Channel: Cisco Talos Blog

Threat Roundup for May 3 to May 10


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 03 and May 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Trojan.Tofsee-6965613-0
    Trojan
    Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
     
  • Win.Trojan.Zeroaccess-6965107-0
    Trojan
    ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
     
  • Win.Dropper.Emotet-6964837-0
    Dropper
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Trojan.Darkkomet-6964750-0
    Trojan
    DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
     
  • Win.Malware.Kryptik-6964485-1
    Malware
    Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
     
  • Win.Packed.Kovter-6964099-0
    Packed
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Malware.Python-6964012-0
    Malware
    Win.Malware.Python is a generic name given to malware written in Python and, typically, compiled into a Windows executable using tools like PyInstaller. A vast array of supporting libraries, proof-of-concept exploit tools, and example code makes developing malware in Python easier than with lower-level languages. Examples of functionality commonly seen in this type of malware include the ability to spread laterally by exploiting EternalBlue PoC scripts and file encryption performed by ransomware.
     
  • Win.Ransomware.Cerber-6963958-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Doc.Downloader.Powload-6959926-0
    Downloader
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
     
  • Win.Dropper.Qakbot-6962757-0
    Dropper
    Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
     

Threats

Win.Trojan.Tofsee-6965613-0


Indicators of Compromise


Registry Keys    Occurrences
<HKU>\.DEFAULT\Control Panel\Buses 24
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\fymsrzfu
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\fymsrzfu 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FYMSRZFU
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TMAGFNTI
Value Name: Description
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\zsgmltzo
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\zsgmltzo 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSGMLTZO
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\jcqwvdjy 2
Mutexes    Occurrences
\BaseNamedObjects\ServiceEntryPointThread    1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
239[.]255[.]255[.]250    24
69[.]55[.]5[.]250    24
46[.]4[.]52[.]109    24
96[.]114[.]157[.]80    24
176[.]111[.]49[.]43    24
85[.]25[.]119[.]25    24
144[.]76[.]199[.]2    24
144[.]76[.]199[.]43    24
212[.]227[.]15[.]9    24
43[.]231[.]4[.]7    24
74[.]208[.]5[.]20    24
192[.]0[.]47[.]59    24
207[.]69[.]189[.]229    24
94[.]23[.]27[.]38    24
64[.]136[.]44[.]37    23
172[.]217[.]10[.]228    23
47[.]43[.]18[.]9    23
64[.]98[.]36[.]4    22
212[.]54[.]56[.]11    22
65[.]20[.]0[.]49    20
208[.]89[.]132[.]27    19
117[.]53[.]114[.]15    15
74[.]208[.]5[.]4    15
125[.]209[.]238[.]100    15
213[.]33[.]98[.]149    14
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net    24
mx00[.]emig[.]gmx[.]net    24
mx1[.]comcast[.]net    24
whois[.]iana[.]org    24
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net    24
verizon[.]net    24
comcast[.]net    24
whois[.]arin[.]net    24
mx-aol[.]mail[.]gm0[.]yahoodns[.]net    24
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org    24
hotmail-com[.]olc[.]protection[.]outlook[.]com    24
cxr[.]mx[.]a[.]cloudfilter[.]net    24
microsoft-com[.]mail[.]protection[.]outlook[.]com    24
cox[.]net    24
mx00[.]mail[.]com    24
earthlink[.]net    24
mx[.]optimum[.]net    24
optonline[.]net    24
mx1[.]mail[.]icloud[.]com    24
mx6[.]earthlink[.]net    24
victoria1999[.]hotrusgirls[.]cn    24
irina1993[.]hotlovers[.]cn    24
hot-beauty[.]cn    24
hotladies[.]cn    24
mx[.]dca[.]untd[.]com    23
See JSON for more IOCs
Files and/or directories created    Occurrences
%SystemRoot%\SysWOW64\config\systemprofile:.repos    24
%SystemRoot%\SysWOW64\config\systemprofile    24
%SystemRoot%\SysWOW64\IPHLPAPI.DLL    10
%SystemRoot%\SysWOW64\fymsrzfu    3
%SystemRoot%\SysWOW64\winnsi.dll    2
%SystemRoot%\SysWOW64\kdrxwekz    2
%SystemRoot%\SysWOW64\nguazhnc    2
%SystemRoot%\SysWOW64\tmagfnti    2
%SystemRoot%\SysWOW64\zsgmltzo    2
%SystemRoot%\SysWOW64\jcqwvdjy    2
%SystemRoot%\SysWOW64\xqekjrxm    2
%TEMP%\chuuxwmr.exe    2
%TEMP%\tpjpvxpg.exe    2
%System32%\mzfgsdih\tpjpvxpg.exe (copy)    2
%TEMP%\nnmsdryb.exe    1
%TEMP%\vqxutqmn.exe    1
%TEMP%\nmyuzjtg.exe    1
%TEMP%\dtzstbra.exe    1
%TEMP%\tvqhyszs.exe    1
%TEMP%\gidulfmf.exe    1
%TEMP%\qtbbzxbk.exe    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\04fa61ce-e4d7-48c8-9def-427199d4e004    1
%TEMP%\vyggecgp.exe    1
%TEMP%\hcjgfcyz.exe    1
%TEMP%\omtpoxvm.exe    1
See JSON for more IOCs
File Hashes
  • 0647fc954ed93c7ea544d83e63a40d502f5fffd8a13f30017a73b67e9a45f1b2
  • 06cd974d945d25823b35d71c42c63223e70e3117e457e93dee236b32767bd7ec
  • 0780495fcad283f3b4d0a8c67ab1f899901a411609e5d418c32d63ea341ab025
  • 10d8ca95e213491b05ec904bb8632212e22886d66c45525c104678dc80f670ae
  • 125c11dec65eb1649338f5ed9442a65f79a0bcfd386e7db297de44ac7674c0b6
  • 243c7f05dc3569c907f03ed8a84d215ff9aa72c83cf3a2204d60e82c66d9aaff
  • 2db74b28c8d6fb6cd5dc708a4f63b5f0552edfdef708c2f86ea3a40361e963fd
  • 3a9fc763818d743f0b87fffc92d2fd29f6e76f182142a43a6b65c9d12dd3efd4
  • 3f057b371908761ce99846fe561f0c86376ee18ad0124fd8e848d7f2862e8c05
  • 43726985501f447b624194119724d9bf9673a6ec4a9b4d4367d8157569f5dc7f
  • 456d4a6d6fbdc25b6c9cafde2af81b6023293e564ddd6473e42f8e420f1fcdd5
  • 4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859
  • 539975f3e33f6b41f3038ed1101633ce5635004bce96ca7764c19a79fb4f83ca
  • 5a0f61ab9e096aa16c514f37f60853a708b3eed62dfe8c14643dcc2652141d96
  • 61baf3c68654787eab765e7361c07270cac1b7041a07062dff7485aa860fc4b5
  • 63f7598a21986a406d2a1ac946184140a80558bc7598bebabfcff82214895d75
  • 658a040596a2b67e36bd8af81037fefd039eae1bcf63b99928f3b5125e414019
  • 751ac2eb414eba0c3f93245c865f2162e328c461c5c844271ffb299df5d1e4df
  • 79c2cfd759cc6d1727c7f7015e40333900bda4571e91d18899b98025c0480b94
  • 7f5b069015e694544a2a693ddc7815c82c9ac6ec0d523ae9ed06d77b78965be4
  • 82fbb918e0d47f7d9992cd3c5479ee1468d608d1e176f7570994e99ffc66e6b0
  • 858f2612c45ad1bb0b986f74274f61224b827912f4e1a80f9121cad40edabacf
  • 8ac67c280615873b5aec89d5bd5838d2a23552e7c47511a99b64799d28d659ff
  • 8ad48911e8594b3530022ae45fbe12e40438c71cca38d2a7e85a8d3efd220180
  • 93cb0db5f5aecff9574b756b557280b61d557724591817013c016a3a68096be5
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella


Win.Trojan.Zeroaccess-6965107-0


Indicators of Compromise


Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
17
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\Epoch 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
17
<HKCU>\Software\Classes\clsid 17
<HKCR>\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} 17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\InprocServer32 17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32
Value Name: ThreadingModel
17
<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32 17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
17
<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
17
Mutexes    Occurrences
N/A    -
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
64[.]210[.]151[.]32    17
77[.]52[.]81[.]243    17
72[.]47[.]100[.]38    17
89[.]228[.]63[.]37    17
65[.]30[.]151[.]36    17
98[.]247[.]217[.]244    17
173[.]217[.]71[.]246    17
101[.]63[.]15[.]35    17
209[.]195[.]111[.]246    17
87[.]218[.]204[.]33    17
115[.]240[.]123[.]32    17
114[.]75[.]62[.]32    17
96[.]26[.]208[.]30    17
70[.]64[.]83[.]30    17
82[.]22[.]40[.]30    17
75[.]224[.]240[.]29    17
84[.]228[.]113[.]26    17
119[.]149[.]38[.]25    17
212[.]72[.]112[.]24    17
46[.]194[.]56[.]24    17
84[.]231[.]16[.]23    17
72[.]192[.]54[.]21    17
117[.]217[.]106[.]247    17
91[.]67[.]192[.]19    17
77[.]11[.]149[.]19    17
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
promos[.]fling[.]com    17
Files and/or directories created    Occurrences
@    17
L    17
U    17
\$Recycle.Bin\S-1-5-18    17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f    17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f    17
n    17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@    17
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n    17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@    17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n    17
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8    17
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@    15
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n    15
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@    15
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n    15
File Hashes
  • 07c405ee534570f541b59cdaa0f96ff7504589dd26b9e2c6f71e5b89b70fe77f
  • 105a3a1a379be2fc1efe05678726a2ff34183a3f6453af7fe11d3c93b00a06c1
  • 1f286fca031ace5bcd5d09af6aa0bbe2e01d709274ac02db69409b24d1605f63
  • 2334dabfb999ed340bb820f8db859248c8bda0345c044271effb482e08663397
  • 23b236a0c3a4f078b90afb13fb32d0c3f6bdd11b301cad889729699664f2e5e8
  • 2a7ec665835825ff43db2b82df1884ee5d481ef371ad4c3f8ce0e4e18bd9a2a4
  • 550ad9dda25a0f1130dd0da04ddef0621a1158db98a5c5ebf90113842c2164e8
  • 68ec8422d27625d1af4e31d6fccadd07f71cc055761b417d141a1865e58e6886
  • a68f8aa154a3c12d066e1876619eeee00034692251e4e1edd23c8c7028e9518d
  • a7f5fe66ec05e1672d7ce83e0745c028fb366c3341c8e1a907c99087dab346fc
  • b08915d6e08d92a3de5977effd344b6e22b2b0aafce2479a1aadd4842c159ab3
  • b7540ca2429a0ea057c84962b1ddb211dc20ac018b593dec8cb2501a74ab11a4
  • bdfb9125073845bdc6bebf19a27fa02d248dac1f7fe4c59fd0b677e8a0ec9f65
  • c2dc4f333f3ae35f5d40363a69639756e7b4533db364cb20f838543935510d1d
  • cdc9f0d84b8813ae03d846bf7596130a85151683e65bae067a7a1f44d066561f
  • fc84363a134bd0b2c3686c226773bc9a93e33189b2c606815e909b7d7fff79f7
  • feb2afe93c29bba4bf068e198b1e91ae95add4c104430969ae89f2f4202ba65a

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Dropper.Emotet-6964837-0


Indicators of Compromise


Registry Keys    Occurrences
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Registry Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\ASR Writer 3
<HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
3
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion 3
Mutexes    Occurrences
60F16AAB662B6A5DA3F649835F6E212598B68E3C    4
{7930D12C-1D38-EB63-89CF-4C8161B79ED4}    3
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D}    3
\BaseNamedObjects\{137A1A2C-4964-635A-544B-7A4CB2C11D0D}    3
\BaseNamedObjects\{137A2419-4964-635A-544B-7A4CB2C11D0D}    3
\BaseNamedObjects\{137A1A2D-4964-635A-544B-7A4CB2C11D0D}    3
Global\I98B68E3C    2
Global\M98B68E3C    2
\BaseNamedObjects\Global\M3C28B0E4    2
\BaseNamedObjects\Global\I3C28B0E4    2
MC8D2645C    2
\BaseNamedObjects\M19FB4341
\BaseNamedObjects\111OurStarterProcessMutex111    1
\BaseNamedObjects\222OurMainProcessMutex222    1
98B6-8E3C    1
M1CC2778A    1
M10F36403    1
\BaseNamedObjects\A0E8BDA3AF02242419905B05DA0C46C13C28B0E4    1
\BaseNamedObjects\M10E3D08B    1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB4C11D0D}    1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CBC291D0D}    1
\BaseNamedObjects\MEE098981
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB7411D0D}    1
\BaseNamedObjects\3C28-B0E4    1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
23[.]41[.]248[.]194    4
23[.]5[.]231[.]225    4
23[.]52[.]7[.]20    4
104[.]88[.]26[.]245    4
173[.]223[.]236[.]215    4
13[.]107[.]21[.]200    3
96[.]6[.]27[.]90    3
87[.]106[.]190[.]153    3
172[.]217[.]12[.]174    2
178[.]162[.]217[.]107    2
166[.]78[.]144[.]80    2
204[.]79[.]197[.]200    1
172[.]217[.]10[.]110    1
178[.]162[.]203[.]226    1
85[.]17[.]31[.]82    1
172[.]217[.]5[.]238    1
136[.]243[.]154[.]86    1
23[.]221[.]50[.]122    1
23[.]218[.]141[.]31    1
209[.]34[.]241[.]202    1
23[.]218[.]127[.]164    1
23[.]46[.]53[.]71    1
5[.]196[.]73[.]150    1
184[.]107[.]147[.]18    1
23[.]6[.]69[.]99    1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
outlook[.]com    4
www[.]java[.]com    4
www[.]onenote[.]com    4
dev[.]windowsphone[.]com    4
www[.]msn[.]com    4
web[.]skype[.]com    4
java[.]com    4
BROMNTUUD[.]XYZ    4
trenkulotd[.]xyz    4
QBULINTULU[.]XYZ    4
TRETITNUNI[.]TOP    4
www[.]torproject[.]org    3
supp7[.]freshdesk[.]com    3
n224ezvhg4sgyamb[.]onion    3
ygqqaluei[.]com    2
atw82ye63ymdp[.]com    2
warylmiwgo[.]com    2
caosusubld[.]com    2
bekvfkxfh[.]com    2
ydchosmhwljjrq[.]com    2
xomeommdilsq[.]com    2
xxsmtenwak[.]com    2
wwyreaohjbdyrajxif[.]com    2
grbjgfprk[.]com    2
mdofetubarhorbvauf[.]com    2
See JSON for more IOCs
Files and/or directories created    Occurrences
%HOMEPATH%\NTUSER.DAT    4
%HOMEPATH%\ntuser.dat.LOG1    4
%APPDATA%\Microsoft\gawbgrrs    4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe    4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe    3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe    3
%HOMEPATH%    3
%PUBLIC%\{846ee340-7039-11de-9d20-806e6f6e6963}    3
%PUBLIC%\Pictures\Read_ME.html    3
%PUBLIC%\Pictures\Sample Pictures\Read_ME.html    3
%PUBLIC%\Read_ME.html    3
%PUBLIC%\Recorded TV\Read_ME.html    3
%PUBLIC%\Recorded TV\Sample Media\Read_ME.html    3
%PUBLIC%\Videos\Read_ME.html    3
%PUBLIC%\Videos\Sample Videos\Read_ME.html    3
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\jumpListCache\Read_ME.html    2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\safebrowsing\Read_ME.html    2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\startupCache\Read_ME.html    2
%LOCALAPPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\thumbnails\Read_ME.html    2
%LOCALAPPDATA%\Read_ME.html    2
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\Read_ME.html    2
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Read_ME.html    2
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\Read_ME.html    2
%APPDATA%\Mozilla\Firefox\Read_ME.html    2
%HOMEPATH%\Contacts\Read_ME.html    2
See JSON for more IOCs
File Hashes
  • 1e04bcdb51abfed7d2093115cbcaec092b5e8840556f172f368c0a62057c7a37
  • 20c8e37dd60b38bbc9af1f55478e1d7618131bcc5bf383378a2bf00c6ffc1a08
  • 2d7102eb62f9f8c523b7500c5b47eb4cadeff07b2980552e5f8f59aede506eb1
  • 42697c161579c4e96b49f91935b12b3ec042ce5bfc5a583e8b44b416eb5fcf8f
  • 433ad951f81e55b63f14fafe5c606532dc08343bb803d149867c767953a94a66
  • 5550f5e1a7f27b537a1de8c945877755f8a89c28376c12ed2a635a6cc6f375b3
  • 7dbcdbf63ed234c18481358441ee78e0c156f3da60bee606c6c52eafa25fe499
  • 8196fe92cc4b2a674b7014b4505ba3339e8ad36a004d03d77b125e1f9aec76ad
  • 8b2699e4d5ac77bdd3674321b114c05e674f30979b0f032c53a4fcf5a3b11aa5
  • bd86fa60126d2c23abd5e75dbd4b6b952550a7ab1c17139ff009bca37729d7d7
  • cdc8557f6b22789a9d4e10149f9c60f94f217bcb1f695b239fe7a12a0dffaa67
  • d77d9f14025de5483c623673b3f5c4bbe8cdd01c55658c25b62970bf1be6a736
  • d9d2d222e053edc845ce56cdc0ff3516f8e962ee226434772609ee8ce6edfc91
  • e63d957b42d76bc73d03a937d1e2267e4f92c0d9ac0b678124785ea14ce9b991
  • e6c00d963b75e7e5e3f037d54dd3d7099f92dfae0cda82fb5d483e6e8ce8b33b
  • f00a7ca48e367919a09a255d040f3321e3a189ecf7533b0233b3299c9f61f207
  • f1e2beb854ed706d5837ebb789373b83ff0a658f717173227f02bcb4e40ad1b8
  • f88c591028ab0a8084ae15fdeee2afcc87be6980198d9c0ff863e9ac4c5a807f

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella



Win.Trojan.Darkkomet-6964750-0


Indicators of Compromise


Registry Keys    Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\System 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKU>\Software\Microsoft\Windows\CurrentVersion\Policies\System 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
4
<HKLM>\SOFTWARE\Microsoft\Security Center 4
<HKU>\Software\Microsoft\Windows\CurrentVersion\Run 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\Policies 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CurrentVersion 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\Explorern 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicrosoftUpdateService
2
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 1
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E 1
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Data Serivce
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: winupdate
1
Mutexes    Occurrences
DC_MUTEX-C6LXJS9    2
DCPERSFWBP    1
DC_MUTEX-5E3YFKY    1
52hfxfx52    1
DC_MUTEX-75QQLTV    1
DC_MUTEX-P1ZGY19    1
DC_MUTEX-MZMFQQS    1
DC_MUTEX-CNAFSEW    1
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
69[.]55[.]5[.]250    1
12[.]167[.]151[.]119    1
216[.]146[.]43[.]70    1
162[.]88[.]193[.]70    1
104[.]27[.]193[.]92    1
104[.]27[.]192[.]92    1
51[.]38[.]231[.]9    1
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
dezgorm[.]ddns[.]net    2
250[.]5[.]55[.]69[.]in-addr[.]arpa    1
checkip[.]dyndns[.]org    1
119[.]151[.]167[.]12[.]in-addr[.]arpa    1
www[.]whatismyip[.]com    1
checkip[.]dyndns[.]com    1
worgodd[.]no-ip[.]org    1
oliwierze[.]ddns[.]net    1
testezinho250[.]no-ip[.]org    1
weath[.]ddns[.]net    1
sr3u[.]und3rgr0nd[.]tk    1
Files and/or directories created    Occurrences
%APPDATA%\dclogs    7
%HOMEPATH%\Documents\MSDCSC    3
%APPDATA%\MSDCSC    2
%APPDATA%\MSDCSC\msdcsc.exe    2
%HOMEPATH%\My Documents\MSDCSC\ Microsoft Update    2
%HOMEPATH%\Documents\MSDCSC\ Microsoft Update    2
%SystemRoot%\SysWOW64\MSDCSC    1
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe    1
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe    1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC    1
\Documents and Settings\All Users\Start Menu\MSDCSC\msdcsc.exe    1
%ProgramData%\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe    1
%HOMEPATH%\My Documents\MSDCSC\msdcsc.exe    1
%System32%.exe    1
nigzss.txt    1
%APPDATA%\svcost    1
%APPDATA%\svcost\svcost.exe    1
File Hashes
  • 28b4c182eede85890244ea0678da95e9744cdf175dd8748e257064e6e867824d
  • 32f509646e99c7aea9d15d180ec891328fcba9dd156750d370f481dc586d674c
  • 548d4d3ee7271c7b57f7b99c0b1348da5d1c94e7acfe1adc47f296a562af47d0
  • 725fc28899391ced1970b4caffa22f4b92a636a4a5596c587855f4040f93e557
  • a3117c0c2a3d2bbe0bb4bdf2ee37d3bd461c3116ff018277c70aad51498552d5
  • a7e82cc0def7a4884816f9a97e85675cc0d1d4d8db8ea0c01f35f26de41b654e
  • b1c674e44363aae15e87840db0f5a1123e98228a1c33110b41270318cd2f4ada
  • d5f888e61113f8cef35692be3a876caf5ac1bbb6fa7983a28e0a1de0f964cd92
  • f78968d304d87b83e759cedde480ba74011e92fd9701c77207bcdc0935735940
  • f99d91a32c833a44ff5d8f938251401eae021320777e2e6f217948a50f8af428

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Kryptik-6964485-1


Indicators of Compromise


Registry Keys    Occurrences
<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mbihas
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: anblid
1
Mutexes    Occurrences
OneiricOcelot    10
OnlineShopFinder    10
P79zA00FfF3    10
PCV5ATULCN    10
PJOQT7WD1SAOM    10
PSHZ73VLLOAFB    10
QuantalQuetzal    10
RaringRingtail    10
RaspberryManualViewer    10
RedParrot    10
RouteMatrix    10
SSDOptimizerV13    10
SoloWrite    10
StreamCoder1.0    10
Tropic819331    10
UEFIConfig    10
UtopicUnicorn    10
VHO9AZB7HDK0WAZMM    10
VRK1AlIXBJDA5U3A    10
VideoBind    10
VirtualDesktopKeeper    10
VirtualPrinterDriver    10
VividVervet    10
WinDuplicity    10
WireDefender    10
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
N/A    -
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
N/A    -
Files and/or directories created    Occurrences
N/A    -
File Hashes
  • 06aa0afbdfa537fa2a213bc400553e62935911ff40b2e899c839109b3aa76343
  • 0a8dbca58db6fd04e3b0fcb3ba3a08843676eb43362794b13d2b294b1428a8e5
  • 310433c733a765de4ebad4517cc227c0aa326bd496e9a0971a2c5fb2cc080e05
  • 516873875312e95e415216eecdbb0fe3799559cd774d68dd10f67b2e413cb646
  • 6155690a39ca14c04877424c2292c638910cce74e766d55036e6c3f8133f0c8c
  • 70b6964498ad91dc5cf69bca30abec8c65f549e6f11ce47b62cc999bfe167374
  • 85d7d87f0fa1cd3a5d405274286f4298ac9d66c6cd17bf90d7245bb2e0bc5b8b
  • 94c981cfdc9ec45d961a33c802e24c3c8c50771ed36e66fc5d06e7faaaba602b
  • ab44bd641e6fabcb49e6f7febd81073e296b8df9b868cf6cbadcc8515c089355
  • e1abb836355f1085113d6e4605b0eb941c965720eea05092993b8180756fb738

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Packed.Kovter-6964099-0


Indicators of Compromise


Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
16
<HKLM>\SOFTWARE\WOW6432NODE\Policies 16
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore 16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableConfig
16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
Value Name: DisableSR
16
<HKCU>\SOFTWARE\MICROSOFT\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS 16
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\Windows\CurrentVersion\Policies\Explorer\Run 16
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\RATINGS
Value Name: .Default
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_AJAX_CONNECTIONEVENTS
Value Name: svchost.exe
16
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths 16
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\Safer 16
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\WINDOWS
Value Name: þ
16
<HKLM>\SYSTEM\ControlSet001\Control\Windows 16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6 16
<HKCU>\SOFTWARE\D1B9ACC6 16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 3
16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 3
16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 5
16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 5
16
<HKLM>\SOFTWARE\WOW6432NODE\D1B9ACC6
Value Name: 2
16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 2
16
<HKCU>\SOFTWARE\D1B9ACC6
Value Name: 4
16
<HKLM>\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore 15
<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings 15
Mutexes    Occurrences
D1B9ACC6    16
D1B9ACC6E1    16
D1B9ACC6C2    16
D1B9ACC6C1    16
83EA3AF0E3D35BA8DAAEABE15EF52FFB    16
IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
N/A    -
Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
fastfront80[.]com    15
Files and/or directories created    Occurrences
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred    16
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-10cabfeabcac    2
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-2ccabfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-20cabfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7a-24cabfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f7b-10cabfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f77-14cabfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-13cbbfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f78-13cbbfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-a195-7aa28d9ef0c9    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-8f79-2acabfeabcac    1
%ProgramData%\Microsoft\{5c7b6c54-f92c-e302-cc6c-11c738737558}\{5c7b6c54-f92c-e302-cc6c-11c738737558}.exe    1
%ProgramData%\Microsoft\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}\{51f28878-5ee4-7fc7-2641-51d5b1ab0163}.exe    1
%ProgramData%\Microsoft\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}\{2c1f2442-de97-b471-1e5a-e1b8cd979bac}.exe    1
%ProgramData%\Microsoft\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}\{98b64c08-f14e-d5bc-4a88-5494c78ae8b5}.exe    1
%ProgramData%\Microsoft\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}\{c5ca3f16-fae8-6d16-a509-2b3ce12f8839}.exe    1
%ProgramData%\Microsoft\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}\{03cb90f2-8403-8565-a4ee-fbb9c4bec76b}.exe    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-7ea28d9ef0c9    1
%ProgramData%\Microsoft\{9f9c3524-008c-a947-9125-69a3e6df8b87}\{9f9c3524-008c-a947-9125-69a3e6df8b87}.exe    1
%ProgramData%\Microsoft\{5590699f-0760-ca35-28f0-aed17ac9b62a}\{5590699f-0760-ca35-28f0-aed17ac9b62a}.exe    1
%ProgramData%\Microsoft\{c1735532-f3d2-0705-27fb-c9515444a59c}\{c1735532-f3d2-0705-27fb-c9515444a59c}.exe    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af75-13cbbfeabcac    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8199-78a28d9ef0c9    1
%ProgramData%\Microsoft\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}\{349d3e26-16cd-3c5a-17e8-a6b5712e298a}.exe    1
%APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\5731e7cd-8311-408b-af7b-2ccabfeabcac    1
See JSON for more IOCs
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Python-6964012-0

Indicators of Compromise

Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
Value Name: TrapPollTimeMilliSecs
20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156Agent 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CurrentVersion 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\Parameters 20
<HKLM>\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters 19
Mutexes (Occurrences)
Global\D0E858DF-985E-4907-B7FB-8D732C3FC3B8}20
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
79[.]98[.]145[.]4217
45[.]79[.]77[.]2016
153[.]92[.]4[.]495
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
info[.]abbny[.]com19
info[.]beahh[.]com19
info[.]ackng[.]com19
42[.]pl17
ip[.]42[.]pl17
jsonip[.]com16
Files and or directories created (Occurrences)
\TEMP\m2.ps120
\TEMP\mkatz.ini20
\m2.ps119
\mkatz.ini19
%TEMP%\_MEI19082\Crypto.Cipher._AES.pyd4
%TEMP%\_MEI19082\Crypto.Cipher._ARC4.pyd4
%TEMP%\_MEI19082\Crypto.Cipher._DES.pyd4
%TEMP%\_MEI19082\Crypto.Cipher._DES3.pyd4
%TEMP%\_MEI19082\Crypto.Hash._MD4.pyd4
%TEMP%\_MEI19082\Crypto.Hash._SHA256.pyd4
%TEMP%\_MEI19082\Crypto.Random.OSRNG.winrandom.pyd4
%TEMP%\_MEI19082\Crypto.Util._counter.pyd4
%TEMP%\_MEI19082\Crypto.Util.strxor.pyd4
%TEMP%\_MEI19082\Include\pyconfig.h4
%TEMP%\_MEI19082\Microsoft.VC90.CRT.manifest4
%TEMP%\_MEI19082\_ctypes.pyd4
%TEMP%\_MEI19082\_hashlib.pyd4
%TEMP%\_MEI19082\_mssql.pyd4
%TEMP%\_MEI19082\_multiprocessing.pyd4
%TEMP%\_MEI19082\_socket.pyd4
%TEMP%\_MEI19082\_ssl.pyd4
%TEMP%\_MEI19082\bz2.pyd4
%TEMP%\_MEI19082\ii.exe.manifest4
%TEMP%\_MEI19082\msvcm90.dll4
%TEMP%\_MEI19082\msvcp90.dll4
See JSON for more IOCs
File Hashes
  • See JSON for more IOCs

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Ransomware.Cerber-6963958-0

Indicators of Compromise

Registry Keys (Occurrences)
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 11
<HKLM>\System\CurrentControlSet\Control\Session Manager 11
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
11
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 10
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld 10
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 10
<HKU>\Software\Microsoft\Internet Explorer\IETld 10
<HKU>\Software\Microsoft\Internet Explorer\BrowserEmulation 10
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\mshta\DEBUG 10
Mutexes (Occurrences)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
api[.]blockcypher[.]com11
hjhqmbxyinislkkt[.]1j9r76[.]top8
chain[.]so6
p27dokhpz2n7nvgr[.]1j9r76[.]top3
bitaps[.]com3
btc[.]blockr[.]io3
Files and or directories created (Occurrences)
%TEMP%\d19ab98911
%TEMP%\d19ab989\4710.tmp11
%TEMP%\d19ab989\a35f.tmp11
\DAV RPC SERVICE10
\Device\Null10
%TEMP%\8f793a96\4751.tmp10
%TEMP%\8f793a96\da80.tmp10
\I386\DRVMAIN.SDB10
\I386\EULA.TXT10
\I386\HWCOMP.DAT10
\I386\SECUPD.DAT10
\I386\SETUPLDR.BIN10
\I386\WIN9XMIG\ICM\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XMIG\ICM\SYMBOLS\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XMIG\IEMIG\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XMIG\IEMIG\SYMBOLS\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XMIG\PWS\SYMBOLS.PRI\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XMIG\PWS\SYMBOLS\RETAIL\DLL\MIGRATE.PDB10
\I386\WIN9XUPG\E95ONLY.DAT10
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Malware

Doc.Downloader.Powload-6959926-0

Indicators of Compromise

Registry Keys (Occurrences)
N/A-
Mutexes (Occurrences)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
protemin[.]com12
moda-blog[.]com12
chenrenxu[.]com12
depobusa[.]com10
webaphobia[.]com3
Files and or directories created (Occurrences)
%HOMEPATH%\820.exe12
%HOMEPATH%\438.exe10
%HOMEPATH%\813.exe3
\TDLN-2060-411
\Device\NamedPipe\Sessions\1\AppContainerNamedObjects\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-26303127421
%System32%\WindowsPowerShell\v1.0\Help.format.ps1xml1
%SystemRoot%\SysWOW64\7Dvm.exe1
%TEMP%\CVR550.tmp1
%SystemRoot%\SysWOW64\9LObZfUjohYq.exe1
File Hashes
  • See JSON for more IOCs

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Dropper.Qakbot-6962757-0

Indicators of Compromise

Registry Keys (Occurrences)
N/A-
Mutexes (Occurrences)
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
N/A-
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A-
Files and or directories created (Occurrences)
N/A-
File Hashes

Coverage

Screenshots of Detection

AMP

ThreatGrid

Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Madshi injection detected (3477)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (2818)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (1467)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (521)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (172)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Atom Bombing code injection technique detected (146)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Suspicious PowerShell execution detected (97)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Installcore adware detected (69)
    InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Dealply adware detected (40)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Excessively long PowerShell command detected (26)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
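To show how the three PowerShell heuristics above (execution-policy bypass, a command pulled from an environment variable, and an excessively long command line) translate into a detection check, here is an added example in Python. It is not Talos or Cisco AMP code: the regular expressions, the 400-character threshold, the pipe-delimited process-creation log format and the sample events are all constructed for this illustration.

```python
import re

# Threshold and patterns are assumptions for this example; Cisco AMP's real
# Exprev logic and thresholds are not public and are not reproduced here.
LONG_CMDLINE_THRESHOLD = 400
_POWERSHELL = re.compile(r"\b(?:powershell|pwsh)\b", re.IGNORECASE)
# "-ExecutionPolicy Bypass" and its short forms (-ep/-ex/-exec); Unrestricted
# likewise drops the signing requirement for script files.
_EXEC_POLICY = re.compile(
    r"-(?:executionpolicy|exec|ex|ep)\s+(?:bypass|unrestricted)", re.IGNORECASE)
# An environment variable handed to Invoke-Expression, in either direction:
# "iex $env:NAME" or "$env:NAME | iex".
_ENV_VAR_EXEC = re.compile(
    r"\b(?:iex|invoke-expression)\b[^|;]*\$env:\w+"
    r"|\$env:\w+\s*\|\s*(?:iex|invoke-expression)\b", re.IGNORECASE)


def classify(cmdline):
    """Return the heuristic names a single command line trips (possibly several)."""
    hits = []
    if not _POWERSHELL.search(cmdline):
        return hits  # only PowerShell launches are in scope for these three checks
    if _EXEC_POLICY.search(cmdline):
        hits.append("Suspicious PowerShell execution")
    if _ENV_VAR_EXEC.search(cmdline):
        hits.append("PowerShell file-less infection")
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        hits.append("Excessively long PowerShell command")
    return hits


def scan(lines):
    """Map pid -> heuristic names for each 'timestamp|pid|image|cmdline' event.
    The command line is the last field and may itself contain '|', hence maxsplit=3."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        _ts, pid, _image, cmdline = line.rstrip("\n").split("|", 3)
        hits = classify(cmdline)
        if hits:
            findings[int(pid)] = hits
    return findings


# Constructed sample events (not real telemetry); pids, paths and the variable
# name are placeholders, and a run of "A" stands in for an encoded blob.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f"2019-05-07T10:15:02Z|4120|{PS}|powershell.exe -File C:\\scripts\\backup.ps1",
    f"2019-05-07T10:15:09Z|4188|{PS}|powershell.exe -ExecutionPolicy Bypass "
    "-File C:\\Users\\Public\\update.ps1",
    "2019-05-07T10:15:13Z|4207|C:\\Windows\\System32\\cmd.exe"
    '|cmd.exe /c powershell -nop -w hidden -c "iex $env:stage"',
    f"2019-05-07T10:15:20Z|4231|{PS}|powershell -ep bypass -EncodedCommand " + "A" * 600,
    "2019-05-07T10:15:31Z|4250|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_LOG).items()):
        print(pid, ", ".join(hits))
```

The benign scheduled script (pid 4120) and the non-PowerShell process trip nothing, while one event can trip more than one heuristic at once, which is why the result is a list rather than a single label.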
