Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 11 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat NameTypeDescription
Win.Malware.Remcos-9870545-1 Malware Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.TinyBanker-9870642-1 Malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Packed.CoinMiner-9870654-1 Packed This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog /blocking-cryptomining.
Win.Packed.Dridex-9870842-1 Packed Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Malware.Adrozek-9872066-1 Malware Adrozek is a family of malware that hooks into installed web browsers to inject malicious ads onto webpages and that can also steal login credentials to websites that a user visits.
Win.Packed.Razy-9870963-0 Packed Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.DarkComet-9872302-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware has the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Upatre-9871108-0 Packed Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.Gh0stRAT-9871236-0 Dropper Gh0stRAT is a well-known family of trojans designed to provide an attacker with complete control over an infected system. Its capabilities include monitoring keystrokes, collecting video footage from the webcam and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Malware.Remcos-9870545-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X 10
<HKCU>\SOFTWARE\WHNASBXNNZBXJSHDCNXBZNXCNVMKKSJNXBCVDFGHEJSKICMMNXBZCDVANXNNCMDJFHGKLOEIEDHNCBXVSANMZBXCDBCVNFDJDHHSNJSJDJNCNNDKJMXNCB-PHCEFW
Value Name: licence
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN
Value Name: NOME
10
<HKCU>\SOFTWARE\WHNASBXNNZBXJSHDCNXBZNXCNVMKKSJNXBCVDFGHEJSKICMMNXBZCDVANXNNCMDJFHGKLOEIEDHNCBXVSANMZBXCDBCVNFDJDHHSNJSJDJNCNNDKJMXNCB-PHCEFW 10
<HKCU>\SOFTWARE\WHNASBXNNZBXJSHDCNXBZNXCNVMKKSJNXBCVDFGHEJSKICMMNXBZCDVANXNNCMDJFHGKLOEIEDHNCBXVSANMZBXCDBCVNFDJDHHSNJSJDJNCNNDKJMXNCB-PHCEFW
Value Name: exepath
10
MutexesOccurrences
Remcos_Mutex_Inj 10
whnasbxnnzbxjshdcnxbznxcnvmkksjnxbcvdfghejskicmmnxbzcdvanxnncmdjfhgkloeiedhncbxvsanmzbxcdbcvnfdjdhhsnjsjdjncnndkjmxncb-PHCEFW 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
oxbornl211[.]hopto[.]org 10
Files and or directories createdOccurrences
%APPDATA%\remcos\logs.dat 10
%APPDATA%\remcos 10
%TEMP%\Sylss.exe 10

File Hashes

351c4c1ec4d57e4b3a0fa63b45a4058edaca8fb575a248b8fba2fd479380b3d2
4ceb897b5d36abf9a80646343b44ce5c371d3ceebfa4702219a44540ed0375a7
50469f12480bd827eb0b76abed001a3e04dbebe82ec0725d2efdaa3ddb4fc121
a34fd82434a4fad680f1c6bcdfe5fe7d003d17eed4018f1033e5611dab65c0f2
b87510780ca87a63eecaef13eb95fa26bf0b7f38638743e772d6db69bb98f5c2
bae42ce386ac9e12098f91b3fc3797c1fb050b87abfaa7eed9cb9dc3606ed62c
d82f7ce909f376d082915a7d2f85e848b9e3409487eb64d5be38a02196ad8f7d
deb0467fb80df026f5ece9f91d0f2c87c5693d3ce5c804d189eeb80726cb9448
eef5a3ee6e8e467e54332174e5067067c9e3ade47bf8c39e82c3cdeadc0f12bf
f337370d79475a54f6de5139a94a17644c6668f02e45c684754542392795368c

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.TinyBanker-9870642-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: F9D4B853
25
MutexesOccurrences
F9D4B853 25
<random, matching [a-zA-Z0-9]{5,9}> 9
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
216[.]218[.]185[.]162 9
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
elitiorecfreetoo[.]cc 9
ljjskttqximu[.]in 6
ljjskttqximu[.]net 6
ljjskttqximu[.]com 6
fovcpylsiqvv[.]com 3
ljjskttqximu[.]ru 3
Files and or directories createdOccurrences
%HOMEPATH%\AppData\LocalLow\F9D4B853 25
%APPDATA%\F9D4B853 25
%APPDATA%\F9D4B853\bin.exe 25
%APPDATA%\6B42FF54\bin.exe 1
%APPDATA%\795E8E1E\bin.exe 1
%APPDATA%\14DCEDC1\bin.exe 1
%APPDATA%\0E5B1F2C\bin.exe 1
%APPDATA%\6B29CFF6\bin.exe 1
%APPDATA%\38F87083\bin.exe 1
%APPDATA%\567D7950\bin.exe 1
%APPDATA%\6D2CD281\bin.exe 1
%APPDATA%\44C5E997\bin.exe 1

File Hashes

0217aa99cea70b16c0def81b3ec85f42ae58a42bf629d2670435c802e4dec066
0471f2d8cb6d8cbc7319b57cd1f2692c1234eae3cf77812608ed5c6ea3a4bd97
050b7e37261fbd95fbe9790f96c31ca1c06027068f38fea04936172c667366ba
05f9107414a73ca3b7ea4b29890071a00ca03f7d0dbc6605a3f4db9703cc166d
06e72fed3f7d90b859f2ae36a799e9c3d3579c8312c82d6c86a55ec54076e05e
06f04b351a13f5c55209115d548bf58b50de7630d0ecf33d90d552b8aed6a1b0
0715311356ac408e48f90f4e7c14515dea2c477dcbd76ad3748f5d79f9170790
08f1028e92888c8e3e0dc0f4a2b3aea7ae0902fd1f72e70cab2641a311009b5d
09efab02ee0e7b237d0fdcd5f975230e83f0e46a1c44ad4d92264dc8e66fa0bd
0b78e7d99344c94f3eb3008fbf4bf8f16377b44e9ae5388d911bbe5c4fbc07c9
0ba2f065fb5d65b88777bf518167ea183086d135c346087175ef888d8ab4308f
0d64fec726c86785d685d24b464171b10437d1689f0d11433e1bec91941dfe62
0dcfb3a3fd7889f037959f23f40cc45cb122c9d0c8f650f7039183b4c00a8b56
0e06637b054c7daf7d7301a60787f5c366498ca9d45f9ed592f6998b625b75f7
0f17b43a43acdf788a3e51a6807860b7576af5a0ae13a4989601359d9e9ef088
0f3a6ce3aee4c002955ad458eac798546b3883a162b948903ff7aed6bc007270
114642f47b9855c88508e17c0a87784cb8f2459146fdd776106fa5345fdc5da6
118a785393502e70b962995f4b976e76ff94e1b6728153c3a134d6c644f6ff55
12ce9877aa2f80f416a91612f7e91d8b60e1174670d9928035863c1e88c75d2c
12feccde34c8b18880f5a8d2f27ae9e951598b3dfe68a03b7e6d368d3034c31d
141117683740cab9831e368513b7fbfc125d73c61800d44ae9048314fb006a2a
15226a30138f17363023897575fafba7d5840f6539f054fe5a8792a98a3e155f
154cc9ecdf70620b74786985cd4201fbab8aa2d1145c3e401022b36717f84bec
1550b42794be5628d212d99ec9c2b685fbdc159d9f2583a432d80cff92b6658b
165fec8f85690fa1861708ac8da3ce0c815ce4d86877f4e6afd767321ef1251a

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.CoinMiner-9870654-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Services.exe
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: VLC.exe
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
104[.]23[.]98[.]190 7
104[.]23[.]99[.]190 6
157[.]90[.]156[.]89 6
162[.]55[.]36[.]41 3
18[.]210[.]126[.]40 2
49[.]12[.]80[.]40 1
49[.]12[.]80[.]38 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com 13
mine[.]bmpool[.]org 6
pool[.]bmnr[.]pw 3
xmr[.]pool[.]minergate[.]com 2
gulf[.]moneroocean[.]stream 2
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Libs 18
%APPDATA%\Microsoft\Libs\WR64.sys 18
%APPDATA%\Microsoft\Libs\sihost64.exe 15
%System32%\Tasks\Services 10
%TEMP%\Services.exe 8
%APPDATA%\Services.exe 4
%APPDATA%\WinCFG 4
%APPDATA%\WinCFG\Libs 4
%APPDATA%\WinCFG\Libs\WR64.sys 4
%TEMP%\svchost.exe 1
%System32%\Tasks\svchost 1
%APPDATA%\rundll32.exe 1
%APPDATA%\WinCFG\Libs\sihost64.exe 1
%System32%\Tasks\rundll32 1
%HOMEPATH%\VLC.exe 1
%TEMP%\c6ef4c2b-9a55-40b4-957b-c3cb74191397 1
%TEMP%\c6ef4c2b-9a55-40b4-957b-c3cb74191397\GunaDotNetRT64.dll 1
%HOMEPATH%\Exloader Update.exe 1
%System32%\Tasks\Exloader Update 1

File Hashes

02b9348d45451443e4ba72e8ca26231feed6b978cbad762ede667e56936b2fbe
06ad60f8f1012fbec6f7b59263cc37dd59eb9013a8ccee6c2e6d6f80aef9c972
1b1519f2761444721cc7c1dd7003177276c5289d0a6f02d75a1847759a7fd78c
1be0bd5bc01195397f1d21aef5accd9581992c839d5605c446b857554109927c
224821f1a065695f1a71686220b4b779b9f0d6b18251374f6627f061bdc0a264
2bedbb7b99fdfc1d66c05c7047464be21f2bb96aafe3b931f2ebbb60d42cbb89
3bf9cf57c4d2c22f7c3b94b429adbdb32f1e4c65f051d3c7ee5acc1c0a8f3598
401fc418e31ad89e37f224683c6b3c905ad526e584c8d8cfc07cbe11b5ab1382
483c99751e071ef6bcfd420a7f3d1f22d89a9371948932364c8d62649ee45f6f
48ac2c72bd4e8a33f11edaa077bc774446d341937dea254dd22712b61238464e
4fffc0d3f8b97f820a0c5e1b6145a0df9b297f8caa317a3748b176ee3733ba8f
5c494da7dac3cc9867936d84d1096916d68f7ccc09b748dbcc5af8ec5f76b25f
5d3431c554e84b9e76ba598bd6ad9595b038e4b89a36730a8014f9bad6ef05cd
600ac06172b9eb31cfd35eb3b9a49f831efded43e60387430f4b4241c4b8ea6c
61a7abf3398784bf04e18b5737d476d82e4ab347ee734a521c607c113c2efeb7
6265e638ec667c3ff1b069ad6e3c274396256f6ef3b5fb02dcac7712f697ec33
7b36529d8a4f9e12dce18aa958d0a950303a1a070a20ccf407c9964366cf9a52
8d25a71e9f178809a361abec986b59ee3cb2e92eb41455080c0e9f6ed68349bd
96ad12715ff441a99c0eb727723bb4261eb87c53247817b98b0984745850cd04
9d7109953d2af36546567d6ae0ad935f9a0d5693e71632069004388fd3327af1
a2adc950231215ab9740646c948109476b902fa27afcdf351deac38f2996ae7e
a5efee070065325c5e7c7cecfbffc4f2d4bd580c282309045e5dfe82f95a6f36
a872965ffe638665e1b1bbb05a30c2d022549bb9fe07680119062cc630fcd48c
af6f21925242d031b6af02497986d0cd5c933c4567ee558a5e780cc53565b8a8
b3b752fc9a62667bdad3fcf93e4f493e0b285124fe3c93455f4ea41dd7426fcb

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Dridex-9870842-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
26
MutexesOccurrences
<random, matching [A-Z0-9]{10}> 26
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]217[.]7[.]14 19
104[.]23[.]98[.]190 14
104[.]23[.]99[.]190 12
172[.]217[.]197[.]138/31 7
23[.]3[.]13[.]88 6
172[.]217[.]197[.]100/31 5
23[.]3[.]13[.]154 4
172[.]217[.]197[.]113 3
142[.]250[.]73[.]206 3
172[.]217[.]197[.]102 2
172[.]217[.]12[.]206 1
172[.]217[.]10[.]238 1
172[.]217[.]7[.]238 1
142[.]250[.]80[.]46 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
pastebin[.]com 26
w[.]google[.]com 26
www3[.]l[.]google[.]com 17
www[.]qj7lhusuak[.]com 2
www[.]abepihehok[.]com 2
www[.]uuv8o5qtja[.]com 2
www[.]fxxt7qvkdf[.]com 2
www[.]1reci0glgs[.]com 2
www[.]l9p3as8oen[.]com 2
www[.]f7gwfiqoug[.]com 2
www[.]b6doakgava[.]com 2
www[.]nbmclz6kb2[.]com 2
www[.]3ot8vaxox0[.]com 2
www[.]n3sqgb5ux0[.]com 2
www[.]eag7xpzsj0[.]com 2
www[.]4q73kif30e[.]com 2
www[.]gfs2nigbvw[.]com 2
www[.]4cp9eyi7se[.]com 2
www[.]0pofjumsme[.]com 2
www[.]bxxea5jpgi[.]com 2
www[.]sxfgciznet[.]com 2
www[.]m7sv6t4rcy[.]com 2
www[.]2gxtjxcwlb[.]com 2
www[.]nyzo2bp18b[.]com 2
www[.]qfjmchvfbb[.]com 2

*See JSON for more IOCs

Files and or directories createdOccurrences
<malware cwd>\old_<malware exe name> (copy) 24

File Hashes

0051d46a5fadb5ce83161125aeb4ca3d267447bd9e86357acb1e186470491ae7
059e2960d950bbacdb0a25f4d7a32c539db0f7827d5ad12887b5f7054443b52f
05b0397492a571028d9c548bcf95573e09355b3b13ef2ac827ac85a293c799f6
0616c8857127a282a7c8fd587d0166c0c2a6e4eb893268af5e1b8690b04afced
0f4e33d942d08197203bc3c8da3d7a5b1547293ead43984f602ebf2e9e4898d6
0fbe8cb0e9bc7a349ff8e2eb1400cc6345a2b272a444c0dd966d8dc037d1e8ba
10c2bde457a6b2e3c78e09bcf70ce0e5700994cd828ebc47d73a315207697828
11d2bb53c7ef0fce3b42d14a2da96f9de8033bfab5ea1d98c9d5077b7c13a4d3
128106ec3dd57d182f8be500f3f723dd1973af12b056974eb6594454876769b4
1372fd8d93d60a0f6e39e159ebf973bb972ebf367dd27e383d5b2990b0044e51
13c5e61a74721d8ecfac90bbbbd29ded9054350199bcaae3a68408cde6cd50a7
1476c60f8744ebaa64eb38a02c465b0282b4d3ab153eb2cab3ed78a9d433fc6a
155d7861afbf29f576c207976c1d175e46ad16822e22e70cde664df7f2d0dbaa
1739b9ea69447cc4501a0dc5022bf7e330d5113590fa529ecdcd35b2e4ede656
1cfdbbe8eb86bc5cb4bee0fa199954cf8f9610a2acce13fa44ecfbf84b80e4c8
1ecb01e12afc326d5cb329280c029fad150b67e1c6cf651a92aee2813690647b
200fc6de01eb55dbc6e82000f5a095e7c322c0ec07b6b89958b5e91680dbc03c
25069224cb3cba7ab275009ed478273d4cce9ff1d59f522e97390887a542c79b
2516a61546a1888b960cd2685cc3ed258ec3aa3c90412f62fc2b0dd0645d03c8
2761a14283b963cf8cbb167e922ed74ce9b63a4ab6519cb2c459d4861c42e706
282919998809230fe173814b6e34e39396f61d1992afd6b140f48a04ef3781f4
286c012c3edf08c4089a85fd45607969084365e53ca47111b25e8a55b7dcb91e
2a4742222ecfd03af6573f4e4a9a75c2f101702e6fe16cbfe1cf6ef4d881464f
329164937ed6aa2a2d5817b80e5efb110ac506df292cb2fcdc05dec677921005
338486f6e96c34286419918f374472e453d77495b51790569262e1f92cca9c06

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Malware.Adrozek-9872066-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER
Value Name: 3_tag
24
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER
Value Name: k_tag
24
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER 24
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER
Value Name: s_t
24
<HKLM>\SOFTWARE\WOW6432NODE\MACHINER
Value Name: id
24
MutexesOccurrences
Global\<random guid> 24
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
104[.]21[.]70[.]96 18
172[.]67[.]222[.]123 14
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
samegresites[.]live 24
17 3
d7 2
a6 2
8a 2
ba 1
7b 1
35 1
4a 1
0c 1
e7 1
3b 1
a2 1
ae 1
fd 1
8f 1
8d 1
47 1
c3 1
73 1
Files and or directories createdOccurrences
%ProgramFiles(x86)%\MachinerData 24
%System32%\Tasks\Microsoft Windows Defender Update 24

File Hashes

08fd3bb559801fab985948ff60e1c401748f15f984cc97eba1b5df40d3ea7f3d
10fd8954b7cca02d9626aeab22aa83a78da048373240c974ceb377b07a681e7b
335a85988d6bacc3a40953cf08bd6c4b566d9709047a88afe2a39853e4e1c100
343ac51ead89330503b44ae586bab14aac56eb79a66b516008bed071c8249b44
34e9a6dc3305522fe0f7c2fc5b32470cb9b7030399540cfbd77c446c5e4deef5
36efdada787fd28c159aeed83f6b0705aef2500bdcd580e6cc99fae2c877bcdf
3875fc6e3943320f325744e333fbece600ae698bd487a35e3213ffb39a4a1d0d
38f59793db1d3bec60edc5ed713806c5da7849bf5d3f650ccae4a2401cf1a9d3
4e9dd245afef951c71a630ec50aabdbc78a124ea4998a0c387a83d25c13a1534
6aff8643efe69aecf3d4622625798b096d51b5fd059bc1951eeb7fcf6000bea4
70f8c5bda086c2c7c57323a73cdd79733f96e6469425a64a3831220deb39e410
7593f048565f8f670235752d0eadd89283642914b0880b17a7d62e7d2828cdd4
7d7c8697ad7cf150272bcc9122313beb6ac6bd8ab332d273a0c362d45a44942e
8314fcd8b479a297bfa032f346c9b756e9d7ad09e60f2dbc28c63c01568c34d8
91b8754b8cce45e799a6a0065aa40510b415685a4c2ef5cab481732e445c9c93
9a08ad7762d034f89cd79ffe2572d2fab89afa2469e3e4f79cdba306692bfab7
a7eb6746122f4956c799dc5a6867482d20d6283c236cdf365a3b798960e2b6a4
c03bf4b9260aea99dffc7018f146e526d06c4223c0960569053f332c2eb0f85b
c0a51cea4eae1fe116c4ca31cb3894056cdb59b74297947b36e34dc6cf382ab0
d741991f7f94b13b60a425b7e08f9c23f0e7090b50043739faba65986765cd77
d84613966bf88a906e11fbeaaa7fd3aa1b89fec4d1bb5fb56de42e5becf198e7
e54fb4b85b5ede5ccbbdb4d245899dc98f5a83acb17a36e066a5d6a009f3aa52
f81893efe49e8f32bc1c894530357ed6cb745ff4f4f3b4e8b68b6fae424befd3
f88f07be1a5d936ea0a75b9630e99b60e9b0332e84a2ced53c6622ae24acda19

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Razy-9870963-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\2712425CD298393FE7BDC288EAA7E90D
Value Name: FRun
25
<HKCU>\SOFTWARE\2712425CD298393FE7BDC288EAA7E90D 25
<HKCU>\SOFTWARE\2712425CD298393FE7BDC288EAA7E90D
Value Name: O`ld
25
<HKCU>\SOFTWARE\2712425CD298393FE7BDC288EAA7E90D
Value Name: Q`ui
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Security Protection
20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Malware Protection
5
MutexesOccurrences
Security Protection_MUTEX 20
Malware Protection_MUTEX 5
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
35[.]205[.]61[.]67 25
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
soft-4download[.]com 25

File Hashes

039617365826829cb304a1ad20552cc8400356bc0e20dc08c753f91def0aea0e
04946e6608bfc641110f553e6b98d8e1dd9ac952f6d69340f48510ced915ecc1
09fc22d1175f70023a2957cbd9a8c598ea7f5ab30d285e3df8807f65ea470f1f
0c3bfaf00bf3a65c177833fffef2a1c2c7ffedcdd71c49c3e0426a3b79a09207
0c5a082247bdeb2f4f986a648236ab3e8c0c68f1a0cd24137fc9606d64ef28a4
170e1cdad6ba14ec06196182c689f9ea701f639be87c84c3a010c396037258a3
1e6cf1a6a613881724b22029acd0028511ba672ceeafbf94060b2276451e6072
1edfd11a13af00a943b784183e14bb8e13f94be8a24eee5481d2b691c600bd00
1f96e41ca0ccd0f2f750187571c3b267571ce02b510dc2dbd53f679778a92b87
255ab5107c296d2fd830aae485cb8148a62179f5bead3e7c91291fc95f30686e
298984580fa338ba76b621140780184e73d3a4a2a6847305af21aeff02bf5cf6
2de90aa58decfd6bc0efa569f9416058802c619da43d4b8551b16732d34bd044
3136dc4ec760145330d18bc4da2d64f3cf68506ff22a64a1d824642576660e5f
352365525e8eb160abc316d7694f742b119e6e6185e076b171a0062c99cc2ee7
3777c9f266a5343e114d0d6c17c4dd6dbacd3fd82787377134b53e140aadb920
395c5d3716ffe6c55ac44008aba39cdff373e4d22372fe05a9657c39505fbd87
3dd0a9dee3f1a73f03520e0d76a49d5e7eba15ac02762e96ab16afd1acc84770
4164a0c5c7fbe24f8e7a8c2be0a9114f37a30a77dcda850873b67ea8b0a8c9ec
422bf4641db8be98aaa6536f4fb31435dd10c556d3c217103c301d7aedd7d8b3
424d3ece1b655f35191f95bb6f2cb07a7cfdde95427e2416f7a1cf6fbb9cb910
436d98cac5c723bf397eb4ffca93ce15427521573fd3e4bf9667b824de1c89aa
4514c21088cf0979d6b12a114a3c06750a737bd1d11f1b0f04bf1dbaf09e860d
48175e1a6ca7189e217731e6a4208073be96b612006a1342ecc94fa1f9f0f638
4848e6c7504f46373100cb7293a5391b5e0cbfbafa54dd322544adf7a904055d
49b08a17def8c71095b11d1d456796b53c4d01717421b69fddeb9d6d3d524e69

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.DarkComet-9872302-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\DC3_FEXEC 8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winlogon.exe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Loading
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update
1
<HKCU>\SOFTWARE\ZZGITE3 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{85I07JMG-0MJ2-M0M6-6715-OU82K7Y42778} 1
<HKCU>\SOFTWARE\ZZGITE3
Value Name: ServerStarted
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{85I07JMG-0MJ2-M0M6-6715-OU82K7Y42778}
Value Name: StubPath
1
<HKCU>\SOFTWARE\ZZGITE3
Value Name: InstalledServer
1
MutexesOccurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 8
DCPERSFWBP 5
_x_X_BLOCKMOUSE_X_x_ 1
_x_X_PASSWORDLIST_X_x_ 1
_x_X_UPDATE_X_x_ 1
XTREMEUPDATE 1
KyUffThOkYwRRtgPP 1
ZzGitE3 1
ZzGitE3PERSIST 1
ZzGitE3EXIT 1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
13[.]107[.]21[.]200 1
188[.]187[.]1[.]85 1
37[.]192[.]44[.]128 1
31[.]193[.]90[.]60 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
ashotbot[.]ddns[.]net 3
www[.]bing[.]com 1
kiselekchannel[.]ddns[.]net 1
nelss[.]ddns[.]net 1
tibiasoft[.]no-ip[.]info 1
Files and or directories createdOccurrences
%APPDATA%\dclogs 8
%SystemRoot%\SysWOW64\MSDCSC 3
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe 3
%TEMP%\MSDCSC 2
%HOMEPATH%\Documents\MSDCSC 1
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 1
%TEMP%\MSDCSC\msdcsc.exe 1
%APPDATA%\MSDCSC 1
%ProgramFiles(x86)%\Microsoft 1
%ProgramFiles(x86)%\Microsoft\DesktopLayer.exe 1
%SystemRoot%\SysWOW64\winlogon.exe 1
%TEMP%\MSDCSC\Loading.exe 1
%APPDATA%\MSDCSC\update.exe 1
%TEMP%\196KillerMamonas RPG.exe 1
%TEMP%\196KillerMamonas RPG.exe.exe 1
%APPDATA%\Microsoft\Windows\ZzGitE3.cfg 1
%SystemRoot%\SysWOW64\svchst 1
%SystemRoot%\SysWOW64\svchst\svchst.exe 1
%APPDATA%\Microsoft\Windows\ZzGitE3.dat 1
%TEMP%\196KillerMamonas RPGSrv.exe 1
%ProgramFiles(x86)%\Microsoft\pxBA27.tmp 1

File Hashes

19bea011f0b7cd8b007071076698db3f363af0117624ab2acecb445d0effc104
2438d98520bff9aa704d0c66af92f06bb1fa2301a23e3fe3a451ab11731d6cfa
2c17c9a5bd677dc0ed8c34cd1d67945e20d4815df50f62272817f50846bf43e0
4b9b56ba115ddca985c105f715a69e33de0aca8269f142f56efeb74c9676da2a
579d36a4d7bd44e868f5dec198050a727d093897e0395d456fe927c90a665fdf
6bb97d306df67a11a36fc5b749717199f4d8ad828962e558e36add96aeee7d6b
94b68fb51993400f1f80b3236973a839ec6aaee6611cc3412e19939dd8406c11
db42b08f61b945fa39065f62c1cf89b9c1cad5a3ae8a81820b6b76ac42da3a6c
e4faef951b3f224091290539faa2794ea7d4e0ba28f7d4b544778367c850681f
e9a6c94a8107475fe5069a28b9bbd076056ef4a77b6a295d376a79cec364c119
f1c0261b4ced400fe85a54b10310e8202fe685863ac1e56d007eca8f067f7719

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Packed.Upatre-9871108-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples
MutexesOccurrences
131 25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
93[.]185[.]4[.]90 25
104[.]18[.]6[.]156 17
73[.]175[.]203[.]173 15
69[.]9[.]204[.]114 13
188[.]255[.]175[.]213 13
173[.]248[.]27[.]163 13
188[.]255[.]239[.]34 12
173[.]243[.]255[.]79 11
37[.]57[.]144[.]177 10
104[.]18[.]7[.]156 9
173[.]248[.]22[.]227 7
188[.]255[.]236[.]2 7
188[.]255[.]167[.]4 7
173[.]248[.]31[.]1 6
173[.]248[.]16[.]79 5
72[.]21[.]81[.]240 4
173[.]248[.]31[.]6 3
24[.]240[.]107[.]12 3
64[.]182[.]208[.]184/31 3
178[.]214[.]221[.]89 2
104[.]238[.]162[.]182 1
104[.]238[.]141[.]75 1
104[.]238[.]136[.]31 1
104[.]238[.]145[.]30 1
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
icanhazip[.]com 25
cs11[.]wpc[.]v0cdn[.]net 4
Files and or directories createdOccurrences
%TEMP%\VyleLog.txt 26
%TEMP%\vylepoket.exe 26
%TEMP%\jitoposse.exe 6
%TEMP%\~Jit695A.txt 6

File Hashes

006b8a51b1b4530412190eb1d79600b840f25fa043c8ea0cd5ae2731900bcac3
0142865dc5a0c76b52567ea7a50d7b33b825e2ce250889afe9d957e86c996650
022c618d3dd56eafc0e83968d3ef8698275ccd786437c7c98ff14af798057416
028e0069a879065a23285f9398c9fd521abcffd257ed5363e786486ca12bb494
02e5c3dab061d2579bc146a754b49eccc41e12feeb033e19acf0651476614004
031074193f784d9bbe938ac3d2099d401cdbd167a98918758b41a599812fec34
042b77131a7053744b4c53406652fd2858eb1fe29bd53e42ac4cf3495e44f31f
05cfce3abc698c03950c525ab7e4f424d982dc47fa825a2f8f56f63a9de7a451
0607d7a743e74a2d94b7dfd3a8279dba1a03f58fe0925624274903fa672a4abb
07f939283a2395728ef5954101045749763019252d200499fc4c872a68454764
0881d0ddf82b080790b3ddc63ede23b875b6fb698ca8ccc2ee121a4c168fa1f9
0ac7f16571bf5cbda7d20d1fc9b05d56fa81233cb19aa39eb41c53a875c82588
0f70b2478717ac8a064180e2830372b48be5d17eac7891daab063f0a7b8476f7
0fd943ce98ee2d1d14c2be03be0964051711041c7ba8cbbd1a59110d4dd132b5
123a061816cca2484510c52376cf019980b2afaca994f5ce5f34ceb0987d9024
12925b2e84b5d12ad35dc2d245b4e25459204f0ad1a36f2dbe2c465c35e2aed7
13f47159d9717767527c2f54cd28c20b69d7eacb291f3d4635d4edc717b9986d
14ed27320955421c73ceec322bc4bea75e8b61de0fb1a41dda27f485a24b91c9
15490031d4371607dc712c822a91ec19e5cdd80aa0919f54990d7c5f2b3e456d
162e1b519df7b38683babd77b29b7699a3587edc5270754ad0c82ecfeb9e3827
16c9e7cc8433bdedbe18246e60aa7cac31523edc6afc52ae558e26478e251f50
188c9818d3286902e5d09679282bdb2e856ce99056c42c61d3de4915aa8a0be4
18d7caa1855e3dd00a1e69ba5469feed4db87750c1bb1069d2468f43ff2b2ab5
19614683b011dfca8c050e37ba663738ba71b1f1c21fc5be80bc9a6035560284
1b59c918b816c4e8cb948774df7f226198f555781d7180f031915f7a10f6e7c4

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Win.Dropper.Gh0stRAT-9871236-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\CLASSES\.KEY 26
<HKLM>\SOFTWARE\CLASSES\.KEY 25
MutexesOccurrences
gaoshouzaimimang.f3322.org 25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
108[.]171[.]248[.]211 21
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
gaoshouzaimimang[.]f3322[.]org 21
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupÿ 25

File Hashes

001036c6fe986d00733e8d18c91483698f60b4ae8fbd97eac146735456f4f96b
00ab74450a4388e77a5ea42ec153589b6ad01db873244bdddc92259d4c4d49a3
056e16be2a7ab13f7e6a2c2ee632eb5e916925f33a73509dcff75208420bc3b1
109c68482cb95f75c1927d3e3e65731b68f75928a6b9b1b3444102bd097899e7
15ba42bb5292eb1dcdda2276682d8ea0df7faf593ea48940adb9c19c3847cfdb
1aedbdb763d452776a3a02c9451b9a21262574e74d18986f7a616491e1c77c27
1b245f3a7ce036bbcf763c54ff957686e974da4be7eb1d922148c588924c06fd
1eff2317b3f7aa21b2a63ef6e096cfc113ab0f29856bb77d8af79ee8eae2243d
233a383f4866d22b23700cce1c1cfd315b1385d68fee92267ca1fde4c91eeba1
24554b58eee07bf84702ef65d8091a74baf50144dff15ea97b37487dc597fc6a
315bae08dda6624232dec2516dd663d8268a63fa3fd1a6e6d392147f8471c290
40b75c419d09c7df6d2288f75ef66313b8ebcbf17dc9096c9f2ace60c5433d86
491d3bc841d4b8a1095ea971d93d54460871e025cd36ce9340398222c456a77f
4f6876c6dad5822286d4cd73871fa4daea15d69c6bbec12da4e15ceb4fc9d6c5
55871576d5fa3e124fe12d1cc0711b8cfbb49b0e9a958979adcdcb21cab25259
57466f12a6db3f993dd07b1e4ba63c74889cb3881564ecf3d28c109a7bf499d8
5ec3a039991f559b9fbf4155ea4d70168b656e2442b86322efad22889e0ab471
6e6e283fb06e542768e27863025cd9527d71bf8980a47a8629052f88fa289d6c
727f9b736de2cfe833df7875c7221d18fad867358e3313e3839a17a7625d0ef9
82b8539ca7832388e4496c7cf8595028546f91eecd3406e30bc04ab6c955db51
82ee770d3bdebc3435722cfe40af7969f3ec6f9877ef500f31f505be89954f0e
8d42cc6b3e83e8b4a6182b8d4c6d2dea9a1db88094ed6ffc9b31c620d860314b
8d4dc7db1ab0720ad3ed6514efecba231f769c623b77fcca345cfc737deb32b1
96da45123eba130ec6941055deba17ad9f9ee3734d3dcedc7a4c47c340a66be3
a4c4c01eed381f15e42064d8ff8a043dcd801d78599874c79264e013dc561b8a

*See JSON for more IOCs

Coverage

ProductProtection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (12418)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Excessively long PowerShell command detected - (5736)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Reverse tcp payload detected - (2106)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Crystalbit-Apple DLL double hijack detected - (1682)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
A Microsoft Office process has started a windows utility. - (810)
A process associated with Microsoft Office, such as EXCEL.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Kovter injection detected - (601)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Squiblydoo application control bypass attempt detected. - (451)
An attempt to bypass application control via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Dealply adware detected - (403)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
IcedID malware detected - (209)
IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.
CVE-2019-0708 detected - (141)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.