Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 08 and Feb. 15. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Virus.Expiro-6854765-0
    Virus
    Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
  • Win.Malware.Swisyn-6854761-0
    Malware
    This family is packed and uses anti-analysis tricks to conceal its behavior. The binaries drop other executables, which are then executed and attempt to inject malicious code into the address space of other processes.
  • Win.Dropper.Ribaj-6855378-0
    Dropper
    This family is written in .NET and is highly malicious. Once executed, these samples drop files in Windows directories, modify other applications and spawn several child processes. These binaries also change the internet settings and the certificates of the victim's machine, as observed in the Windows registry activity.
  • Doc.Malware.Valyria-6855449-0
    Malware
    These variants of Valyria are malicious Microsoft Word documents that contain embedded VBA macros used to distribute other malware.
  • Win.Malware.Cgok-6854725-0
    Malware
    These binaries are able to detect virtual machines and instrumented environments. They can also complicate the analysis with anti-disassembly and anti-debugging techniques. This family can install additional software and upload information to a remote server.
  • Win.Malware.Noon-6854584-0
    Malware
    This family is highly malicious and executes other binaries. These samples contact remote servers, upload information collected from the victim's machine and establish persistence.

Threats

Win.Virus.Expiro-6854765-0

Indicators of Compromise
Registry Keys

  • <HKCU>\Software
  • <HKCU>\Software\Microsoft\SystemCertificates\MY
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • <HKLM>\SOFTWARE\Microsoft\Internet Explorer\Setup

Mutexes

  • TermService_Perf_Library_Lock_PID_194
  • kkq-vx_mtx87
  • \BaseNamedObjects\gazavat-svc
  • \BaseNamedObjects\kkq-vx_mtx1
  • \BaseNamedObjects\kkq-vx_mtx29
  • \BaseNamedObjects\gazavat-svc_29

IP Addresses contacted by malware. Does not indicate maliciousness

  • N/A

Domain Names contacted by malware. Does not indicate maliciousness

  • N/A

Files and or directories created

  • \ROUTER
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
  • %ProgramFiles%\Outlook Express\msimn.exe
  • %ProgramFiles%\Outlook Express\wab.exe
  • \SfcApi
  • %ProgramFiles%\Java\jre7\bin\java.exe
  • %System32%\tlntsvr.exe
  • \net\NtControlPipe14
  • %ProgramFiles%\Internet Explorer\iexplore.exe
  • %ProgramFiles%\Outlook Express\msimn.vir
  • %ProgramFiles%\Outlook Express\wab.vir
  • %System32%\narrator.exe
  • %System32%\utilman.exe

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid


Win.Malware.Swisyn-6854761-0

Indicators of Compromise
Registry Keys

  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE
  • Value Name: _CurrentObjectId_
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
  • Value Name: _ObjectLru_
  • <HKLM>\SYSTEM\ControlSet001\Services\RKREVEAL150

Mutexes

  • RasPbFile
  • Local\WERReportingForProcess1908
  • Global\41010221-308a-11e9-a007-00501e3ae7b5

IP Addresses contacted by malware. Does not indicate maliciousness

  • N/A

Domain Names contacted by malware. Does not indicate maliciousness

  • N/A

Files and or directories created

  • \srvsvc
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %LocalAppData%\CrashDumps
  • \net\NtControlPipe10
  • %LocalAppData%\Temp\ZGHVFQ.exe
  • %LocalAppData%\CrashDumps\e94034199ba3413b2180bdd135a7341b52a293c33b0c45640ba12f6578d3a1e0.exe.1908.dmp

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid


Win.Dropper.Ribaj-6855378-0

Indicators of Compromise
Registry Keys

  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKCU>\Software\Microsoft\SystemCertificates\CA
  • <HKCU>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
  • <HKCU>\Software\Microsoft\SystemCertificates\Root
  • <HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Microsoft\SystemCertificates\trust
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Mutexes

  • RasPbFile
  • Local\MSCTF.Asm.MutexDefault1
  • Global\CLR_CASOFF_MUTEX

IP Addresses contacted by malware. Does not indicate maliciousness

  • 91[.]134[.]147[.]134
  • 46[.]4[.]111[.]124
  • 79[.]137[.]116[.]43
  • 151[.]80[.]42[.]103

Domain Names contacted by malware. Does not indicate maliciousness

  • N/A

Files and or directories created

  • %ProgramFiles%\Hnc\HncUtils\Hmedia\AlbumMaker.exe
  • %ProgramFiles%\Hnc\HncUtils\Hmedia\PictureStyler.exe
  • %ProgramFiles%\Hnc\HncUtils\Update\HncCheck.exe
  • %ProgramFiles%\Hnc\HncUtils\Update\HncUpdate.exe
  • %SystemDrive%\x997y.exe
  • %LocalAppData%\Microsoft\Windows\WER\ReportQueue\AppCrash_p606h.exe_4863d852a7d73cfde1714dd63e191d3b678536_650ba745
  • %SystemDrive%\TEMP\x810y.exe
  • %LocalAppData%\Temp\suqv362h.cmdline
  • %LocalAppData%\Temp\suqv362h.err
  • %LocalAppData%\Temp\suqv362h.out
  • %LocalAppData%\Temp\suqv362h.tmp
  • %SystemDrive%\TEMP\x915y.exe
  • %SystemDrive%\p155h.exe
  • %SystemDrive%\x458y.exe
  • %SystemDrive%\x578y.exe

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid


Doc.Malware.Valyria-6855449-0

Indicators of Compromise
Registry Keys

  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates

Mutexes

  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\10MU_ACB10_S-1-5-5-0-57527

IP Addresses contacted by malware. Does not indicate maliciousness

  • 112[.]78[.]117[.]186
  • 185[.]165[.]123[.]206
  • 203[.]143[.]82[.]157
  • 136[.]243[.]80[.]123
  • 201[.]148[.]107[.]187

Domain Names contacted by malware. Does not indicate maliciousness

  • syonenjump-fun[.]com
  • tehranautomat[.]ir
  • www[.]tfmakeup[.]com
  • soportek[.]cl
  • mebelove[.]ru
  • tfmakeup[.]com
  • tilda[.]cc

Files and or directories created

  • \ROUTER
  • %UserProfile%\971.exe
  • %SystemDrive%\~$8325604.doc
  • %LocalAppData%\Temp\CVR9952.tmp
  • \TEMP\~$8b14c4fe8c25557a0a8a9061cc9eda7c97bb0f89f8f4ae4f645d6c1d996d4e.doc

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella



Win.Malware.Cgok-6854725-0

Indicators of Compromise
Registry Keys

  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Value Name: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
  • Value Name: AddToFavoritesInitialSelection
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

Mutexes

  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\Global\AmInst__Runing_1
  • Global\AmInst__Runing_1

IP Addresses contacted by malware. Does not indicate maliciousness

  • N/A

Domain Names contacted by malware. Does not indicate maliciousness

  • www[.]millesimalnonremuneration[.]site

Files and or directories created

  • \srvsvc
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
  • \lsass
  • \ROUTER

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid



Win.Malware.Noon-6854584-0

Indicators of Compromise
Registry Keys

  • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
  • <HKCU>\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Mutexes

  • 8-3503835SZBFHHZ
  • 30NAO081CA46913z

IP Addresses contacted by malware. Does not indicate maliciousness

  • 198[.]187[.]30[.]49
  • 69[.]172[.]201[.]218
  • 81[.]19[.]145[.]88
  • 94[.]46[.]164[.]14
  • 98[.]124[.]199[.]103

Domain Names contacted by malware. Does not indicate maliciousness

  • www[.]klomaxbv[.]com
  • www[.]chamberoffortune[.]com
  • www[.]holdf[.]com
  • www[.]giantbuffalo[.]win
  • www[.]quantiz[.]tech
  • www[.]ciercglabslush[.]win
  • www[.]wcqr[.]info
  • www[.]asfloorsolutions[.]com
  • www[.]i-executive[.]com
  • www[.]saintjohnmarketplace[.]com
  • www[.]saintjohnonline[.]com

Files and or directories created

  • %WinDir%\win.ini
  • %SystemDrive%\Documents and Settings\All Users\Struggleres.exe
  • %AllUsersProfile%\Struggleres.exe
  • %AppData%\30NAO081
  • %ProgramFiles% (x86)\Pkz7dkzi
  • %ProgramFiles% (x86)\Pkz7dkzi\Cookiesnrqhbx0.exe
  • %LocalAppData%\Temp\Pkz7dkzi\Cookiesnrqhbx0.exe

File Hashes


Coverage

Screenshots of Detection

AMP

ThreatGrid