e46e8e6edf2abfc78de1f4f695541b124d7bd795
- 19e971270674fd66f23747bec75bceac78431ea120a0338aa71182d36c3c4fa0
- c6444613969c7ad0b4fea1bfec260200ab8378a496bd77f2f04ea87dfec110ab
- 6c370706286c012d9e9f7f17ef6bd27f17a5d6f54232e94efcf507e45148abf3
- 0311c1383a2112b46ad9821c49a6aa5424776a37f207db4fd88f689ae061715a
- 97d422a62763ac81fa5007768c98b45adbf8107bcfe46cfde873fdf7395f3947
- 0347385888c90f292574903ebb72cd3d1e6b900796100cd130ff46d27de5cf09
- 328c1c54df14ccd6ca36d14ad981b9139807020979bd371eaf916c28027776c4
- 62ec31504f1dcb2a64891dcd2f5926bf6ad147b4c36358951f0b67fd0b77e689
- 85e3d4996b42c5d0c558195e5699ec62e24a94d4f4b5431cd440c9a4c2e4180b
- 48c15084f2a9f83831b9dc2811156e81ad18890b0d059c2ca7c3cc40eb243deb
- 61e8eff89c7b7c26454deb86170d3c6a38be3dd077f59d0f827fbddc6d60404a
- 8966c6c67b61def5d4e72129507f5ba9a16a27593357ddcec5e51b1cafe92207
- 40d2277549bb5b079c154dae83dd462d89f1036947a211112fba988e0f51e046
Coverage
Screenshots of Detection AMP
ThreatGrid
Win.Downloader.Downloadguide-6418258-0
Indicators of Compromise
Registry Keys
- <HKCU>\Software\Microsoft\Internet Explorer\Main\WindowsSearch Mutexes
- DlgCpp IP Addresses
- 23[.]102[.]60[.]206
- 104[.]40[.]156[.]71 Domain Names
- dlg-messages[.]buzzrin[.]de
- dlg-configs[.]buzzrin[.]de Files and or directories created
- %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DLG\ui\offers\fd286b8d7f971e3468eba12c41b59383\uifile.zip.part
- \TEMP\download-downloadspeedtest.exe
- %TEMP%\DLG4547.tmp File Hashes
- f0d58b5f95df0334943a6ddfe69002d76d014402050001bd0e49dcda87e235a4
- 23b495217cfeffa3c5ec8a842e109c281e3e56ceda74c3aefa772ed35028269c
- cd2cf4cf6f86568ae34da56e46245a2569b06cc8098055292576e1516d682239
- e1a193f844881ac3215a237323e3cfef179e907cd175bf5f644e4991b849bee4
- cc9581cbcd550ffc661f505b39fa0dee831014101fec1bdd0773647754337e60
- 4f5ccef0a56e46ed4c4cee2d255e3805c45924bba2e915fc076fe9009b84ea59
- 948e8e7cdcdc56ac33c9d3609f43b601aa01b56651f6bbc120fb2aabc50fae0a
- 220f1b3998fdf561501bfd979dd123f4c5881bd30ae040d215fd108c2f191b99
- 5a50f0badf17522ee97f07add6533362b0c203b894d3d8aee9415c6889cbdf8a
- 31297810592b4b0363d5b5789bad3b5da3dfd3c633ad8b9e5d1e8c7f9acb7ef2
- ea95d29ba35dd2d85d1a51e6bd3512e426962f2ce44d8f1e666d5a48f341ae59
- 4dfcf69e32b2e896a50fa784e8a4868384254ab5f53da7e7c1ab1d5db0081f01
- c8729c7f479bcadeb3677aba3308154a45c731c74278943e1d22a439f8fa8aff
- 1049e9f4052a0b7c9ddc141f0b6ae6a65588d948e9303458d377c0169bcb2654
- db4b0afd6e8fffe1de96f59f6e54c98b47b207f9e3606347bfea74ac1125fc0f
- bdf2bb0d4008cac0d2aceb8c3653342aaa5c7543209819f55708d0a2c66d8cc0
- 36d797122a02e757a4f18bfcdbd95fc2648fc6f1a99472722b8cab48d300c969
- f0b71d1a0e281dd5927fb2c5a82cf90938feffe7587dece0a3e7885c8a2a681a
- 4128737ed9fd6ec454b6284b3fdb9d9152606b7e1f12d83138fba669425574b9
- b1971317dd3567c839e6aa0a0082b18af101c9cbd7aa52177a55e2c00154a542
Coverage
Screenshots of Detection AMP
Win.Trojan.Agent-6418378-0
Indicators of Compromise
Registry Keys
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _ObjectLru_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _FileId_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _ObjectId_
- <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value: PnpInstanceID
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
- Value: L4XTIT8X0X1
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- Value: LanguageList
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
- Value: CurrentLru
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _UsnJournalId_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- Value: 10000000090A2
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000090A2
- Value: AB5
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _Usn_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: AeFileID
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- Value: ObjectId
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- Value: ObjectLru
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE
- Value: _CurrentObjectId_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: AeProgramID
- <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
- <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4c8f4917d8ab2943a2b2d4227b0585bf
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ecd15244c3e90a4fbd0588a41ab27c55
- <HKCU>\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9e71065376ee7f459f30ea2534981b83
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
- <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\33fd244257221b4aa4a1d9e6cacf8474
- <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\20.0.1 (en-US)\Main
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a88f7dcf2e30234e8288283d75a65efb
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000090A2
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\Indexes
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
- <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer
- <HKCU>\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\82fa2a40d311b5469a626349c16ce09b
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
- <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5309edc19dc6c14cbad5ba06bdbdabd9
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\df18513432d1694f96e6423201804111
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d33fc3b19a738142b2fc0c56bd56ad8c
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
- <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} Mutexes
- 8-3503835SZBFHHZ
- <3 character prefix>RTU088V35CE4z IP Addresses
- 208[.]91[.]197[.]39
- 198[.]251[.]84[.]92
- 198[.]251[.]81[.]30
- 173[.]44[.]37[.]208
- 45[.]58[.]190[.]82
- 103[.]47[.]81[.]80
- 104[.]149[.]163[.]27
- 46[.]23[.]69[.]44
- 64[.]32[.]22[.]101
- 70[.]39[.]125[.]243
- 188[.]164[.]131[.]200
- 104[.]27[.]176[.]2
- 209[.]141[.]38[.]71
- 104[.]27[.]177[.]2
- 192[.]161[.]187[.]200
- 68[.]65[.]121[.]51
- 104[.]221[.]251[.]226
- 198[.]52[.]124[.]90
- 192[.]0[.]78[.]24
- 192[.]0[.]78[.]25
- 107[.]161[.]23[.]204
- 66[.]96[.]147[.]117
- 204[.]188[.]203[.]154
- 95[.]183[.]53[.]20 Domain Names
- www[.]atopgixn[.]info
- www[.]szsyxsy[.]com
- www[.]9u82eum[.]info
- www[.]doors[.]property
- www[.]pilates-sunbury[.]com
- www[.]jmtravelconsultants[.]com
- www[.]dangkytaikhoan[.]net
- www[.]whoever[.]group
- WWW[.]YHCF88[.]COM
- www[.]dontdodebt[.]com
- www[.]jieleshxijie[.]com
- p2017090801-dns01[.]junyudns[.]com
- www[.]flevocoachingenbemiddeling[.]com
- www[.]armortechnologylimited[.]com
- www[.]yhcf88[.]com
- www[.]020jiezhuang[.]com Files and or directories created
- %AppData%\<3 character prefix><5 characters>\<3 character prefix>logim.jpeg
- %AppData%\<3 character prefix><5 characters>\<3 character prefix>logrv.ini
- %AppData%\<3 character prefix><5 characters>\<3 character prefix>log.ini
- %AppData%\<3 character prefix><5 characters>\<3 character prefix>logri.ini
- %AppData%\<3 character prefix><5 characters>\<3 character prefix>logrc.ini File Hashes
- e9c1fa94dd30f4ef9ca613f62acb3fcf2fb61c4c3fac0b866ae484cd5dc578d7
- 55ebfbbffe1cb77efa39b0c7b5348b0aef03a251349c88cb8bcf4358bbe73558
- 5b6e111a37e7c0fdaefd543ea45ff37f162bfeda2b58ce60783091ad6129f11a
- 3ad3991209de094faf8bbfac835ec38ac57318fa78c3ef11eee5d4acd0118460
- ea9eb1d7b61d711807c4609bf55f62af5bd6049585e086b75385963868ca31d6
- 38318b262a6d85673fdf8fdcf4ddd5666f438f18dbeed8569a4d769f42ae05c2
- 59571268f235c8094036ab44f5f5c2be3819fd72888cbbfda2150e336549b2a8
Coverage
Screenshots of Detection AMP
ThreatGrid
Umbrella
Win.Trojan.Bancteian
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
- Value: PromptOnSecureDesktop
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
- Value: Shell
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- Value: LanguageList
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
- Value: Userinit
- <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
- Value: GlobalAssocChangedCounter
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: Microsoft Windows
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
- Value: ConsentPromptBehaviorAdmin
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: WinDefend
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
- Value: ShowSuperHidden
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
- Value: EnableLUA
- <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: Host Process for Windows Services
- <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- <HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer
- <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mutexes
- Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- %AppData%\RCX3.tmp
- %WinDir%\wininit.exe
- %WinDir%\wininit.exe (copy)
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\svchost.exe
- %AppData%\spoolsv.exe (copy)
- %TEMP%\icsys.ico
- \TEMP\03479bf7ca41f9cb7a1243103b8cc49b4963489b4fce9d80237d93ce1439fcc2.exe
- \Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.chk
- %WinDir%\RCX1.tmp
- %SystemDrive%\documents and settings\administrator\local settings\application data\svchost.exe (copy)
- %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\icsys.ico
- \Users\Administrator\AppData\Local\svchost.exe
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\RCX2.tmp
- \Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100010.log
- %AppData%\spoolsv.exe File Hashes
- 03479bf7ca41f9cb7a1243103b8cc49b4963489b4fce9d80237d93ce1439fcc2
- 086928aa133cd03aa950e0172ea060f51794f74dceb0974fe335d68d8762cc31
- 1fc56d9b169a79fa34565f7dc1ffe85501da06abfead4beb4add8f0d77dfa61a
- 2893f28740ab0a01fdc40dcdee227649b8d930af288e5a43fd989195441b6029
- 29c488b4cdbf1023b9aebe15c5e3b56280e3424ee02d9f38d82ac47221688853
- 4b32a37e27c5d21cda8349829484736ad79c5f5559d81e709a9fabb064793eff
- 53907dc338e0d219b3b0a38ff28958b1a2c862a4ef0b8bf2ebaad9ba9c032399
- 6b11929c8b220ab7557d999c74aa27773bf6ecf975a5b4309fc39fff95b76ed9
- a585c8eb9366029b147b5e027b136420aa214183d3ff200e6899324faa02bbe8
- ac0cf677808ee093e27a20511b8346e127931310d65af1b61c65dfcfb5f543e6
Coverage
Screenshots of Detection AMP
ThreatGrid
Win.Trojan.Emotet-6418193-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: SavedLegacySettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: AutoDetect
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyServer
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- Value: LanguageList
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: UNCAsIntranet
- <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
- Value: AddToFavoritesInitialSelection
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: DefaultConnectionSettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoConfigURL
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyEnable
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
- Value: AddToFeedsInitialSelection
- <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value: PnpInstanceID
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyOverride Mutexes
- Global\AmInst__Runing_1
- Local\ZonesCacheCounterMutex
- Local\MSCTF.Asm.MutexDefault1
- \BaseNamedObjects\Global\AmInst__Runing_1
- Local\ZonesLockedCacheCounterMutex IP Addresses
- 198[.]54[.]117[.]212 Domain Names
- www[.]selfdislikedfarfet[.]site
- www[.]quaintspokenracketiest[.]site
- www[.]millesimalnonremuneration[.]site
- www[.]secularistsarakolet[.]site Files and or directories created
- \TEMP\0533852f18624569fbef4cf6677063a92fbd695b3ea36e003da95999d6c8d9cb.exe File Hashes
- 0533852f18624569fbef4cf6677063a92fbd695b3ea36e003da95999d6c8d9cb
- 0a3c71a1b1e82e87de944e0c2672f97db0e78a076124b00692233414a8054cb8
- 0b49337bc87bdcef167fa6b7313c23a836e9a5a45f827ba0eca7262901b9770c
- 2299fb45a9a7f48d618c33d665bb0c88ea5545c86ba4ea05fbdb73dc38de96a5
- 24bd0b9517591458af75b8f1ad1b59e57fc6fe9eeaa41086d31c55a4c259e12d
- 27ef5e8a51c44b6351ea13af6454ce7c34d506c604d9eb6366c7b98ce70a37b4
- 293580f6560d8d9b4d3a413dedd347f2cad79bf7e9f22519d9b60cfdb0f52fc6
- 2d2582eba24d58be4ca332a30daf4fd42d95e25986446b464f465c8dbcc08572
- 30f73c131ca8864f57d5c3501ad7e75be30eb8bafb79f9ce0c9becca4813c7fc
- 33dc66ca6d18acaff3ee13baa7a2f925f5b0bd4dc8ea9436e4e5aecc57775fe0
- 3726d3185b6aa67c425b7e1866ac424284737df53df1c83e9a040428837c4a8c
- 37d65942c6ae66de3fbcbbbab3e184f4c566cbb4cc0c6bc3060dab27df15da5d
- 563a41f03cd9f6e1917b486ec1de9ef941f7449f3bf2635f7fa6186455db01c5
- 69137a62cfc2e60c5d2915d919fe987fa94c1510bdd180bc3079330f1897bb64
- 725f01277f2b4f35a17ea0d3e61a910b8c118ec5f70405fa359a1a0ee0e4e525
- 72c6f63cd23d2de81ca96f7246efc9e11a1c8ae9e8f41755aea03ef067ae484b
- 831cc8a05f15820256cc41705cd3fe96f38bf3dbb61372b48d229b81922b15dd
- 90d6515b29f9f59d551f8f170b731f9831ab63a2a8f6d70358cee6d5df519efa
- 9ddb4d20633a371d2ab3858f4c74ce2c2d55804c40aedde9b46afcc98db8f709
- a5716b4266066ed231e6c207cf2850627c3c8fa84d2e96e8ebf65f8f918538d6
- b9121f992ba17130ce6429aba0c47138b059b0c8aec2cb36ab446361c95eb238
- bc2451362e8658b64bdf2421c4c73e9c35cfbdcf370944e9482fa496b6a91d5a
- e9757f25588b668b1708788639ba3dcc0c5a0010f425d19ca667e5d70e0e5939
- ee2b22547da7ebcef73af0dcd8dccb1b25bb2a13f09b2b563015b34c24562ebc
- f13483a7ec5d329e5da2901fa9f3fcea6eff6e4cb1724200df114d214a8cd0bf
Coverage
Screenshots of Detection AMP
ThreatGrid
Umbrella
Win.Trojan.Generic-6417450-0
Indicators of Compromise
Registry Keys
- N/A Mutexes
- N/A IP Addresses
- 104[.]27[.]162[.]68 Domain Names
- c[.]lewd[.]se Files and or directories created
- N/A File Hashes
- 26164675ee05afb06a76f8d9a8b27b11562b3576aee5bffcc4d83e9e7c3a7a16
- cd60a72e6afe723faf2a470d4c664f91c15691f149cb03db96e9e0e6806e3897
- 4a07fa4e68366bebf3873736b28354500000814d63154538e66f65e6aa70a853
- a148d91ebbc97e53b4febc23960ee0d1f3170bb4625c94deeb0ad32e7ac28ee3
- a86662848047586347e4fe38341e67c43eef8c83738e22376a7bd992d11f26b6
- a555f788fabda605dd622c7a3320ae31840fb302b82a7d05a981e37cee0d11b2
- 243359e04224afa42981cfb9a24c269ddb8adc0c1d49839aa7ad8a929c22e3c7
- 007be09ba9b3ad3beb5e6ba63a1cec3ea9985b6bb261c7152de3f8e9f558ce2d
- 7bf374cf242a630ca540616e870b575fb63e674c90d24626c656c148b2156ee6
- 3ef315249309fd118662b78bb1923afd71d7f7876fbed516d573ccf6e70182c1
- 0d8031a8b9e1f5aa16fc7c82115565d1d468a8f4f3a828339eceb901f76b5577
- 9a5cde6f48c1fb2b1fcdce11e8b9e72a0f23910c05b6420c78e3c027033e09c0
- 59b04b8760f88213171dd6b45b5d4d85dc7b9b5f86a976a3eff2e9c27f135929
- ce533f8f084a79294aa1254db01fd630dab95ccff22124d9fb4c51fe16a2948a
- fe04dde6a78fdb8029ead6f87d072ec7b2b9f530e6d4913e296903b34ea64176
- 49fbf92ef158694f0ed792403f7a066d88831ba71e5f4018f707010f2627210d
- 698b7960c7aa2703b7468a6867adfc13a68c31390ae47132de34efb2dab7ae39
- 4dd1f3fd4c4548bd757bf4f88d8d0a3d6e4359a5c41f8b4dbf0a44028a2d73ae
- 56a0ecc8d86810358cdacd8ea41f6dfce683c5121226d906a418b5a15060b9f9
- 58c6f5ef2df1e08a36a51ed36a3ae15ee2ab05b3046ccca1a09526640316e079
- d1e6d2ba273fed39c272d2d944dd244bd6566f38b5dad94637af147c44355e80
- c4b6809128e9a17a0b5032ea34b373095940f488544bd0350293a175e0079b2b
- fb39b3f2ade2fa2754493d3d1208facf01c2ece961aa7c6e1e1f10607c9d4962
- 018fad91a80cd1ff5328bf6ee3fe613b563eea547d23d22cd708d76cedbc578b
- e1673a3ed97150082c0e89712386c71f6feb8fd1d7428fe633cfae0d1ca9baba
Coverage
Screenshots of DetectionAMP
ThreatGrid
Umbrella
Win.Trojan.Generic-6417989-3
Indicators of Compromise
Registry Keys
- <HKU>\Software\Microsoft\Windows\CurrentVersion\Run Mutexes
- DBWinMutex IP Addresses
- 216[.]218[.]185[.]162 Domain Names
- cbunahtesting[.]com Files and or directories created
- %AppData%\5145C9BD\bin.exe File Hashes
- 05beeee9353e581e5e0fad00ef8b88f90f911a45411dd52b620fc2cc73ba1e85
- 7ca99c0c24283ff2b6f8e0f81ba7edcb17948e4fee7bc8c3cc22d5026c455f4a
- c247197bf71c4fadbc4e267888f6c416f4775c07a1fc8aa8d0d1144b5ba1db36
- 100c808616f05668a9c73101e9dce21702e8bf241f82374eb5aa5f0646cca3e4
- 744a6e99676a89e8cfd2b0ff2c540f2500f1afc5dc541e3611b0dc04973244ef
- d8781d7dd2e9cc4b029a9147cf5691c8622b15b1bdbd438f8cd1443e9c268a31
- 7f7b2e315d47d3b8874517443888e229aa738f211e3ebcaa67d6859539e439bb
- 3ab29f60bf807759931c817cb40a42140296364fa8a5e0b032e8a6851accce5c
- 4bbf688503c81af93e8c598242c0a087b57aaa4c95fedb3193e4a021e535fde0
- 2e965a7d0769b37a6e4af06db67592b3b0778b6929936bf8b4af8ef370af7eca
Coverage
Screenshots of Detection AMP
ThreatGrid
Umbrella
Win.Trojan.Rincux-6417593-0
Indicators of Compromise
Registry Keys
- N/A Mutexes
- N/A IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- %WinDir%\{BCE28CAE-5ABE-4a95-871F-99EC11C0AA0A}.exe
- %WinDir%\{21581114-3E37-4566-BDFF-D20147EC1489}.exe
- %WinDir%\{CB20A050-980B-4166-80A0-C40DD09170BD}.exe
- %WinDir%\{A2201725-11C8-4a99-97BF-FF6A9C385D0B}.exe File Hashes
- e1447fc8b4e8dbf342f8d89c291979bcf1102244f432e25c704d2d504458276a
- 5cf36cb510ce50c61e02f273439987e413f8de1d71a85788e9fcc0639bab0947
- 4e6d866520ad1ac811b2ccfe95376194d39c5b4fbd110f0d8135d2af69aeb3ce
- c863e0b35242e38e72d82cb5e1aae245816405583e800dedbb3705e42ca66290
- eaa28566211fb0784bfdb173b4685dfb57d644a82559c5e6402f024e04cb1f86
- 7e21525165a5c2314e80458cee08d1bfcbbbf27ebb4b4dfb838f0a957b2053fb
- c688f5d47654368b1497692d2a50ba1b1e57624452f7f359f85db65ce1fbd2ca
- f97592b069b8bc6a26af88d312e3af83da88d483ad76aeb5a6a782a5e5dc8a54
- f480682591f7bb7a5c66f32c0ae20bf47c6f8fb4dfefac1e27e0ab7fe1d9fe69
- 69fb4279770e54269e5e60f47e8d015f01e79da5e4ea80a9e896ceb2176505dd
- f48445efb3d70f7578ff1cb60508d3dc57e5a5240ab3196694a25e5a99355cdf
- c99f8764e6e4c11773b2d229a3dc335aca8783630c5a4620c5671d6b8cde3dfd
- f463eeeccc175d90def65b4e65e504fe50c9fb413aa9f8178d8fa777062216e0
- c4d2b74d66362f926e99ab1a89f46e311d789e28eafabffb9668278422403c01
- f816a1a589c791c36a2724551a5cd76590415dc449f27b1dff724af73f216382
- 45198fe505ee4983fd007576cefeb56502f04d1787fde7d446d2263334fad33a
- 4dc57fce4bfd27dc132183e62d5f52aff7dfebca2e5787075eaa6193ad5a4215
- 28c348a5c96ca0464bc972e574b31cf4ee57a4955e99d8966b6bdee8b16652ac
- eef8802720faea54224cdd4147c7b19db4af84a4dac310322ade1d374436436c
- 90559e71cf6d6a27a9ff490a31d2b10c914708f2288fee837e2b7fabdbeb350d
- a244aea82e33f99002238bf84ed4e17bbcf45857393056c96f1294bda1b5fdcc
- 99b1a18b219ff4f709586e736b9dc93d8fa0f31e0ab8ac97db2553411fab5329
- 598cb724819f5dd1ddb7921c9f1ebc3a5b37380f3ab812dd22d89c085c489b8c
- 85cbd0c99f4e8293c2a0edfc759baade5a536e983c24cd5e0a9cb869725e4cf3
- 26a8d667aee3819c597636a1643413f3146262343ef6442cbdef681f0f6c75e1
Coverage
Screenshots of Detection AMP
ThreatGrid
Screenshot
Win.Trojan.SocStealer-6418271-1
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE\PARAMETERS
- Value: ServiceDll
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: UNCAsIntranet
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyEnable
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyServer
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: DisplayName
- <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- Value: PnpInstanceID
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: SavedLegacySettings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: Start
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- Value: CachePrefix
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: ObjectName
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyServer
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: SavedLegacySettings
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: Description
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: WOW64
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: IntranetName
- <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
- Value: HNServiceGroup
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoDetect
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _ObjectId_
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: Type
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: DefaultConnectionSettings
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: ErrorControl
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- Value: CachePrefix
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoConfigURL
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyEnable
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoDetect
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: _FileId_
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- Value: AeProgramID
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyOverride
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNSERVICE
- Value: ImagePath
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- Value: ProxyBypass
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- Value: CachePrefix
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- Value: LanguageList
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- Value: 10000000095A9
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- Value: DefaultConnectionSettings
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: ProxyOverride
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- Value: AutoConfigURL
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- Value: ObjectId
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLs
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
- <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLs
- <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
- <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CRLs
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\SmartCardRoot
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
- <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed
- <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
- <HKLM>\SYSTEM\CurrentControlSet\Services\HNService\Parameters
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CTLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
- <HKLM>\SYSTEM\CurrentControlSet\Services\HNService
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
- <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
- <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CRLs
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\My
- <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
- <HKLM>\Software\Microsoft\RAS AutoDial
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
- <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CRLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
- <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
- <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CTLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
- <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\Certificates
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
- <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost
- <HKLM>\SYSTEM\CONTROLSET001\SERVICES\HNService
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CRLs
- <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\CA
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CRLs
- <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
- <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CTLs
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\Certificates
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
- <HKLM>\Software\Wow6432Node\Microsoft\DownloadManager
- <A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
- <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
- <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
- <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
- <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
- <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
- <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\Certificates
- <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
- <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs Mutexes
- Installer20171023 IP Addresses
- 104[.]238[.]156[.]230
- 45[.]76[.]142[.]144
- 52[.]85[.]146[.]50
- 157[.]240[.]18[.]35
- 45[.]76[.]241[.]231 Domain Names
- api[.]new-api[.]com
- m[.]facebook[.]com
- d3vzyycpfbk7qm[.]cloudfront[.]net
- api[.]kkkkkdajlhlkjhsdewgtuv[.]com
- down[.]kaidandll[.]com
- rep[.]pe-wok[.]biz Files and or directories created
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\report[1].txt
- %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\new_cookies.sqlite
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\dll_x86[1].bin
- \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dll_service[1].bin
- \net\NtControlPipe10
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\report[1].txt
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\dll_service[1].bin
- \winlogonrpc
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\winhttp.dll
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\AdService\AdService.dll
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\ip[1]
- %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\track_dre[1].php
- \Users\Administrator\AppData\Local\AdService\AdService.dll File Hashes
- 73ed012536499f859ac55c2fb0017e65255f2462f13b663ed1d85e552c13740b
- b6b43b0e6488b384a3ad695ceb1d6b576910ce721079346cfd1d12dd9eea5108
- 043d07796535fa5f9ee2bd33139d442c824b5e251471f8d4b54c8f15bc2d0165
- 4d094bb5a93660f8e897ce8f191089cd9f76af8b6dd806fc2681acf2a3d70f38
- 0bb012ff4961c880d3df768e1374ae4bafeabf453dd3d7ae2d4065bc58f52bcf
- d083fbd8b7f1ad561aaaceabfcc601616ed3fdbf076ff845bef53fd178ca6a34
- 3389df5d81737fec0e3eeb43c94e2210a14b4227b88c94d7fcff32474d38a19f
- 34e4890aaf63d57d686cbb8c9722f5bdef9a41fb127b56d895c5bd87b7ce92ba
- ebba38b2a422277646ea55484f41cd919d0bd2d619e8d45bfd9585aac8986369
- 51243602a1bb3c7784373c17b430ff2491d1679ae6e169175c45907f0313b76b
- 078baebe5ee2cadda00cd0142280a7bd1034494e79819f16d22a4fe961b3dc84
- e134c3dd3e4e39e6c6a373416f5969ec56dfb90c53b6ba847dcfc4f7626de995
- b5d5a2cc7f8a796009674981f60c76fb99eb6cceb6a19f276e13c0ce9b22ef4c
- 45b6a109d001e4dc2e66d4570c19384d7aa44332e906feef739649b9ebc77bb0
- 89e5effdd6426658db77526775b5ddb6f51487dbd80f7f55e79c2fce32a8abea
- 026764bc699841080691463758db461d64138343a310b918bac027cf67ffaf34
- aecf6184c2b620a198f0415a16d6ae824f09df25bbc310b24edfbf5ee0b7c3a5
- 04fafb357ccdd1f9aac6db2c62ae274f58f6fb5b569b10f15e3b3a94fc1ae899
- 115767f49767127544b6365e2551f5b3977af593b222619d8ebe1603b550a4e1
- b5da35a9a483d86c19d4d450006698d2bd6c41b9eaa9783d563e1522c6ef11a4
Coverage
Screenshots of DetectionAMP
ThreatGrid
Umbrella
Win.Trojan.Zusy-6417556-0
Indicators of Compromise
Registry Keys
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: DFF7E57F
- <HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- Value: internat.exe Mutexes
- N/A IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- %AppData%\Roaming\DFF7E57F\bin.exe
- %WinDir%\setupact.log File Hashes
- 02d99600a3bc049905479aaf281baa9611e3116ac1055cf90f5af317f2abee7d
- 0546853f1fa7e7715f1f80e8d544f19055b9c118672d8fe07843b3bcc9b5a212
- 0571a872f9ae83ad0c1a618cd702e4804bef66dc75771d12d0d343086b692edb
- 05d0bd7260555bed0b868b76e03bfc2e7b667fb50f6b2926a57e06eca75bd948
- 0820695810d62160ede23b19ae1a9a28955136b79122c6fea4e316508241ee8a
- 08764af08c10eadace45a49d3a9d77ddcd815a9bb5f6a00b25d09f161b9ce799
- 08e5be88de6cd4a641747552eee45a7f4a77e30afc514447c2e3b95ebf2f348e
- 0a089121a2c7e5fcfb86a1ed4ed7f60e0e7d0a795294d0de3c96869ec94f0d46
- 0b025f4e1d6521bc0ab29c4ea6ac2e32dc26585dbb367389e550229c0db783a8
- 0c19771b538e6bcc23afc97d52763f0cdc95aeb5329acb03697f235dbc93611b
- 0c7e05eccf846610557f9a5ca087ff4842cb7973850e6f6da4fa28e5973a365a
- 0d9a1563b9f7aa42224cc8148741e54f040fbf566fdab0f7c121a8b015e24ee3
- 0eba1ccd4bd977ad336204abf2dd6757828ff13d7bc3ebaca3ed9a9eab275951
- 0efdd84b7916529809d3facfe81897f2f03b239cef6899ae501386acbc8a8e04
- 0f04e601a9cf2a9f6cb422a257c3616f0a8b9884de52dd3f6a0ac944ded2a435
- 0f0560851aa49ff627a08246af165ba0af6b1be58058b8f9c675bd758f606b68
- 12f52ad98e75c8d57a457b6b4e02767da04ce051ef7abc59ac975c45358d2cc6
- 17006395b5609f935fea89d8186649ba59a1b1ae2ff19437c85420d5ca5315c5
- 197fa42138b01d074fdac0c5eee8a3aa67baaa26fe243a293e5e7eb57f37d384
- 1b609587a5a8896a37087737e481d79d4a097e3a1a75d46c5f0bf408c8561280
- 1c74cbf79258ca7906b431f4f6efeefc085d66b5032bcad4ec7a9b3960ae9b8f
- 1e470e2602e1bcc9c2470c4a375008b3493c181a3e659df5bdf22fc62382d851
- 1e5b4e6b02aea1d466b2851583a2c7102083a9c0288f580e9fd8606136003a17
- 1ebddb51a2cbce90cdaab17cad42dd3178109bdeaaf342bcb02d82e48992c8f8
- 2391a31b7dc07f209a6039044a1d0f11bfcb3b628716b6f842e959f7e90042e8
Coverage
Screenshots of Detection AMP
ThreatGrid