Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 11 and Oct. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Malware.Zusy-7288173-1 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Trojan.Lokibot-7288215-1 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered in spam emails.
Win.Worm.Esfury-7292180-1 | Worm | Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, the registry editor and the task manager. Esfury may also contact a remote server to download and execute arbitrary files.
Win.Malware.Emotet-7292844-0 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Gozi-7329531-0 | Packed | Gozi refers to a family of banking trojans dating back to 2006 with many well-known descendants and variants, including Ursnif, Dreambot, Vawtrak, and GozNym. Its primary purpose is to steal login credentials for financial institution websites.
Win.Virus.Neshta-7330232-0 | Virus | Neshta is file-infecting malware that also collects sensitive information from an infected machine and sends it to a C2 server.
Win.Malware.Gootkit-7333291-0 | Malware | Gootkit is a banking trojan that is particularly interesting due to the anti-analysis techniques it employs. It has received several updates that implement new procedures for evading automated analysis and hindering reverse engineering efforts.
Win.Dropper.Remcos-7334963-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Trickbot-7340237-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScripts.
Win.Malware.Bublik-7340719-1 | Malware | Bublik is a downloader that targets Windows hosts. Although it is primarily used to distribute various banking trojans, it is also capable of extracting and exfiltrating sensitive information from the host.

Threat Breakdown

Win.Malware.Zusy-7288173-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: F9E7DE7B
43
Mutexes | Occurrences
F9E7DE7B 43
5D79E0A3 19
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
216[.]218[.]185[.]162 23
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
spaines[.]pw 8
Files and/or directories created | Occurrences
%HOMEPATH%\AppData\LocalLow\F9E7DE7B 43
%APPDATA%\F9E7DE7B 43
%APPDATA%\F9E7DE7B\bin.exe 43
%APPDATA%\5D79E0A3\bin.exe 23

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Trojan.Lokibot-7288215-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: D282E1
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ousehehehheheheh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ngngngnngngngn
1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 16
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
185[.]55[.]227[.]147 2
5[.]160[.]218[.]88 2
8[.]208[.]76[.]80 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
suksez-ab[.]com 6
versuvius[.]ru 2
novinsazvar[.]com 2
majidfathalibeygi[.]com 2
lapphuongshoe[.]com 1
pliykies8[.]net 1
orientsdelivery[.]xyz 1
arkhesol[.]info 1
Files and/or directories created | Occurrences
%APPDATA%\D282E1 16
%APPDATA%\D282E1\1E80C5.lck 16
%HOMEPATH%\ousehehehheheheh\ousehehehheheheh.exe 1
%HOMEPATH%\ousehehehheheheh 1
%HOMEPATH%\ousehehehheheheh\ousehehehheheheh.vbs 1
%HOMEPATH%\ngngngnngngngn\ngngngnngngngn.exe 1
%HOMEPATH%\ngngngnngngngn 1
%HOMEPATH%\ngngngnngngngn\ngngngnngngngn.vbs 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Worm.Esfury-7292180-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GPEDIT.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRCKILLER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PORTMON.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCEXP.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PROCMON.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FILEMON.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FIREFOX.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CRASHREPORTER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UPDATER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HELPER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CHROME.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OPERA.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SAFARI.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NETSCAPE.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCENTER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCONFIG.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGNT.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVGUARD.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVNOTIFY.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVSCANAVSHADOW.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVUPGSVC.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVWEBLOADER.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVWSC.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FACT.EXE
Value Name: Debugger
19
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GUARDGUI.EXE
Value Name: Debugger
19
Mutexes | Occurrences
@0MPfV5@mqt«sL+EVQ@XPbGP9@ 19
@0MPfV5@mqt sL+EVQ@XPbGP9@ 17
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP

ThreatGrid


Win.Malware.Emotet-7292844-0

Indicators of Compromise

Registry Keys | Occurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyEnable
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyServer
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyOverride
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoConfigURL
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionReason
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecision
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadNetworkName
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDetectedUrl
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
Value Name: CachePrefix
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
Value Name: CachePrefix
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
Value Name: CachePrefix
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: Type
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: Start
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: ErrorControl
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: ImagePath
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: DisplayName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: WOW64
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL
Value Name: ObjectName
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MINIMUMPIXEL 24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionTime
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-22-E5-B6-57-EE
Value Name: WpadDecision
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\88-22-E5-B6-57-EE
Value Name: WpadDetectedUrl
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\4A-80-98-B4-22-0C
Value Name: WpadDecisionReason
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\4A-80-98-B4-22-0C
Value Name: WpadDecision
1
Mutexes | Occurrences
Global\I98B68E3C 24
Global\M98B68E3C 24
Global\M3C28B0E4 24
Global\I3C28B0E4 24
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Packed.Gozi-7329531-0

Indicators of Compromise

Mutexes | Occurrences
Local\55C37268-60E9-964A-3299-E2046F3CC613 72
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
193[.]183[.]98[.]66 72
51[.]15[.]98[.]97 72
192[.]71[.]245[.]208 72
172[.]104[.]136[.]243 72
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
api[.]frame303[.]at 72

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid


Win.Virus.Neshta-7330232-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND 25
Mutexes | Occurrences
MutexPolesskayaGlush*.*svchost.comexefile\shell\open\command‹À "%1" %*œ‘@ 25
Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP

ThreatGrid


Win.Malware.Gootkit-7333291-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\IEAK 26
<HKCU>\SOFTWARE\MICROSOFT\IEAK\GROUPPOLICY\PENDINGGPOS
Value Name: Count
26
<HKCU>\SOFTWARE\MICROSOFT\IEAK\GROUPPOLICY\PENDINGGPOS
Value Name: Section1
26
<HKCU>\SOFTWARE\MICROSOFT\IEAK\GROUPPOLICY 26
<HKCU>\SOFTWARE\MICROSOFT\IEAK\GROUPPOLICY\PENDINGGPOS 26
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_14
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_15
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_16
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_17
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_18
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_19
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_20
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_21
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_22
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_23
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_24
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_25
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_26
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_27
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_28
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_29
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_30
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_31
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_32
2
<HKCU>\SOFTWARE\APPDATALOW
Value Name: DpiSsys_33
2
Mutexes | Occurrences
ServiceEntryPointThread 26
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Win.Dropper.Remcos-7334963-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\REMCOS-8N5JSJ 25
<HKCU>\SOFTWARE\REMCOS-8N5JSJ
Value Name: licence
25
<HKCU>\SOFTWARE\REMCOS-8N5JSJ
Value Name: exepath
25
Mutexes | Occurrences
Remcos_Mutex_Inj 25
Remcos-8N5JSJ 25
TreeSee 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
208[.]91[.]197[.]91 25
185[.]158[.]249[.]88 25
108[.]168[.]157[.]70 25
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
pearlsolutions[.]com 25
finnanlinks[.]com 25

File Hashes

*See JSON for more IOCs

Coverage

Product    Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection

AMP

ThreatGrid


Win.Dropper.Trickbot-7340237-0

Indicators of Compromise

Registry Keys    Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RefCount
5
Mutexes    Occurrences
Global\316D1C7871E10 42
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
185[.]79[.]243[.]37 11
185[.]222[.]202[.]222/31 7
172[.]217[.]3[.]115 6
200[.]116[.]199[.]10 5
194[.]5[.]250[.]82/31 5
45[.]142[.]213[.]58 5
66[.]55[.]71[.]11 5
46[.]30[.]41[.]229 4
31[.]184[.]253[.]37 4
185[.]244[.]150[.]142 4
45[.]66[.]11[.]116 4
176[.]58[.]123[.]25 3
104[.]20[.]16[.]242 3
190[.]154[.]203[.]218 3
187[.]58[.]56[.]26 3
36[.]89[.]85[.]103 3
181[.]113[.]20[.]186 3
94[.]156[.]144[.]3 3
109[.]234[.]34[.]135 3
45[.]80[.]148[.]30 3
177[.]103[.]240[.]149 2
185[.]65[.]202[.]127 2
200[.]21[.]51[.]38 2
186[.]42[.]185[.]10 2
107[.]22[.]193[.]167 2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 11
www[.]myexternalip[.]com 6
ident[.]me 3
icanhazip[.]com 3
api[.]ipify[.]org 3
api[.]ip[.]sb 1
wtfismyip[.]com 1
46igeuohbyzeokpe[.]onion 1
Files and or directories created    Occurrences
%APPDATA%\HomeLan 42
%APPDATA%\HomeLan\settings.ini 42
%System32%\Tasks\Home lan application 42
None 41
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 20
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 20
%APPDATA%\HomeLan\data\pwgrab64 5
%APPDATA%\HomeLan\data\pwgrab64_configs\dpost 5
%APPDATA%\HomeLan\data\systeminfo64 5
%APPDATA%\HomeLan\data\psfin64 1
%APPDATA%\HomeLan\data\psfin64_configs\dpost 1

File Hashes
*See JSON for more IOCs

Coverage

Product    Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid


Win.Malware.Bublik-7340719-1

Indicators of Compromise

Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 14
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\igfxcn86.exe
11
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\igfxcn86.exe
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Intel Network Service
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\igfxcn86.exe
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\LAYERS
Value Name: C:\Windows\SysWOW64\wmpnd86.exe
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpnd86.exe
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\DOMAINPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\wmpnd86.exe
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Media Networking Device
3
Mutexes    Occurrences
V8x 14
muipcdraotse 14
S3xY! 14
Global\<random guid> 6
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
195[.]137[.]213[.]67 14
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
vps573[.]intelbackupsvc[.]su 7
vps531[.]intelbackupsrv[.]su 7
j13[.]bull-quantum-media[.]su 3
j35[.]evil-quantum-servers[.]su 2
j65[.]coax-quantum-media[.]su 2
j16[.]fast-quantum-servers[.]su 2
j67[.]fast-quantum-servers[.]su 2
j30[.]bull-quantum-media[.]su 1
j71[.]evil-quantum-servers[.]su 1
j52[.]coax-quantum-media[.]su 1
Files and or directories created    Occurrences
\Autorun.inf 14
E:\Autorun.inf 14
E:\TmpMount004.{645FF040-5081-101B-9F08-00AA002F954E} 14
E:\TmpMount004.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmount-t285019593.bin 14
\TmpMount004.{645FF040-5081-101B-9F08-00AA002F954E}\tmpmount-t285019593.bin 14
%SystemRoot%\SysWOW64\igfxcn86.exe 11
%SystemRoot%\SysWOW64\wmpnd86.exe 3

File Hashes
*See JSON for more IOCs

Coverage

Product    Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (26364)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Madshi injection detected - (3206)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Process hollowing detected - (1973)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (1169)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Gamarue malware detected - (190)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (100)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Atom Bombing code injection technique detected - (83)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Installcore adware detected - (70)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Special Search Offer adware - (46)
Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.
IcedID malware detected - (34)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
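The "Excessively long PowerShell command" signal above is one a defender can reproduce on process-creation telemetry without AMP. The following is an added example, not Talos or Cisco code: it walks constructed process-creation events (Sysmon-style Image/CommandLine/ParentImage fields, built inline for the demonstration), flags PowerShell launches whose command line exceeds a length threshold, and additionally decodes any -EncodedCommand argument (base64 of UTF-16LE) so the analyst can see what was actually passed. The threshold value, the field names and the sample events are assumptions for illustration; the encoded sample is a benign Write-Output string.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed threshold for this example; baseline it against your own fleet,
# since legitimate management scripts can produce long command lines too.
LONG_CMD_THRESHOLD = 500

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
# The optional group deliberately does not match -ep / -exec (ExecutionPolicy).
_ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


@dataclass
class Finding:
    reason: str
    length: int
    decoded: Optional[str]  # decoded -EncodedCommand payload, if one was present


def is_powershell(image: str) -> bool:
    """True when the executable name is a known PowerShell host."""
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> Optional[Finding]:
    """Evaluate one process-creation event; None means nothing noteworthy."""
    if not is_powershell(event.get("Image", "")):
        return None
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    reasons = []
    if len(cmd) > LONG_CMD_THRESHOLD:
        reasons.append(f"command line length {len(cmd)} exceeds {LONG_CMD_THRESHOLD}")
    if decoded is not None:
        reasons.append("-EncodedCommand argument decoded")
    if not reasons:
        return None
    return Finding("; ".join(reasons), len(cmd), decoded)


def scan(events: List[dict]) -> List[Tuple[int, Finding]]:
    """Run analyze() over a batch and keep (index, finding) pairs that fired."""
    return [(i, f) for i, e in enumerate(events) if (f := analyze(e)) is not None]


def _encode(script: str) -> str:
    # Helper used only to build the constructed sample below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real observations).
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -e " + _encode("Write-Output 'benign test string'")},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -Command " + "'x'+" * 300 + "'y'"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c " + "a" * 1000},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {finding.reason} (parent={ev['ParentImage']})")
        if finding.decoded is not None:
            print(f"  decoded: {finding.decoded}")
```

The fourth sample (a long cmd.exe line) is intentionally ignored, matching the scope of the AMP signal, and the parent image is printed because a long or encoded PowerShell line spawned by an Office application is the combination most worth triaging first.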