Friday, February 23, 2018

Threat Round Up for Feb 16 - 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between February 16 and February 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats are subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Win.Packer.Givelet-6454616-0
    Packer
    Givelet is a packer that compresses and obfuscates a malware payload. It has been used to pack ransomware such as GandCrab.
     
  • Win.Packer.WizzPack-6454612-0
    Packer
    This .NET packer has been seen used by Wizzcaster adware, which installs unwanted applications.
     
  • Win.Trojan.Generic-6454586-1
    Dropper
    These samples drop additional malicious files on the infected system, including cryptominers. They also use registry Run keys and the Startup folder for persistence, and perform host environment checks to evade sandboxes.
     
  • Win.Trojan.Generic-6454615-0
    Worm
    Win.Trojan.Generic-6454615-0 is a trojan that contacts a command-and-control (CnC) server and attempts to steal information from the infected host.
     
  • Win.Trojan.GenInjector-6443827-0
    Trojan
    This family is highly polymorphic and malicious. It injects into another process's address space using process hollowing, gains persistence through the Windows registry, and complicates analysis with several anti-debugging tricks. This particular cluster contacts SMTP servers and sends spam messages.
     
  • Win.Trojan.Regrun-6454954-0
    Trojan
    Win.Trojan.Regrun-6454954-0 is a trojan that installs itself to ensure persistence and modifies several settings on the victim machine to conceal itself (file-extension and hidden-file display settings), hook certain actions (registering itself as the handler for executable file types), tamper with the Windows shell (Winlogon Shell and Userinit values), register itself as the SafeBoot alternate shell, disable the registry editor, and take other actions that prevent the user from repairing the infected system.
     
  • Win.Trojan.Startpage-6455053-0
    Trojan
    This trojan changes the browser's start page. The start page can be a single site or a set of sites that are opened whenever the browser starts.
     
  • Xls.Dropper.Powershell-6454576-0
    Office Macro Dropper
    Excel workbooks that display an unreadable image together with the Italian message 'FARE CLIC SU "ATTIVA CONTENUTO" NELLA BARRA DEI MESSAGGI' ("Click 'Enable Content' in the message bar") to convince users to enable the macro. The macro uses PowerShell to download and run a malicious executable.
     

Threats

Win.Packer.Givelet-6454616-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value: qdobxoamsza
Mutexes
  • Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
IP Addresses
  • 193[.]0[.]179[.]152
  • 151[.]248[.]118[.]75
  • 5[.]154[.]191[.]67
Domain Names
  • gandcrab[.]bit
Files and or directories created
  • %AppData%\Microsoft\motopn.exe
File Hashes
  • 10f2ed852befc9c9c15e5231b2167bbec66e3700c44bcf324312a32e932fa819
  • 1257a5650f02a4cbff43c190452517e17f4aa46284b7063162e4a54d318aff79
  • 14944d9db8baace4d7fb97cdf285009b5e0472bd6aa4d9cb530a1f3893287682
  • 17d14ca09aa5f447fca0d8d5d1ae9dee5731846588d1c15987eb3de5cd57e90d
  • 184ccb64f12601a3797e9c73ce77c89d05b50f2a668f94ec8cfd1c7414906c0e
  • 18635915a4453bd1c68de152c139326023a165c0ae191ef501a6425615aa5d84
  • 18dd0a662f77ca2ec235b3ae761cf7f4e6a3adb3fe32b2c994c080b6b7f10389
  • 19519e38242877d2a689efaddecb8b8699d122051cd4b189de6466a83422f7c3
  • 19cebd1722376f2c62a1922214903052a964ad1d2505fa698376c5f3b4d0594b
  • 19e5e3d8fbf0db27d943090114c88051294bb918f0c9ce2d4894d9c8c290c21b
  • 1ddca770b20bf8748a2a0435cf4f7316167ee4dbc7311fd3fd8e9600c79fc7ec
  • 1e7eebcaf485682da709a94fb1c679555a9090592cfe54564f5eb396c7458044
  • 1eae0edf899f881fd86f0500b58f9b6497d5b94a99ac439307d61c0f24cb1573
  • 2155517a296dd90f86ef3bb09455444c387d9b1384bb435c997105acd88a281f
  • 29ce80f75b8877e22cdcdf3fbecb01d2d1a65161f18311facdbbd090769b5ee6
  • 29ff9ee8e9d85e836de88304ee4251ff373bcec4abc5c45496192952ad08a0a5
  • 32ee0ff7fbec042edbb9420e522eda1a126e1872da2b7a13b0627a03be4d1d59
  • 336e7c9dfef94fecf00c1c0b2a539c7332453e72367efc0b25c5115d90d94180
  • 3570b95ea454efd6735bf4942d69521d608ab7d0c9745cfa636f1107acc6a23c
  • 3732c9fd5ff38c31fda2492dd81584819f12cce5731f7361f536bdf8040c724d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Packer.WizzPack-6454612-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • RasPbFile
IP Addresses
  • 94[.]23[.]252[.]37
  • 46[.]105[.]121[.]115
  • 94[.]23[.]199[.]17
Domain Names
  • asedownloadgate[.]com
Files and or directories created
  • \Program Files\S941OEL096\uninstaller.exe.config
  • \Program Files\S941OEL096\S941OEL09.exe
  • %SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe.config
  • %SystemDrive%\Program Files\P56VHIGDGI\P56VHIGDG.exe
  • \Program Files\S941OEL096\uninstaller.exe
  • \Program Files\S941OEL096\S941OEL09.exe.config
  • %SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe
  • %SystemDrive%\Program Files\P56VHIGDGI\uninstaller.exe.config
File Hashes
  • a7bca25940ec920dbbcc05ef606b1d0a1192d46de612b432a1072d3aa1fa5a07
  • 22a96cc3fcc81a7475fc4c6253fd8e39bda56bd97afc5c98864c1eab9c2f625f
  • c9bd472f6fa6af9f0ba855967c4a061e6e559e48734b4e85c30742a14274a5f8
  • ea4ddb43aa08c17216262c7251fb47d6f8c2c3f2369c6efed6c7914d9f0e16c1
  • 17873809b8b5c0df00a414ed8ac4ccd356d46bb5726d79552c3e5d5f0e63c889
  • e63962df00ffdc4e99d59019b588c0b34a0c56368bedb9736cb684274fac3833
  • 3c7d21d1ae2103a9610f3073c3e805ef76adfc978c13c19585830d2e17d3c912
  • 9eea6555c0fbc9753b5a7f68d367269872538850b326a2eea3ad4c26fe910073
  • 0c0124adc78b717b24505119f4faa70b1ce9fd217d7c5fee574b77eccd13d755
  • 11d808a9eb56223bdb3e1a66a3d55a8ea12f077bb5ee2db66d193cb779a02f62
  • a085a4dac6d01166072c7296ec4e4089e50a45ed0027a691854c62ed0c5be611
  • e05db1be09272fb01803d46ca5b9b55e324776058a87f9695e1b39f8f9bd3e17
  • f8f7422827e5874604c69ab1d2de11d893f7432a6b346b1a6d0feddce700d24d
  • 2815d64f1dcbb9ea459b969da34c7d319440c854fcee7d5b12b138f5540f7a10
  • f6bddc85724ff45d2b64f17685dcce98c7e5f7435d9b268debd523cbebc14260
  • 899a119818fbdd16989380e5e4a62998e2d68865dc5f5dba82c2931e6d20bcbd
  • f2dbc26b7b7dd8f552e954ce4e8b685a9600506a633a90c2735a303aec80e0a0
  • 4727f0952de54fb024c30de9188d2e6e81ee0a675f229159013b6d753e985a6e
  • 8e8bdb56d72a73da3d4367a59ca2235495fc7837aa48dd15201a6a0ff1a8d7ef
  • c59a5a9e3cb8bc3794d17a480e4709b1b96b28a469c2a1ff1d9ab4972f7a043d

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Trojan.Generic-6454586-1


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: AudioHD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %TEMP%\svchost.exe
  • %AppData%\AudioHDriver\AudioHD.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\AudioHD.url
File Hashes
  • 013ede62c35998c847f9248bcede46dce801480743a064d488341f95094c0d4e
  • 166ee27653415896013b0e775c03ffc27db5a7b6daa7a4c78976fdd7bc166416
  • 1f1ec9a132226bc4eac25a6e999cc9b937718cb356c8d41b2bb08266ca1c5a38
  • 2d1cfd1ae428729b32af03264179cb7640d4aa7b1e3c299cb106a77cfe42d216
  • 38cf958875c3eb34a07f15163e7ceb8294ada5eccb765aa37ea69aba4fe79cd8
  • 3b0e9faf07e32d593b54cdfebd725707988bdaa7d81ab2ab396630384127fdc9
  • 3ff03a32f5a944c6655789bbfa124a7d52bb17df771c975685a5dce69c124d04
  • 45b40df9bc6508a11c7fdf06de88a039485dca91d985fb667a91a4af35a08b2a
  • 4ca97c879d841e79a5588f350cea663272bdfab1a1e7761b109c6bc72da523fe
  • 5943eb982b5def7773628c728369398d5722c39f67b978c10782311eb00a50bf
  • 9414096ebca4dd3e948014b7348578e5adfec4729e5a9f15f6b06dfffbd13408
  • a6a9ec0af4abe94b72e557f4b9c9d4d0b59b4296aca3175a1551b84efefed856
  • ab1c0fd38656ae73d1ec96bb5b3ee5e354022feca924653c606ad5dbc3ae0c47
  • fddbec3a6e8fca4f3f388ff5856b8030005339967ffda594035f9353f5c71bd2

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Generic-6454615-0


Indicators of Compromise


Registry Keys
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-100
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\eapqec.dll,-101
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-100
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\dhcpqec.dll,-101
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-1
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-3
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-2
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\napipsec.dll,-4
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-101
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-102
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-103
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: @%SystemRoot%\system32\tsgqec.dll,-100
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35f4cf4b9d22a75d4f44d45247335d79
  • <HKCU>\SOFTWARE\35F4CF4B9D22A75D4F44D45247335D79
    • Value: [kl]
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35f4cf4b9d22a75d4f44d45247335d79
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500
    • Value: di
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: LanguageList
  • <HKCU>\ENVIRONMENT
    • Value: SEE_MASK_NOZONECHECKS
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: ParseAutoexec
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
  • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKU>\Software\35f4cf4b9d22a75d4f44d45247335d79
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
  • <HKU>\Environment
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
  • <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKU>\S-1-5-21-1258710499-2222286471-4214075941-500
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
  • <HKCU>\Software\35f4cf4b9d22a75d4f44d45247335d79
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
  • <HKLM>\SOFTWARE\Microsoft\Tracing\FWCFG
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
Mutexes
  • 35f4cf4b9d22a75d4f44d45247335d79
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
  • \BaseNamedObjects\35f4cf4b9d22a75d4f44d45247335d79
  • RasPbFile
IP Addresses
  • 52[.]15[.]72[.]79
  • 52[.]15[.]194[.]28
Domain Names
  • abdullahxd[.]ddns[.]net
  • achreeff[.]ddns[.]net
  • fatehtawba[.]hopto[.]org
  • youdkme6[.]ddns[.]net
  • boubou14789[.]myddns[.]me
  • hixx[.]ddns[.]net
  • hoangvanloi[.]ddns[.]net
  • hackingisis[.]ddns[.]net
  • aymandz[.]hopto[.]org
  • deface666[.]duckdns[.]org
  • ramzy778[.]ddns[.]net
  • adsvcksl0[.]hopto[.]org
  • hostalukkzattack[.]ddns[.]net
  • 4mmujnm11[.]ddns[.]net
  • love-5aled[.]ddns[.]net
  • njrat511[.]hopto[.]org
  • rootbot2[.]ddns[.]net
  • force-ss[.]ddns[.]net
  • aadlallame00[.]ddns[.]net
  • ksa-99[.]ddns[.]net
  • updateservice[.]ddns[.]net
  • forever12qut[.]hopto[.]org
  • wydad2002[.]ddns[.]net
  • feedback007[.]ddns[.]net
  • sniper1994[.]hopto[.]org
  • falcon777[.]ddns[.]net
  • pikhateamspeak[.]duckdns[.]org
  • krkr-7rb[.]ddns[.]net
  • sagadegemios[.]ddns[.]net
  • sniper04[.]ddns[.]net
  • omerbahram00[.]ddns[.]net
  • koshtmna[.]ddns[.]net
  • colorado[.]ddns[.]net
  • minhahostvitimas[.]ddns[.]net
  • zkiller[.]ddns[.]net
  • 1[.]tcp[.]ngrok[.]io
  • hussein1984[.]ddns[.]net
  • sniperusa[.]ddns[.]net
  • sodotest[.]ddns[.]net
  • notfoundd[.]ddns[.]net
  • portaclore[.]ddns[.]net
  • al38lal56er[.]ddns[.]net
  • paubrasil123ei[.]ddns[.]net
  • samuli[.]ddns[.]net
  • droid[.]ddnsking[.]com
  • naoe1noip[.]hopto[.]org
  • njrat98[.]ddns[.]net
  • windowssystem2017[.]hopto[.]org
  • dndon[.]ddns[.]net
  • plon[.]ddns[.]net
  • kskhtk[.]ddns[.]net
  • belegugamaniawr[.]hopto[.]org
  • boubou14789[.]hopto[.]org
  • samirsuheib12[.]ddns[.]net
  • machouche17[.]ddns[.]net
  • menescraftson[.]ddns[.]net
  • tronn[.]ddns[.]net
  • zombi16[.]ddns[.]net
  • hamaditigwan[.]ddns[.]net
  • r4y3n[.]ddns[.]net
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
  • \TEMP\R8v6FbJV.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\35f4cf4b9d22a75d4f44d45247335d79.exe
  • %AppData%\server.exe
File Hashes
  • e537ffeb2bc202f2a8289e9c96115c5c03280cdbda5a82a81d83b97570ccfcce
  • eada793b386002f297ad511a2ae780cd011b189f1dccbd6ca62d89345095d6e6
  • 49fbf92ef158694f0ed792403f7a066d88831ba71e5f4018f707010f2627210d
  • 4c54271a9c1fc98d0561c6f8ab45be77121bb382453e07d49f2b56d89bd263ab
  • b6712bdb9c15e7e3cbeb71a32cd2103c1286509a85e7db870baed53d71b0dcc2
  • 15fa9fff9515ae191c98aabd7a870699d3683ad9ae0b9fbdb4fb875e35c43183
  • 8def70bf3014498d6c05556fd1b5b72982205423bb5bfa9d25ab4288ecbb506f
  • 658e4b5c23b609d535abc535901b848569dd294f26952fb07a25dc3537116bf8
  • a4b0b9b8b4240370b6c9f030eaac7b852f10da8069b36d3387fd1b96e472d73a
  • 2f2e7e92f633924afa45b5da925e217643ed08e605ced40949f0ca78adb36d6f
  • a1d8135b1ff1c5d8c28016b4ff09bb47606f04f815a4f268c6d82d25398f7bec
  • 46a5a182b94569e4db66ae877064a18a1ca470aa0302d400eaed02545d83c1eb
  • 9bce170ab8da2c93a54bac556b0666f93ab09bfa9965b03bdbc7861ee413448e
  • 90e7a37c2183bd83b02d3a6ac8af8a3afd19e0a1561bf16f2338476802dcfefa
  • e1673a3ed97150082c0e89712386c71f6feb8fd1d7428fe633cfae0d1ca9baba
  • ba1d8858e7863db19f04cf44cfa92906887833a84099f2bc810ed5c6863b46b1
  • 59a56a0d81bac39e5a7a9299ae700b5734b1b038fa800c006463c5592620107d
  • de3357a9ab3d0f03cb4025862a0f0a38f1eb2e0d2909f9537597c4e341cc14be
  • bc9c84da6bac2680ae866d540768af8f744c321d2cedcccd97fb17299d5904c6
  • 2e7b6747e309c3d8fb98ebe25eeeb9f4644162084b304a68ef00a5690be27b46
  • 8d3b285e6b1a0c1f21e9a950ab580800f184b0d6456dd117c74edc37020c31f3
  • b371a4708ba510da541267981d4b05bb6dafbe4b07b387952c582db4ea691e26
  • dde1cc674ef61703752be1d3354f0f766724678aa0fdeb6376e7448a901d7f78
  • ff2269482bf29fef74fdb1d15cfae2417955f1aaa80cd8e3c296d21bec23bf98
  • ce533f8f084a79294aa1254db01fd630dab95ccff22124d9fb4c51fe16a2948a
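Almost every domain in the list above is a dynamic-DNS hostname (ddns.net, hopto.org, duckdns.org, myddns.me, ddnsking.com) or an ngrok tunnel, which is typical of commodity RAT operators running the controller on a home connection. Exact-match sweeps on such names go stale quickly, but the provider suffixes are a useful second signal. The script below is an added example, not Talos code: it refangs a subset of this section's indicators, drops private addresses (the 192.168.x.x entries elsewhere in this post are the sandbox's own network), and sweeps constructed DNS/proxy log lines for exact hits and for weaker suffix-only hits. The log format and the suffix list are my assumptions.

```python
"""Refang the defanged indicators published in this round-up and sweep DNS or
proxy log lines for them. Added example, not Talos code: the log format and the
dynamic-DNS suffix list are my own assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Subset of the defanged domains and IPs listed under Win.Trojan.Generic-6454615-0,
# plus one sandbox-local address from another section to show the private filter.
DEFANGED_DOMAINS = """
abdullahxd[.]ddns[.]net
njrat511[.]hopto[.]org
deface666[.]duckdns[.]org
boubou14789[.]myddns[.]me
droid[.]ddnsking[.]com
1[.]tcp[.]ngrok[.]io
"""
DEFANGED_IPS = """
52[.]15[.]72[.]79
52[.]15[.]194[.]28
192[.]168[.]1[.]255
"""
# Assumption: the dynamic-DNS and tunnelling providers that dominate the list.
# A suffix-only match is a weak signal (legitimate no-ip users exist), so it is
# reported separately from an exact indicator hit.
DYNDNS_SUFFIXES = ("ddns.net", "hopto.org", "duckdns.org", "myddns.me",
                   "ddnsking.com", "ngrok.io")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """'a[.]b[.]c' -> 'a.b.c', lower-cased and stripped."""
    return ioc.strip().replace("[.]", ".").lower()


def load_domains(block):
    return {refang(line) for line in block.splitlines() if line.strip()}


def load_ips(block):
    """Refang IPs and drop private/reserved ones: RFC 1918 addresses in a sandbox
    report are the sandbox's own network, not attacker infrastructure."""
    ips = set()
    for line in block.splitlines():
        if line.strip():
            addr = ipaddress.ip_address(refang(line))
            if addr.is_global:
                ips.add(str(addr))
    return ips


def is_dyndns(host, suffixes=DYNDNS_SUFFIXES):
    return any(host == s or host.endswith("." + s) for s in suffixes)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str          # "domain", "ip" or "dyndns-suffix"
    indicator: str
    line: str


def scan(log_text, domains, ips, suffixes=DYNDNS_SUFFIXES):
    """One Hit per (line, indicator); hostnames are checked before addresses."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for host in sorted({h.lower() for h in HOST_RE.findall(line)}):
            if host in domains:
                hits.append(Hit(n, "domain", host, line))
            elif is_dyndns(host, suffixes):
                hits.append(Hit(n, "dyndns-suffix", host, line))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, "ip", ip, line))
    return hits


# Constructed DNS/proxy log lines (format assumed: time client action target)
SAMPLE_LOG = """\
2018-02-20T10:01:02Z 10.0.0.5 query njrat511.hopto.org A -> 52.15.72.79
2018-02-20T10:01:09Z 10.0.0.5 query www.example.com A -> 93.184.216.34
2018-02-20T10:02:30Z 10.0.0.9 query mycamera.ddns.net A -> 198.51.100.7
2018-02-20T10:03:11Z 10.0.0.7 query NJRAT511.HOPTO.ORG A -> 52.15.72.79
2018-02-20T10:04:45Z 10.0.0.5 connect 52.15.194.28:5552
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, load_domains(DEFANGED_DOMAINS), load_ips(DEFANGED_IPS))
    for h in hits:
        print(f"line {h.line_no}: {h.kind:14} {h.indicator}")
```

Treat a "dyndns-suffix" hit as a lead to pivot on (which host, what else it resolved, whether the answer is an address in the exact list), not as a verdict; a "domain" or "ip" hit against this section's indicators is worth an immediate look at the client for the Run key, Startup-folder entry and %AppData%\server.exe listed above.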

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Trojan.GenInjector-6443827-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: FileTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: FileTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: MaxFileSize
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: ConsoleTracingMask
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
    • Value: LanguageList
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: MaxFileSize
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: FileDirectory
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: FileDirectory
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: EnableConsoleTracing
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: FSjrvbtr\s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0s\\0
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: ConsoleTracingMask
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASAPI32
    • Value: EnableFileTracing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\REGASM_RASMANCS
    • Value: EnableConsoleTracing
  • <HKLM>\Software\Wow6432Node\Microsoft\WBEM\CIMOM
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASMANCS
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\CLASSES
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing\regasm_RASAPI32
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SOFTWARE\Microsoft\ESENT\Process\regasm\DEBUG
  • <HKLM>\Software\Wow6432Node\Microsoft\Tracing
Mutexes
  • \BaseNamedObjects\7261cb8c-207c-4c90-b816-c6717f9f50fe
  • 7261cb8c-207c-4c90-b816-c6717f9f50fe
  • RasPbFile
IP Addresses
  • 208[.]91[.]199[.]224
  • 37[.]187[.]116[.]23
  • 208[.]91[.]199[.]223
  • 192[.]168[.]1[.]255
  • 208[.]91[.]199[.]225
  • 66[.]171[.]248[.]178
  • 208[.]91[.]198[.]143
Domain Names
  • glop[.]me
  • us2[.]smtp[.]mailhostbox[.]com
  • smtp[.]tridentsaefoods[.]com
  • bot[.]whatismyipaddress[.]com
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp2.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp5.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\8a30b2df-789d-2a28-7167-76c811ca3a9f
  • \TEMP\IMG-PRO-FORMA INVO.2017.1.11.exe
  • %AppData%\FSjrvbtr\AVetZPQw.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp4.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp7.tmp
  • %System32%\wbem\Logs\wbemprox.log
  • %TEMP%\a998c159-9477-9c4d-f909-8a857896ecad
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\tmp1.tmp
File Hashes
  • 021492b2cc3c242851207e402e9ba284ed32350379deac649f38426130b2c01f
  • 048800615c3449d53e8b3c28489fabb4e8f4d758ace9f585f8f2ea585d3c7fad
  • 18d5300979ddaa3b65ff7579aa3725921b44e945e40ed54e55a0396add9d3323
  • 2cd6fc2a4572f4b1a39371a8df8c664eabe119608908d441257e72eb203737f4
  • 6346200d4e21bcd391e3557b72791f033c51fc72ebfeb359498b63c1c8d832ca
  • 7ad83d75a4223be0dec837d26fa78e4d7a69e4379c01c3ae31f3aa82483fbd2d
  • 90cd726b06dffb129795b132f92d39750492d168206ef22b0ee422a6a55663cb
  • b111124ced4570df72cefd1b5d0d1afc1f1dae7db1319c4e720f52c23b76c0ad
  • b9a43f89e0b974b2f2b2af15e80353b10175ed3e9d4e015d85f96d7d38e65c6c
  • be9f065d0330585bc300e3a56c7ade7da01a48af2d1c7634e20c2896c45a2024
  • d90dc3f22cc7bd92f22bafa9d77b0e373849386eae57606b42239f915357084a
  • e128f7ad54a882d2d269733a956f49e5b1bf2b182781f24f98f058f2d8f48787
  • e4b1ee306ab7080c48b05746da8130fdeede8730214e00778c8231f6d8d6e7c0
  • fb237b7fc75cec8180f4d853c44911dc0dbdb705be39c3e6f1f2a523b79ff9d5
  • 7a7afe3c990a21f1076dd57769d2e199e081ef04f5fb250da5c6d4d109034dc0
  • a9657835057ff11177054c128e834217fd6ba5e55279caab16391f12147c0757

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Regrun-6454954-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
    • Value: DisableMSI
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: System Monitoring
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
    • Value: DisableCMD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: ScreenSaveTimeOut
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
    • Value: FullPathAddress
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: xk
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableConfig
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
    • Value: AlternateShell
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
    • Value: Debugger
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
    • Value: LimitSystemRestoreCheckpointing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Userinit
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: SCRNSAVE.EXE
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
    • Value: Auto
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableSR
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: HideFileExt
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: ShowSuperHidden
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: ScreenSaverIsSecure
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: MSMSGS
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: LogonAdministrator
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value: Hidden
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Shell
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: ServiceAdministrator
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
  • <HKCU>\Control Panel\Desktop\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
  • <HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
  • <HKCU>\Software\Policies\Microsoft\Windows\System\
  • <HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
  • <HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
  • <HKLM>\SOFTWARE\CLASSES\lnkfile
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
  • <HKLM>\SOFTWARE\CLASSES\exefile
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\Tasks\SCHEDLGU.TXT
File Hashes
  • d86831a343b89136da7a224b0abfae57a79b1ce5d0ae3447bef628d262fb0f12
  • c137279e9650a0112f3a3460172a41f307e32aba43016c6d85b1d33859079bba
  • 060bf8faec0beb953af3c72b54ea334abc1057f5bc96a65a140810ac55d2e6ce
  • b6a80a6ed3bc851a1685ef19dc3a89424813b93a10b25a0684631a532dea71ca
  • 13cf35842c9ef3f362bb7d3c6c8c50957f5b156e865b45b57e2e420416a3f656
  • e6f2a103d62c0dd55cdbd3776578fd8ff3ea28532404a811c0dcd9ed7df473c0
  • ddc14512ed0a1c00988ef4ea0ea59b832d4e17a25500e7a2f7d5caaa6aae0245
  • 4a66e0bfcdd2addfccd8ba68c50d2b803beb2b8120a6cf4f8fecf4a0b0cf1678
  • 9dda2f8f7543c8074f4c284c00e5310a599b364def138a99d7425ec1b205b7e0
  • b2d99e9bb7d597d69b139b07c3ac03aeb37f959094ab0f50bc2a8269d340b8b6
  • 59695cfe42cc0d5418a4568d946949af5fd9de14bdc160d1a5d12d5916a9b411
  • 2c4d182d15533ea845e2d8741a3012998f339a3a6411735a07e4a5722ed0738c
  • 80fd45667ccd54a83e5a54339fa4f5260929bc59f1a57be49251e3ebdcd5abce
  • f0c6a8ed12cb35d5986a1ad51f035f684f0b2953c8b4738e5243777920d23169
  • 04b54cac517f204d2f4159a819b63825a8be41a0470d9666ea2110607888c857
  • 3c7e07a560d5cd46a054d44663440f7ef38b48157ae16c39e7a8c8859d517d80
  • 6262f5c8735e38bc8ab646dc1edb6f989478c3d50abadd7b9b58a5e63d558dc1
  • 5d5175472fbb0a943818f84a6b2423c410c212390310daca531e6f0f880c336d
  • 57b930abca5b4f3cdd3c7c50b77224ea732dc5d44d2e8443c9199b7701a8307d
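The registry indicators above fall into three groups a responder should check on any host suspected of this infection: policy values that lock the user out (DisableRegistryTools, DisableCMD, NoFolderOptions, DisableSR), the Winlogon Shell/Userinit and SafeBoot AlternateShell values the trojan points at itself, and the exefile/batfile/comfile/piffile open-command handlers it registers under. The following Python script is an added example, not Talos code: it parses a reg.exe export and reports those deviations against stock Windows defaults. The .reg parser and the sample export are mine. Two caveats: HideFileExt=1, ShowSuperHidden=0 and Hidden=2, which the trojan also sets, are Explorer's out-of-the-box values, so they only tell you something on a host whose user had changed them and are not audited here; and the internat.exe Run value is the Windows language-bar indicator and recurs across unrelated clusters in this post, so on its own it is not an indicator.

```python
"""Audit a Windows registry export (.reg text) for the lock-out and handler
hijacks listed under Win.Trojan.Regrun-6454954-0. Added example, not Talos code:
the .reg parser is my own and handles dword and string values only."""
import re

WINLOGON = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
# (normalised key, value name) -> stock Windows value; a present value that differs
# is "tampered". Normalised = upper case, HKLM/HKCU aliases, Wow6432Node dropped,
# ControlSet001 -> CurrentControlSet, HKCR folded into HKLM\SOFTWARE\CLASSES.
EXPECTED = {
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "DisableRegistryTools"): 0,
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "DisableRegistryTools"): 0,
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER", "NoFolderOptions"): 0,
    (r"HKCU\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM", "DisableCMD"): 0,
    (r"HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE", "DisableSR"): 0,
    (r"HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT", "AlternateShell"): "cmd.exe",
    (WINLOGON, "Shell"): "explorer.exe",
}
for ext in ("EXEFILE", "BATFILE", "COMFILE", "PIFFILE"):   # handlers it hooks
    EXPECTED[(r"HKLM\SOFTWARE\CLASSES\%s\SHELL\OPEN\COMMAND" % ext, "@")] = '"%1" %*'
RUN_KEYS = (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
            r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
# Run value names from this post's indicators: a name match is a lead, not proof
SUSPECT_RUN_NAMES = {"system monitoring", "xk", "msmsgs", "logonadministrator", "serviceadministrator"}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def normalise_key(key):
    hive, _, rest = key.strip().upper().partition("\\")
    rest = rest.replace("WOW6432NODE\\", "").replace("CONTROLSET001", "CURRENTCONTROLSET")
    if hive == "HKEY_CLASSES_ROOT":
        return r"HKLM\SOFTWARE\CLASSES" + "\\" + rest
    return HIVES.get(hive, hive) + "\\" + rest

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)   # .reg doubles backslashes and escapes quotes

def parse_value(rhs):
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
        return unescape(rhs[1:-1])
    return rhs                           # hex(...) blobs are left raw

def parse_reg(text):
    """Return {normalised key: {value name: value}}; "@" is the default value."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = normalise_key(m.group(1))
            tree.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(2) else unescape(m.group(1))
            tree[key][name] = parse_value(m.group(3))
    return tree

def userinit_ok(value):
    # Stock value is "<system32>\userinit.exe,": one entry with nothing appended
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return len(parts) == 1 and parts[0].endswith("\\userinit.exe")

def audit(tree):
    """List (severity, key, value name, value) for every deviation found."""
    findings = []
    for (key, name), want in EXPECTED.items():
        got = tree.get(key, {}).get(name)
        if got is not None and got != want:
            findings.append(("tampered", key, name, got))
    userinit = tree.get(WINLOGON, {}).get("Userinit")
    if userinit is not None and not userinit_ok(userinit):
        findings.append(("tampered", WINLOGON, "Userinit", userinit))
    for key in RUN_KEYS:
        for name, cmd in tree.get(key, {}).items():
            if name.lower() in SUSPECT_RUN_NAMES:
                findings.append(("review", key, name, cmd))
    return findings

# Constructed .reg excerpt in the style of an infected host (not a real export)
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="C:\\Windows\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"C:\\Windows\\svchost.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"System Monitoring"="C:\\Windows\\svchost.exe"
"internat.exe"="internat.exe"
"""

if __name__ == "__main__":
    for severity, key, name, value in audit(parse_reg(SAMPLE_REG)):
        print(f"{severity:8} {key}\\{name} = {value!r}")
```

On a live host, produce the input with reg export for the keys of interest (for example HKLM\SOFTWARE\Classes, HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot and the Winlogon, Policies and Run keys under both hives); reg.exe writes UTF-16 with a BOM, so open the file with encoding="utf-16" before passing it to parse_reg. Remediation of the handler hijacks means restoring the "%1" %* command before anything else, since with exefile redirected every executable you launch, cleanup tools included, runs through the trojan first.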

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Trojan.Startpage-6455053-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: URL
  • <HKU>\Software\Microsoft\Internet Explorer\TabbedBrowsing
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
  • <HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value: LanguageList
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: SuggestionsURL
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
    • Value: DisplayName
  • <HKU>\Software\Microsoft\Internet Explorer\User Preferences
  • <HKU>\Software\Microsoft\Internet Explorer\Main
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  • <HKU>\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
  • <HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Uninstall\{28e56cfb-e30e-4f66-85d8-339885b726b8}
  • <HKU>\Software\Microsoft\Internet Explorer\SearchScopes\{F7067876-A17A-4A11-A92B-185B2E8D39B6}
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
  • <HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{69910372-D455-48F9-811C-B1191062C1B7}
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
  • <HKCU>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs
Mutexes
  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
IP Addresses
  • 1[.]1[.]1[.]1
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 6daffa157bd0a686cec232c2d1ffc764b7b85d7a94a6c2b13b46e3903fcd78b8
  • 60dbf376cedaecb73bc2bd558024a2af9a95a3044d7343850a7ca03d098943f1
  • 9eea8a80c3d01e16ab4ed53e9743d1dee0351b9ce6dd632dad938b71d78f8cce
  • e74e9dd028c909ebd85012866f2e9ac33bc1db243499230d0e0c225eee9adb1b
  • 18afad450f4b7816ddf1451e48684cefce677671ae5d6747fe90be2c3d8bd82e
  • ab15bfd82688bd582807715e61aaa40f018f80fa0e99bbd018bc47a6c1aa80f4
  • 399c3b0534f83e5778e2e1f65633d12e92b7b395d38315d964a640df646d32d8
  • dbc1311001ddb6e3069e7b6d5dce0ce3618d736e1603f0271ffc52abbb8e2f0c
  • 32bcd39615ac8e11e42b24925b24e74f4a4540acc763c5255c7bde0a00e1f253
  • f31f9f266b453ddde95d2bab56548a32269b12d8c54c6efc7a91628b2a72273e
  • a0014494734eb608b9f7af9f3c71057babf7f486e19745286bc574f766b4760c
  • 228a8c340397acc65c36004acac69a29204840167527deb1f6ed02b75c8cbf1a
  • f9552c1892cb3bd49289fb7eb541353027e6d431194d326c24b231b529adc0ba
  • 62d5c29939f8c70c80797165dcff9b9170a77a82354bc0d2a5625c115a7dbc6f
  • cc8a88dc216648a8ea78174b04c0c874cecbec2a2e6b93a742eaa530264cb563
  • ab8cc1d317663161a27eba9a23d54f3c6d71bfb774dda248eadc052062e76cb1
  • 13b51f0088c3c341d59467f89601703b20f160585d6008707572b12862ae894d
  • 91fd6e5bf7737e284fc80757fbdf0e141564d37c0e50e447e1b7dc2ce1cb7a2e
  • abc0a5ea42a72483a16308ea888d1a56f27c8e8c02b6a93d816339e7acab9c49
  • 33033fc8af66d92c077aeeb997043c90a64d4aba8840779dedb4f446be7b94f4
  • d463ae2543a2a81dc89d84b6ca9f195c430d65cf25fb753a9e4ab5fad1b4df2e
  • 0b11ccc6fc403eeebd9edd0e9087406beeaf5aea9b38cfd7d4a57139e777619f
  • 6b148642e7d64be68a97a13d776b03a76406bd2553ef0314b5afcb5906ad43d1
  • 278cda56d3b11ab3712751f7c3848465a728aa13cf07980722509b04d992626c
  • e32a73c2356c41a50e83cd9e7bac747249aed1fe68f17ee71d0a90887c3c1401

Coverage

Screenshots of Detection

AMP

ThreatGrid

Screenshot

Xls.Dropper.Powershell-6454576-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 192[.]168[.]1[.]114
  • 192[.]168[.]1[.]255
  • 192[.]168[.]1[.]1
Domain Names
  • bitcloud[.]gq
Files and or directories created
  • %TEMP%\CVRA534.tmp.cvr
File Hashes
  • 1955b36980486ceb95b0194fe10ed7aa9b317b7c3d6f79f152ff4f0aebba50eb
  • 471c4a3ac3ee5f32cad237e320bbacc99c0b1cc52cadd351a9cd35eebc36ea97
  • 1e0c9247ec3bb3d9f0e7a9e422aea3263ec32db17ffed0b4ae6a6e4b791fa195
  • 9adfcba2c8a8e25433eb3cb88593d22314d59e0d420f1735df2908df7e7b8881
  • 2241ad38594e08c9a72417e1f232ae1256c551f3b466d53a3ecf0fe4b3ac976f

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Screenshot
