{"Doc.Malware.Powload-6815340-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.", "hashes": ["016449ce658b591c81a660cdf3aa38bfff92a5f107ba172c31e127954b36e344", "28cf4ee192bfbf24ef0bc9a8eff889501ddaf08031c4c369035ddeec949e2879", "3356b99748cd869b64a8be09de12dc8af1f417acd040e6ca4d80344ad58eb62c", "33bc3b2d5e4464eb9a12fcbdd7a4dc0a6e7c02f3e2149325f473e1d59c019022", "388fe279f421985cb9e147aaf8231a98c832874952c396a13df08894c3a9714d", "38e53d78bb20c1475bb99e81348df948a7a2a7c54e553f7a07297e53de59ea15", "581e775919ebf602a88369287a40c6b746ebf0a6e4f631c627091527690ab6c3", "5a2e46067d3710ece2abdb092e7a3e49075ca19d0849e6499fb7953c28a9ec8e", "8c2bd29b1fc6bb1e3187ba8cf8329847e419fe62b6ed3f2e054991dcade63dda", "aa800f12bc65cd7580d5f75a3b19de5333ccba6b81a4d7df58556c7878a4d82a", "b5d324893085f52a6b7d750b41d3039462d0e66e2e07f36d7aa07ab53f694790", "c7cb43c0854e5691b41f80496be003f9c1741e2921e5ee039645e220190162a2", "d7e114011982bf58dbd1752874d27895b1716fc1a0a02f8515a3384c9dde7a97"], "iocs": {"domain": [{"host": "www[.]dawsonvillepropertymanagement[.]com"}], "file": [{"path": "%WinDir%\\SysWOW64\\tabbtnfetcha.exe"}, {"path": "%UserProfile%\\664.exe"}, {"path": "%LocalAppData%\\Temp\\drp4vham.v1t.ps1"}, {"path": "%LocalAppData%\\Temp\\h224jefh.5gj.psm1"}], "ip": [{"ip": "187[.]163[.]213[.]124"}, {"ip": "68[.]66[.]216[.]25"}], "mutex": [{"name": null}, {"name": null}], "registry": [{"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "ErrorControl"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": 
"ImagePath"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "DisplayName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "WOW64"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "ObjectName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Description"}]}}, "Doc.Malware.Sagent-6813871-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites. ", "hashes": ["15c651628f4ccd80f1d6ff52a3464610cd9f7fe31ffcc332c15bb4abaa5a3486", "184ccc288232c76b5589ec0c6aeb280c934a5ad35c0c7155146d71030a040b40", "20d9a0f8fe27a43d9d99fd593c8d8af9b9799172c5b7179aa5a8cd2219de3b28", "210999842efd1221eb1973f2f18bdc8e8764ee19bba2680ac931edb357c72c29", "219520e560a9eb432aba9d319c3c959ff9fe3f4a3ed9eb7f34ff13d1f8fdeaa1", "2ad4db5a367762fcde6ddaffc4159f16f82c15d0af81b17d445327acfdc896ed", "2ce7330a70040737397b483674680e27bcbdc67390dc64df11319539f15d4c79", "3382c6cad4e8edd4f9423bfb6a7c0b2404386274280b9dbc09da6b40c3a976c0", "37e0df1c725974d8842dbfd1c97c2808174bb13507008056d71acf5dcb16be86", "3ca90d5bcf6aa92241dbfd3974542febbf325d25458643f2705fa71233445213", "3fb6a4110c75a5c207da5997ed9b61fa0987d505bcb64aefad0676b1403fcbf6", "4aa3fa1ef3642be02826ef9466eaf90427857dcdaaca6b7086b842527376f6fa", "4acbd8ebac5a1cfcb72aad7e5f1ff3b21d2541a931964a07de2a50bcb9325121", "4b122ed996a80e03a2056abfc84a875b6c3cf2f02081f8546fe62ba9308a8e58", "57b90075a2a9821278a1ce760e5fd36f35f5ff5e768bef60f04aa4ac3741bc9d", "58503078fa335ae31c9c405e1ae21f9784a8b1fa397481289fbd387549d1d857", "58972ab31449176f9d62c6b35bcd63843cbeeb099b374e56b2c1cda373fb880b", "7bb379b42a8c970753eb37ecfd9e33fc758a9e24cd72594e1463b967552884d7", 
"807a8434cc34fb0b2875b8a8edbad637e29225288e8400c58317d6e50a93a2c7", "8d10a6a99658759428cc5ab65baf57aee16ab607c23e2fb779e60450883aceb3", "934acd0d0bb2e9dd8c533594fc5b883a5542a7cbfc967a64243810124ae1193d", "95329196e424d530c8d1871241a630b2bebaf7d7c2ceeda21e1d5634f6fdd721", "9aaeb10b1fa88e535d1c4d1b4313c0423173489c9e6b90f1922cd86df0c2c316", "9dae1c9ef8a1bad9c6d708cef1e3f156eb634f406af397c55fca0fd3763311c2", "a50bbe414048cadb53c22770c78fdae9ac730249693ca7d46df239732938b3f1", "a9c8f17f0ab4816915ce54f6f44b61b81699adfc5d8746a8575a8deb085e5364", "c1d96a67fe7ef5167ed20032a3cfb29e72e451293a38a208f4c33ac23a2ef031", "c3216b2eccb30c178ea9b2760e8a3425c4cba06b2ca91a68aa94d58196996289", "d7901fc18b11c1fed24c4c6f34a8715c705c4e4806cb20ce48357a086ebab64f", "d82ecdf13473ba7a21b9249396186a1834834ba3e33c8bd59e77247d765898bd", "e011dc60c1e15bd58173b0d4b99968bfbb196d7a3e3d8fc0c48ec9b38c813417", "e4c3853c7ecbe9aa4944b55a9c007ee5a4060b93df905b2980174e0457305634", "e780fd1f5f969766ea3b11bdcd1a01f51f07346942e95caf1098dc9973a31dd1", "e9ac4df60f1d93149af474b6a26a29fb35ce98f834c23795488d501c6cd5d44f", "f0d8e56e95b43a3575bbb53701e95881ddf0c6b2246138dfad3e355a379bb9e7", "f1aa79aec4d5de86cd0fc1a6ee8f2fe92cd88f6e20850ceda20b9c432f44c66d", "f3c0263167708bbce2f451776ce0c2c79b3fb11b7113f7958f5edbad4622bfe4", "f50da10873273002acff6937efa273fff54fdd971eb12b2842d0e219f81923d4", "f8de8e542f9d43ab90d44fa94a92aa5a0160162c797b175b57fcbfaf402d275b", "fe96b521f7e6812d074e2421a9fdc95ca570766d19594dfb386d3d4518f2b006"], "iocs": {"domain": [{"host": "www[.]richmondchamber[.]com"}, {"host": "madisonda[.]com"}, {"host": "carminewarren[.]com"}, {"host": "chefshots[.]com"}, {"host": "carriedavenport[.]com"}, {"host": "ezpullonline[.]com"}], "file": [{"path": "%TEMP%\\cFi.exe"}, {"path": "%LocalAppData%\\Temp\\lhfpz4cu.e3t.ps1"}, {"path": "%LocalAppData%\\Temp\\nxli3mbc.5ex.psm1"}], "ip": [], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": []}}, 
"Win.Downloader.Powershell-6810733-0": {"category": "Downloader", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "This cluster came with spam emails containing zipped JavaScript attachments. Once the user runs the file, these malicious JavaScript attachments use PowerShell and BITSAdmin to download and install the Gandcrab ransomware.", "hashes": ["08523df3d1943edaeddde63d82ef9883c647fa0e32e6dd38b6ea132e5e67a938", "0ece442fd0f210407f128e1cd0c32fcac42f18a7490be62f6ef445725ec6c08e", "14eb1abed6c28c1b3f34d15f663cbad4ccd35f586e72dd6bdb68cc2295f46ed4", "15d55efbcadf80890653db8d710f5dbd8af0a15aa02174287864b76dbac711e2", "4525956fa304c39359981f0a0541985395b52f33bcb3bffba82576abad5d83da", "4e60c907247bb3dc206de6c9a59fcd2dc108cd0f7e3109a41eed3b29b0e2dc6b", "61c1822c8e0feeff2e35a6f821d634a9306c9c6fcebce3459a43c9eb3e482b04", "7ee9421633c1cf45b855551025d7c8b5eccca16a32a569ef62265b067e142d65", "82b4b7bb6a74ac688b563543f1720bdbe2c91319e9eede5c4b9fd0979c99dd03", "864586f404a45319aa1b921f460f6b672b0f0f384442366dcca7a9b8deeb0cfe", "8a48ab287acb6260e4ec3d1e59631d8ec91f3a8bf848dc5f1e97657fd2be5112", "b41d6173c4a345c945451a444954a44569984fe4695047155e8f5328fa0fa0b5", "bc2f6a4105f310dde0bd1ebc80e0453f6cf660d55414ee8638eaba339e372696", "e23b6494912529d6339e9922048214a2dc0162489e33a3c1750c99348865b68e", "e5cef04fdb9f9a47979db41eb80e5fc148b2b374c6ad28bd831283ac538e9c77", "f92034a3417a6f0506dc7392fd745731be810b21f9dffb4e3b6b0b1b794f45fb", "fc378a5892438ed05fcbdfc422eb4de13f1cab8fd30385c96c19532a9c974ee1"], "iocs": {"domain": [{"host": "slpsrgpsrhojifdij[.]ru"}], "file": [{"path": "%LocalAppData%\\Temp\\979574639568794.exe"}, {"path": "%LocalAppData%\\Temp\\jqlrdsf3.aw2.ps1"}, {"path": "%LocalAppData%\\Temp\\qg25nwiz.upp.psm1"}], "ip": [{"ip": "92[.]63[.]197[.]48"}], "mutex": [{"name": null}], "registry": [{"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\BITS", 
"value_name": "Start"}, {"key": "\\SOFTWARE\\MICROSOFT\\TRACING\\POWERSHELL_RASMANCS", "value_name": "EnableFileTracing"}]}}, "Win.Downloader.Upatre-6815606-0": {"category": "Downloader", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.", "hashes": ["0008e3366cdb87658cde4f85f0e5741be774af2694012c5f8502c1d51759dee2", "0b9fbbdcc9efc61347e0f0c483098d42ec98a6111a8009e5e5ff1447a82e1687", "1af0f85fde6d7365d4a97557f244cd95138a9803c2761d224fccc0eb0b4ad98e", "1f6e5f75292636c7188d6f9cdcaa7597e0c251a3be8ce984488d68914f7ec9df", "26b32472bb1a256a74573ec41e62fd871bb4ea756e4e8d57a941a032f6f405cd", "285311d3a4d8608b94d4b3cccf3b9af094b5cdb51f7f92820b3b5bda8252137d", "31db2340ffd8138aa3edaaa8029a30ea69a7e15ddbc1305f358c1478ff86f520", "3cac1b87633da57b21fc38fc0da4f861e1dce3f8e48a2ced1824466da0b96049", "3ef053f471053ead09f9b6dd0e54d13d64c83b5cb8141a8bece7acc66b61cca7", "429612f20949951f879009fd9843668237baf3aaebd55c645f30e4f08d12e203", "43c983dc9afe5727c47415c4a49ae29ea9ecc0ee902dc1918a9b5b9717f29e54", "4e57fa6fb7d6ba5604b731123416a1c0f57802c4f2f4b639e1cef7734b14156c", "4e7249b5bab1568c6f288313c0fae32350aaa909cae234618a5cf2d63a55b9b0", "505bfa3c9c8e636aea732304b35f433d2293b0d0551c838a1b92f1c3f5fe7c7b", "5914cd64a76b00d7959492292242ddbf42db9664a12f28aa42ee55c9d1a331c5", "60d0b3f876b5e3e71a670dcfe60e42fef400122b74c63918fc77a35b31acdf93", "653d6a96f4df49dc81a7cf2093cc622ebbeedd1a5e7298f61cc7227e8757aa50", "68f21b90a6486f1288e88f5e00fe69bb35dba3fadba68212c226d4661d6cd6e2", "6ea9adfb2dd8d038803708173b88f366d79a8de500268f988f9d34a7717ae5d3", "7266abbcf661e5648958d321114eadd09b05fa00cf7ba67610fbcc97cf5d8094", "78d18fd4a7d66bd3c6c7b7a6b962f115a1059d7587e933b295621ee4b46813ef", 
"83c355f8cc2eb5f2381bfdbfa92db493891b2d08519d575e6a27e677cc60b1e1", "83fb58f507b34a716b4e2a7b7edfcd184d64ec7577e2fe2c4cf26aaf2ab2ec46", "8d59f4516f1d894e8b52ec3f4ed5d5ee0e0bbacfc3e51078a9209641e5c0bc02", "a0adfc3962b66d010da50d5fe1821b5a0cdbd85d98b03914655d269eccac44a2", "a6b9bffcaa29fb4e0b804ebf8ba6020374916dfd536821b73331f07dd1c60a24", "ad7d9d46b8d800c2f01deb707c650da0f61c644b2e00235758ed7d25c117b74a", "af52657127d06b315c954287a4df3f5aef4afbd24c7a3f2cecf98f36ebccb779", "b62ca46cfbe772a54e6822ce000365d8c0283cd79021f98b4ae998c6ad968cb6", "c23b06a366c7307595e850b9a881a6b921a70398ce8b337bf15b2cf96b2d5bf4", "c2720bab058840f19315eff4d46ef6c5d154aafbca3348722fb18bbf14a71fd7", "c9f0c956cf62340f41d0ae1ca7316cae246ea557eb1744a7d727088e657ce4be", "d83348947898be0adf1a4cf146f09ad65da000fab540e4ebb543525242b3a7ba", "e05b22834e4ec634cb153edd630bd66e96c524bc47f83953fe86e4fad5b64793", "e6e38e9c16f10802bbfbc2528753731ece147ca1a4c5083abb7dac32353804ba", "e7c66816d3ca4d00643ad24ff4ef74cb94d9cf075133341a93a3900e77e7d195", "ed227d845393f0879e44ee74af5049a4efdb4fe149a463cb0226fcd5d769d4d5", "ffd6f144c3f35fbdea3c967ccd8d63a5924d2915aadc2a7618879bb4631db74e"], "iocs": {"domain": [{"host": "ce-cloud[.]com"}], "file": [{"path": "%LocalAppData%\\Temp\\hfdfjdk.exe"}, {"path": "%LocalAppData%\\Temp\\ddjienn.exe"}], "ip": [{"ip": "84[.]22[.]177[.]39"}], "mutex": [{"name": null}, {"name": null}, {"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyEnable"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyServer"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyOverride"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "AutoConfigURL"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "AutoDetect"}, {"key": 
"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "ProxyBypass"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "IntranetName"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "UNCAsIntranet"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "AutoDetect"}]}}, "Win.Malware.Emotet-6816461-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.", "hashes": ["0353c9149b5f88a330904bb62b32224f04ba58f03d68dd0792757ad775308b55", "04353446c29fd35b28ee9b67f8bd44979478501cca7c954753a79c52b68d9037", "04c3f1590c9e9389582e21d7711379cab42d460433a2918bb888ce941bcfeedd", "0753b4ea09e7c562abacd4d3fbb6ceb8065075fa7e9ac3d53a7d7b9464111d97", "07a40319b4eab80ad4bc5ddd1d326b380fbd84cb5695436ad973026f10b2ffcf", "09dfb7b98eb9d84194c786107af24f345ba98abce2264eb350aaa49ec5f0b2a3", "0a05e728e40d80db4159ced8760ade6cc66cd1d1c3187bc389801f975ea356a5", "0b664accc6898a9c073ca27deb58abaa597477d88c54559439f9a92a45f8d055", "0e0838d60693a9fe803d104f97b1513781460a3e0eeedc0add12d9cab9d57b89", "0e5731849a5274705251a772b9cfc527d4646e5af1d0d8a9c0dc536d3a60ef73", "11c6c26f9d485fa833fc457cc51a99e9b772c36816fc6c3bd55d3cd10b3722be", "16d620b02bdf396a3992dc4b2ef8d2508924303e4c013e1fbb49921470008516", "17061a6389a454eb7b2891b19708d0a2b54a6c4b4ce5fb20070475e0eec94202", "19b0b0087b81e9c2c6b5c94a7830fcb2674318a32eb7b7f22beac0c21f7afe6e", "1cea1c276ebbfb7016b71f5c4060ebda6771c82f8a7f7b1de17469f564cdd4ec", "1fb31fd9d68cdf3e7003c8312920f47279c35d5e6a57072274c347abfa72546f", 
"2304f4a6d495ffbe53edf321320c3d9c370f2ed04881481219e54b76877df66f", "296f421a8f830c9b249dda7b08603ef70b9940165b22c323c81ac63f026e3b14", "2b9278f08544327a17740022286878835f952b3e419f6eb591d266af5fe9d95e", "2e26453cbe70950db2ff2866374eb65199158432518df90130d616d2fa0dc0d1", "32a25295271b2091b10533f3beb8f9b032ef32668f3081c9f1c44e8e6017f325", "3388ba07c6f77b926395f7638848aae558ea5804e09c82e441e03530e7c69d63", "33906f0abea0b36325a9fae790527fd5317485426c70801600e129795af7f0f9", "350f42856e87c939fbc0a994c5ee8df09e056c449931320e7a2ed633b62e7f2e", "3759184ad0939d60725e52abf38493808986f7ebcf81b8037beceb4a50539602", "397bae15519a2cf9e0b8364e1c15db08c1a3adee36c17ebf96bc91c46a61c5ca", "39f7b6d423a1281ae081a613be75fcb2844faa3cf80aac59617554d72f216320", "3ab78388338a4de158a445d338389abf70268cfee474ba06a64d15ba21b783d6", "3c090e7cc9507d048af4843af612fac9ef80a8b6f98e52f2fc1aa343788d41a2", "42997feb454e2920d1ca5a535f7351cf0f4787399dd777589ea0ffd5f8c6f7a9", "4441266aac31b528f3af4841c3ff18ccd0580899074a268acb6a1bbbb2c079c3", "4a936f552009683b4dcf10284dc01c1a2c576a47c165c07c3eefdd747d891ee4", "4cb1c0ce3de256e671b096729ae35b65b5f4ac67fe0ca9bbdc27e84aaf25a4d3", "4f99ff28aa0864e4cee9e07cdafd03343ee929645b53260033c80d9c95cb41a0", "53f05ab189b0bad02234df5d14283e8f66b09c7c397f9ed0db929b3c9c94bf87", "54efb1013f89d06196e354d43c14935b0647c2058aa6cf6f62050210e9f83616", "5506b5dcea80aed5bb2c8378612d811e99784737d64fef27569895ca9f7fc5f1", "59df1757c601148f8df9daa8a4a5ec6c75f62a0f6a9f7d4467f61e30e1794e82", "5a75c1c79709b57b77326215c9d0c35f01cd8bc331cfa2993ccc0b0b3fbe5fb6", "5daa4002a8aa2a68d8b953eacc3ad29835fd347743c36350f073ad72fb82c7a8", "5fa86cf2fcbc15c38f9ea66595604fcb65f9f83604cecf2b93178cc29c7202b3", "614e018986df5c399290bf2ada45dbd9954cae80554fc8c75c6d9f725dab9c69", "6644890c4fac390e89f2b4a4137994371a08e5c3ad99105181e08eccdfe69d7c", "67b7afa9bab3c68e3458f3dc59bf78198ec09cbd26ee9b91c9ffcf01f837f514", "6959458d9a5e319beb5d7b7a55ef5b5eef9bdddb0f490534ec576615a9c158f1", 
"6af4d2a6f3388fc108b3d8835b051a0f474b6036a94487598f5cd9e14a89f8a6", "6b03b5bdfbd82da8e9a8fa364129a7dcca93eed9ee3e8534361ea7464d70621d", "6c2890c61e73feb0227c4d8951b7dcc6b8b0fea0e0c6e9a2bd65019163045cdb", "6cdfe05c8c1d55be1d935fa4a202aa0d1117e6081a6c2f74ac78d323b96216d7", "6e72d96d8689f33fa110c3f75b51a03c9f04951b7435c18049f8372f981d7fda", "6ef905013244e7ac8af70931d4dff5fac28b98558978ef8916f4ecc4dfb8eb0e", "71019bfff9446c7260e90300c7f2192232ec0dd3a13078587e69d927861ff74b", "7543419ad2c47a6fc8765597d43ef56be77598b9073f8a7d1007f43dbdcf5cdc", "7626a5bd265f05ba9fa292325c6604c4e6a3d2bb7c4da675bf0a64b6090202ca", "787b027cf2cc3a6dee2f381e86f026af3242b8a70de423ee3714c61bd8c7bade", "7a22727630e9bb2c2d4b92f2fddc7f7c7446cc3db781debc3bec872e63fdd3f7", "7a5f98f14172b15e79c2081d6344fb6a5103f7f262cfc4174d95b6d47b02ee95", "7b086adf025db7dc0f09cec1934b94597094be77b8115dd9ed08c58d886ea32b", "7b427a5d7cb28116f84cc2f5b850426275ad5a302f690dcf0b9eb74fd1700291", "7d5284539dea3386f4918b1345fcaa54362d748de3e330b4d16b364bed7534f6", "7da518307963fd1acf140735617e14a046113df1a0181085034e3a0aaffb9d5f", "7e00876ee9dcbcecba1385455c93fb742ba20f32ee16168b6ea7bfda35db0f14", "7e5ea13fa9483567ccfc964f2b81ceef37a6e25bc72145595d1b210ffff7592a", "7eaea939bd32085ae6b0dfd0d1a47c1751737442ee97906b6d37aff0660139e0", "80719d43798a4ca942f156a74ebe5bbdc969a5b9e2522d95f31493a6b614d68f", "8775d014150cf21e0d0d1485a8113ee26b4fbbc0b520365dcc873940033d22b1", "8ff1c044ffc6b034e6af2ecf3ed5274298ae329b9b9bf0e9056a909305db4f90", "9a0a11ff0bcb1310aea584b231fd2d25687e7b2ca1a490b24c8ac4f5324be12e", "9cbe8046bfe914ee36a6e342c1ef50c7889dda49e70128c996fcc4f18a8fa676", "9dec686303eef4785b0653d61b8a2f987f4f56bd09298b6f7787d9b6160c6ebe", "9ea80fc0f2bc1e32328b48f642c30a04b7f2d8c53a08af0a48167908ea5d7630", "9f29b0a25f561d88ef445d6443b057888bc0d57f3a19ef634bbb9439d15ed16c", "a0536f7eb759331684f01d876a8f4015b87b2cb72907eb95f1a5e53bd4411ab9", "a53b47796f3ad49dd0b126d86ec68d4d4c7d37037da1572999a21da1f17c0887", 
"a80b0974d9b0ae7358dec39a3b6caa8c2e4bd0c0280fd1539ec5d2d581d80adf", "aabd206ea5f0fd70989b09269df40d25644d6b0172c285329beaa5acc162f725", "ac1d4535cb727e7284e0011edae475c78ec5b3d655e886b4445651860729c732", "b188a33eb9b8db7b8af18881f9a4f91a608e96e4d9084f267599f1e9d8df002a", "b423a36a84e0be94184b595bc947399a3c49be5dc3eb5b3b41563734dbaa7a1c", "b92f35f14649f546fefb90b30af2669e386668b11e759229304f471642c62e91", "b9e670411c61bf5c2efea152272482c8adeb648fc2fea7518b31ffcc1eb10006", "c1a8a919dc02df2cd5841166b8d3ece3df11877e239e79184951a6d63bc12898", "c477fcc258c4b5217b5a7c826366de5e6af9e1c8e90bb912ab6e3665e52e7ab8", "c55d7593a435b732f2991cc31ba84364cca6e5a08b9eec92bd085414ba6c6a0a", "c7690bc53f593dfb9c9eb1e07626436a7125ccb0e60bc63f294a0558a3115d44", "c8f9f18d95c4a59183a05bba7c38b586ceeb456701d15dc535f83bd869188435", "cd3fa296d4edba903fc4887a80eb42ab3a7165c8967b46db6c1aa754d339a2b7", "ce86415a3b941257107ac663aa2c0aabe82875de3806008db9cd586b49149867", "d1c75d1087c83363d888c9b465d2e90d338064dab541691d02d6dd91a02473f9", "d20faba73f5b67dba4ec88f728359c65d684cdab44d4b70ddec81fdc5f86652d", "d3775c520dab6ba548f5bd9262a24a76d8c8d87bbec52ef62fee0b173c539a6a", "d4a61c5c3ecad1bb92f2d7b6c8f4e220c527dd1e34d24f471d790293df24a649", "d865026c3f3f82fbe2ad2e68f36a143ebdfee8d1a924829a4503511b536539ba", "ddbf72530aee7305bc99ae9d64a8cb8264b0ee0500abe07fecd76a1322565a1e", "e021864082c80a4a94bab95801aef4a8770c02eaa61c7d5323463f91d021573a", "e043d7fc269c01dbbce59db95fdd9801adeb66a4e4f90125693fbfbdfc5c897e", "e0c0aa302419e41648fa2decbd2246be94baafce6312069af431ace1c502d8ba", "e1fa1c7d8bb15cbd30ec50bc055630dc2a227a1cdd26c4a3c58657b8db23480f", "e467a0d11161ed0af27a2d2806d410bff5b619693ff5acf77c5b0c5158eef76c", "e8fec5df9be23687dd2249900f7ab151a3b12c38bacfe28204b625d34f5db1d8", "edbbf5e10de9d89705f68fe6fe526e2db7c925cf1722ce7a602341914a496436", "eee0e0e3be71c4ad4e65e7f8a2f8a17dec0e7c68cd299297259b3fbb9f064b34", "eef407f9bf2f1949557751e090582941061c0081e950f94dbdf0526da758f0e9", 
"f1d74e49e8aaf3421e9da21b46f96948fc11b76e04a578fb6c0794272f4ae387", "f231f07889a509c4f3178300a131e23a641bd242cb55e265f755764c2afa0e68", "f6ba39af978e1767ebda15ff51c78c2c3ff2c56e2df7e566200b88c8c5267d4d", "f794bb48d1ce138d81296e9c5ea0ec2964ef81de1babf3e95d90f3fcc273f2d7", "fb11f0964d3b12dd8d783a0866397548b6db263916de67617bd699b122a2a67e", "fd093eb9dad00d0932db5dfcd92d686d649cc26706cd32a75097dfb9d702672f"], "iocs": {"domain": [{"host": "smtpauth[.]avalongroup[.]in"}, {"host": "smtp[.]weiler-elektro[.]de"}, {"host": "mail[.]yomarbodycolor[.]com[.]mx"}, {"host": "mail[.]theconcordhotels[.]com"}, {"host": "mail[.]migranjita[.]com[.]mx"}], "file": [{"path": "%WinDir%\\SysWOW64\\t5lKUp7.exe"}, {"path": "%WinDir%\\SysWOW64\\ohFmRm3hO8ae.exe"}, {"path": "%WinDir%\\SysWOW64\\XyDDS09O1vT.exe"}, {"path": "%WinDir%\\SysWOW64\\ouFc.exe"}], "ip": [{"ip": "187[.]207[.]58[.]148"}, {"ip": "187[.]178[.]233[.]96"}], "mutex": [{"name": null}, {"name": null}], "registry": [{"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "ErrorControl"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "ImagePath"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "DisplayName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "WOW64"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "ObjectName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\TABBTNFETCH", "value_name": "Description"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "ErrorControl"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "ImagePath"}, 
{"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "DisplayName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "WOW64"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "ObjectName"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\STARTEDTURNED", "value_name": "Description"}]}}, "Win.Packed.Johnnie-6814043-0": {"category": "Packed", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.", "hashes": ["1091dadfa59fe9530292e18818036f6e8ea754664a29665427f357f5ab75d4e1", "2d00dce46e197f8fb90ee6ac49d4a671fbf4a5a52965021df8b18f787974b8e5", "3086d7d8c8d73a9d6e010edef5be6741be609120c7a6d5500b75d38157c65b40", "30e11e19fae9d52645c3d39f2988880cc7a92361cfd4cc16887efc2533eccaa3", "3c5550e2547c2b34dd54755a102c118884cc5eade31a455240f6d728f1fa142e", "42649ce0c2c923fc667921078c999d6bf0f83d41d5cff1fca4f3bcbab825609f", "468a2974e88fdbd3e43e9bb1fbb4e706e83215ea7af6d792ce818173d7eb91a2", "4a835d5e7c4293b6ac0fcd277051c6718397a425ae0b9e87f836927b5aaf5bfc", "542e1acae7a25e27803e5e48ef2bf6bad70edc79d1d0861d420c812bc41000d9", "54842caa37882cfc0aa7d565f4d2d1c6c77b9af259ae051c380fe08337576cd0", "795dd2ce39784bafcbda7b5fd364f7ca70ea9bcc9ea87cc9b46a4d8c0cf320b6", "a94bc5d6fa3117328c19a9da7325a788ffc89ad481e63e761e875f10ee1910bc", "aa75c45c4b182f44f265665905956827474e1da5fb002ced185cf679830772e3", "cb5698b07a75086cb1aaddff5a451b3dfbcf07407ba0da9376cfe69a51c2b38b", "d4825d1956ccf52a7e8043f28af9f2942e08c16bcee2785c51717047c89d1a92", "da665cdf12e4e77c8383c37497e36f34bd5794273df879109774065bfbbec40f", "ec0638880ff60664c2ffe5417342297f90b9df3df8b7e0c063387f8eb69f633b", "ef405428d8e6f3bc8db642f36192e9684982ff4a6fa507259e8a63b832a72f8d"], "iocs": {"domain": [{"host": 
"havefunnuke[.]servequake[.]com"}], "file": [{"path": "%AppData%\\Window Updates\\winupdt2.exe"}, {"path": "%AppData%\\Window Updates\\winupdt2.txt"}, {"path": "%AppData%\\Windows Updater.exe"}, {"path": "%AppData%\\data.dat"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\kAZSM.bat"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\kAZSM.txt"}, {"path": "%AppData%\\Window Updates\\"}, {"path": "%AppData%\\Window Updates\\winupdt2.exe"}, {"path": "%AppData%\\Window Updates\\winupdt2.txt"}, {"path": "%AppData%\\Window Updates\\winupdt2.exe"}, {"path": "%AppData%\\Window Updates\\winupdt2.txt"}, {"path": "%AppData%\\Windows Updater.exe"}, {"path": "%AppData%\\data.dat"}, {"path": "%AppData%\\Windows Updater.exe"}, {"path": "%AppData%\\data.dat"}, {"path": "%LocalAppData%\\Temp\\AlgRz.bat"}, {"path": "%LocalAppData%\\Temp\\AlgRz.txt"}, {"path": "%LocalAppData%\\Temp\\AlgRz.bat"}, {"path": "%LocalAppData%\\Temp\\AlgRz.txt"}], "ip": [{"ip": "204[.]95[.]99[.]61"}], "mutex": [{"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "internat.exe"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST", "value_name": "C:\\Users\\Administrator\\AppData\\Roaming\\Window Updates\\winupdt2.exe"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST", "value_name": "C:\\Users\\Administrator\\AppData\\Roaming\\Windows Updater.exe"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN", "value_name": "WinUpdt"}, {"key": "\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\SRVID\\ID", "value_name": "DZ85WJDHN3"}, {"key": "\\SOFTWARE\\VB AND VBA PROGRAM SETTINGS\\INSTALL\\DATE", "value_name": "DZ85WJDHN3"}]}}, "Win.Virus.Sality-6814419-0": {"category": "Virus", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network 
Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Sality is a file infector that establishes a peer-to-peer botnet. Although it's been prevalent for more than a decade, we continue to see new samples that require marginal attention in order to remain consistent with detection. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of executing additional malware.", "hashes": ["02e195243af5923dae171d824b63a3d25a2538bc596a971273eb30b0a920b9e5", "03232668bd0c47073066f155ac5577b0240fcff40eafac864adef86694006e43", "03bc456b9c91607a9ace1f4d8121d28f51ea3177bc2198fc3a1d76aab20b3620", "049d7d3d22c12f592379446b2ebb2cd2c894422379421afd4c77986a293760ed", "06e4245cf5a76061587820f25a5d019663b63cca431e9bb43095d6c09b25a3ea", "091eb9a5e513328d93d4e46884a210464ebbf3da71be68704bfd3bb00a842724", "0a8bd011f75fc337eba89d7aa95f293999ca5aa086357abe96555266d952b883", "0c0999de8b07c0e231326c88f991d068f6d56d9e85a2c386a09ccf2eb8be9ebf", "0ec786687795fff9476658ca7b29a04949025cdb3fae672a6ae071520313f43c", "109ec982b35185df989ef3558f704648ff4e4b9c307fba80d238dc546a5ff8d2", "10c2740264a991ddd1bc1058975565eaa871803647805048c8132d169d34f5ca", "11b75d4bb7cdc3938d884da59da1885e70b8bc995bbf528ffd1c02d5876214f8", "13971272ef6b82c6b5ef9de3eb33f2dc439048c4eacd388faf2de37d89d25bb1", "15b9de1e80e24edb459847e427edbee34734d9950db2c84f30175ba46eb5d208", "168fce02cad1cfd3ac578f3ccfb023c6ea76f8c402ab160f0271863c66279af0", "1692102392f7d3552307ae0b1e081b862650272d22a3823134cc9a2bfc6866c3", "16e8fc998564cd4272795782a371fad13fca160f9427f85e0a8591d56c9a5248", "1a93a65e01aecd981c300f7877d51c1b4907fccb4acced53c3e70bb7c1884e61", "1c2479ad95ad5ec5944d10fc4222b0f7b9c40e4f3e940515c18773205a6129c8", "1c7a9720df7186f3354799f5f7b17139e20d8c9233ef796c1f8a9a4a61a3eb73", "1f747322ea42c2d20d19d3f0b9b2afe1f143910006163a6f08d27b97b2927ff7", "2012be50bc465db1fee01bcd1183590e9d22a1fb3105efa1005f9da81adc7a5c", 
"238f6f0376a19f92bfb2e616bac4da36f5eb922e2e93bba8bb61d0a0dfa18f18", "252fe2be1234ed2028a28650daa61a2a5e90f40598c52b97226d67c8e701b97b", "256fd9777738e64c2dc9279a398a24cc2382d95eb94d760d081fee71d8daa32b", "2612c393d5a985ec33811f04c14ae3de774784e2322cc59fb969342482cad5ca", "26163a1d7a581014fecb8de07617299c289d3b6751a615b3a1467761ef21b925", "261d308c0bcb30b593b79079dab3da4cde8b3c2b29ff2fe38e5a06e1cf4cd177", "263da31d849686f872162877235edf5e21d987120dbcec1777a113c1255dea16", "2726c1cf75307134c05b01cd3a2ba0688f5908f4ec2e492f275fd807793e373a", "2db8268d36abb233b09d9536a416f2e2b9a1fa29461990408a1c3c02ba5751da", "2e5721c6e428e261e09ade0d1c8ee176fa2aeb32177f5c27c1db789f1ddcd698", "2f0b25f836e64020ce8719d264fea5ba88310119bd03181018c583e01e56a52b", "30245cc077fe317944c076d9edbf6e300b65efb244d48c1ebb92980cd2fbc18a", "3159b9eebb336a9496173f5b584288f4cecf105d630f572ec21047f371886cb3", "318aa1dfb90a6cc511800c2bb45fd2463a87780beb13dfc88d0adc3d49c166e7", "31dce8c48c94960c053e28162520fcc519570e89c17d7ae153b423b20725ec23", "328eaa2932f9b3bbc8e60b434659a1069a9f3e67581998a40c97b2c1ea770c4d", "332e9685f14d0191c723565c5763f41cd056562d2d9a7497ba449f35cf1ee5cf", "336c3d4239fbf81bfa67ee9ef0f181ba7907c9fa374c850ae7b57f2d30e7511f", "33d1f3fec8dac5e77c33779e02c5a3931e542a52cde6022a74180f3662bba7b1", "351dd6ed928e5a479510b82c8893369e2c0c35ea4e5c7903129d568e3bc9f694", "35d24e2e28b56cc1b6108989e3c1700870c247f6e8612ff669acd60b3e16d415", "35f7f7fcba11a8887b2e0e0730eb927d255ac3938e54c616bdd31f50291e639e", "36ca6f85c029583e8ec4a259d61b96833881e5a1107edbec1deeef11eca91bd4", "3803721a5b67dd072e120bc5c3d3f14f314e0b6e780f5db1e541cda54e0d99a4", "38d65eefedaa3451e817a05156fb9174e193023f3aecf3770fd9cf187c31318a", "3978f6c2fb2d85dff97b54a45b640869bbfd118c920c523f27ee5bce73ebf0a3", "39bdfaf18651910f101217bed22fee068b5c52658dc7f0a12117255bc38d7ed7", "3c0f0d6e7e5436e2847c9369eecb42535aa8909291518c9ce0b88494e4b18ac5", "3cbfb2b47e67b143b228df8ee285655a150b208278cc6596d7cfa3564c6f0f25", 
"3cf6d44601e57ce12f557afbb0213027b36ec866bc52a27f529033e61f26b435", "3feb21989ee96b3b4ee2fc0271ce40042e72535f4d096eb7a9078b60e91ca6b9", "420493c75af666a347f3121a56c8f9e5c045a0f8fdb1c48f3fccbd9a5c0325e2", "43583cc4f2895b557a91d8ca87ccc6d9889f2c18fb7bad9ea2fc9a6fcf6f50db", "4360ffdd12c511b2951473f5c6b001af047733bc2bac109844457138e1c397f2", "44bc9308e474f2824c4f15647198a4652990113d5736532f737a00f7c73ff230", "465cec90a492bb303057ffb01b564732b4d29f44774a48db1648a5bd70761245", "46f9f1fb009e38cc46d3c428155af25fc14ee213b5949f779e263fea681d1ee8", "47a009c605d1bfb33f2c033dc39cfed874e3753e77044fac478b5b64c0528055", "488ca372283607df22ce2530fe378af7806a66888d0759c6101fc10aa66d0ce8", "4a297b296b06336aa380b55cf6c8ea495ae7fe41d0b18d0c47a6e7e01f092664", "4a7b34f317b1bd0a73d19e5e5e4c756abeb55b92074034ce1e749205c4e32301", "4b14e5049150aad2fe958935281d73bca2ad473d8a1d649217848e73f1990dc3", "4ba42bcef1d33ad6d27c7be73ba292d125c72135047a1ae8b2bd5b2daed5c73d", "547f5176f252680402b3cc20d3542911eed3e71e15cd186110447980bfc23135", "5535fd79eb3a5132c17369b0a8758727608eb3a059c0d6530624c9f9e1aaddf8", "55dde696e2262462d4e08658325c64df67046c19b8d18e411768c41fbef4fc83", "5669feecc6e65683f8fb36419bdacb599a9060c274f4dd7536bae1064d346eb5", "57004224c1dda327a3a02ef34b6029a7fec3c5153784975b2089f79901da1947", "57078b20aff209edad5ffaeeaf49d4c225e6b9cff284d1b72098978c076241bb", "59e7eebb14cef11a6468070e405a4921ac66a285e0f4f3d9ba76cd33548de433", "5ab1989db636a1e0c881029d53a1d49fbad7f1d8ad8998f5746900d35b370981", "5e4c84372f2e7e1a397926f213011acc93569a359bb3f500bc6ae364b92937ef", "5fa41b439fb23216d453c9f9189b73a9608592cc86165cd884ba4ed69b4d5733", "6204890c36d0e45f4be2e49512c329e6107723100c485bdf37bea7bf3b4e21d2", "6373391723999d3e6c7b83873123dded9f29d5cb7e13338fab14fe5da3a1a939", "63823c4b818798d3b07ab9219329764ebb5d63154497c65f3eef78f0128c110e", "63835c3cfdb4583a3a0f0884056cbf9c730c90b3b93aef86ca781eb7cd3ebdcc", "63de847cc945409b38286f20107038de6e5239065327e9f114dbac105138eeb0", 
"648e3858c33375f05b060a5db6185132ee6975374deab56211d9dfcc94298fb2", "64d4f5a5db6944e6335d49d67eb7c42fca110031d10bdceaa7f4a3d46f865baf", "657a4a66acda3df4c9ad5c6435548c036f034d2af1f1f2527c923a06fcea5a2e", "6590e11c64a3cb6b8e6f461069173ef75b91809980b3a5da2a43c56751a69d16", "65c7a0f7e805f65f7d62a3b0ffa2538187fbef82dabacb77f422c33e5068fd99", "673d079d5d078af60aefec278deb7026981866fbea90002d1f9dae43948b8675", "67454b984dc9f19da2165810aae16068d7a209692560d012b71e878e2f528403", "67dc6cae2ee1e99740e7b9416c3cbcdd8114f0c100504e0a6dd7985147b5a8b3", "6856b2bbb64b039f2f2ea691262d84fa8b19af0be595a00a95c76fbe9552a343", "693000fa68ff1a79f4bf926d76a63ddcdf4a4c57eebae5e86dbb3861df4b1a8f", "6932f46c2a049737e4fde5083ab0b37f9e9448aff9f877dc62c38a3a2ca535a0", "6935cf36be1dc76e44a81e14a9baca85153971f6ee5d97bb4dfbef7774e93dd8", "6bedd10d641b8113c1ce65dcf67ec8a94ac9f212544a8aa7b9a1b5b6c714df7b", "71f0831fd3351c66a403422cf08524778b58866cac5c52b5d75b45f597edd2f1", "7425207f616bfc1146ecbc3da7424690dc61dbcd064f2e45e68c99f0b8c648cf", "74e448060646ffab686333b2457b96237b7bb322e43493c8b611f745c6277004", "757d57ccdcd636dd47166cfaf0bc83bf5dd0a24b800a1bd926c49129beefee63", "75d8d3e32017a866238a39e8cdd497392917830d13a6a6cc76af7088cc69616f", "768b276a16de7accd30f3e447481bfd4a12c43ab892787030fb388ee00fa939f", "76fa56cea92bbf348b06f785e554098ed178432030c3a966a41f2e3f4d4b5190", "796faff4239cd767853f1e301676586ba9828a7dc8e4a6f8f9ad8137e065ccab", "7bf1bbf49ddc65c51f92188ccbe312846b31524c56a05367056c9119da91704d", "7c94dfb8b6fcef9a1efba3104162142f31273262950f1ac383f70410ad7c01c5", "7d3eb8fb1ba0838e8bfaf754f21754e98ac89fd71747431ab23f6e21587ca90d", "7d9eed4401c8a1e054e089cf45b9593a23750c54d53f866a6f473caa251d478b", "7f686035922ecdbac427a3b76c77c4ce5f4df3f9d72568d509bac7c85cb8d584", "7faf1aa0ed00aab16cc06ff7481ea4032446ba99ce66364aae3128e02372d4af", "7fd4131efc75da3ed27c90ae56c8c8ced8e30580e8888ba034a43e620e6fa9e7", "80ae6662808b310f91ae550efc6d602c90c4de84bd2b40a26cba60faa7450c3a", 
"8117c8e02016b8726547b8fae9fc77e540caf219fa7eca978101ba8b57eece3d", "83a672edebcc00307f6e02b41b984eecbdf2e2d0fc3394a8661b5cbb1084bc3a", "83e367539854487ade428c06e745136d4909c0c079e1ff20a1ab19295cbf065e", "85a83a4074e4f418d133da25613c7433da4a68d52dc89aff4297527e6fa0fee1", "86880fec4ed535f62113b9ac78beabc96a19822c1944ac532b781be1932a63bd", "8733d3ad58975ff2384f11c9873d83ee091328be148f7d7aac12cc704a39f7fe", "8878dd9927d605f366d0ff4fff046575d4f4766b0c1f538c5200bdf534606159", "8a7d2f73870df52eab8768f278e741efd5bffd6d8d8c8f29b322ac3ed6d34f85", "8add0de36ee88c56521222a75dc42433fba5816fc408679e95479f6fc154e1ff", "8befcda7a9145b281412bdee3094bf72baf85b37234f4742c38989104f0a953c", "8c41db151bae5787c0e137944a27408493a55150b83045c121079876ab228ca1", "8dab6e36942942e2348d326acd262b6a3f24ac12ff18fe962159ca7ca5c621ac", "8e3b0627e31cf65b5cbbb4c06f9111eeb8efde71d37f80e846e1cd4a86c48d75", "8e95f1ef11be4ba41fed15b2e923b3a3aae524c628bd4a5d11e2e0cef0e5eae6", "8f57109d322d214de4395bf959758e0073b910173c0c9bc094d9450aa01ec662", "90f10f509ad69852ef8a9ca63fb3eb96c5c85483b7c65242902fe8f61caac990", "940fdf4e19215716f0416607cec1e8d5417fc6d2b7adb00c38cd3e0458f1aa83", "9544da86196ab2e9e56272e734ef552517d9263354da1d8014b117d2fe075b63", "981189ca11f55f1e3147005b393935dc8f5006468ae901b308b1394080c19a63", "987d6cbae2ac0f8879f3d695245bf47a44863df9b658f3cfb715f569ac73aa91", "991143fc4ce625ff22ed1dd4670a93008c56415107913811efb3699a9e12b1f1", "9a0fb1fd6e8b3dda064f5836d3a06ec6ac1f900b32a5e8468bc1f3e88a3be7ec", "9ed16a126f843e64b87137f8d8df57c14f3833c4139350af47cda28cbfe02154", "9f1b5a50998945ce566e7b51e6ec65f879599e901a18c63d230cc58a253ac107", "a02d8d3d1174dca088ee354251fa5e7efb631612f7535ca3deaffb5be7569ea6", "a102709490306fd926cfcbc1a7a8bdee5c5aadac6a96a998d15796b5b550a6e3", "a11d5069ddbb2174d47e70c2c68d8911ea7ae576e6ae1c2908baaed3185162b8", "a1438a4af259246e724aa33fa4cb179e3b84c6c2bd49d829bfd062d0e1af16f7", "a29748f4c2ed33e6d88b5126eefce193a8352caff1c524cc6d13fe36ae2557e9", 
"a53c935dacb07c28ac1eb630854244f1c20a21a0b72589cdd67ab5e599bfd95f", "a72d9442f31077f10b498caa47e0d32b548890f3ed70e5c26c78b95683d86237", "a8a0d60fb8fa3e2ed65b2ad6c3e504f07b28e8059a200b00fd0627d5d1ca80f3", "aaf1c1405a0454076bc1d447b250f981e880772e2a37a0fcff9e9fb534e51629", "af6fb92c99f9b9749c1939c5137a58749f868674118453b4a8e3f186fc7efcaa", "afa97516715676075a4f76effa7ed3aa3eb5405dc7f0c9f5f8e806a4b51110ff", "b01be48f256ea8f58a152a373d2555478cd8a00c210d862ff3e5a24df4d886b0", "b2240706c56d5403883656a7a2b0aa75a4a90022a7705a363f4fb2d37e4937cb", "b3a8f89db94581f31faa08168408743e5000e905df44be33428a0b1ff0ff6aea", "b469344b52e9d31b24331213ed3a9b0cbeba07971dd44d80c2535161f4ec0736", "b4741c6ebfb2e8049aecba54a375c6292a7aba573c27ad85b31aff08fbade7b2", "b55d5b8b90e043b6f1c6c87de6b93f6985c5518e5c486b1df7d0ee14ce68cce8", "b71a3939baa151ab3b7692bf91fa558d6cfc2ccb88e3d43e1023b49a134f1238", "bbf0ee7c58aab689fd9acd9ebdd990a7c619f66615b7661cad9e21a699f1c41c", "bc42f3f98885b8b4dce8b9633071bc29e9bc27c08fd6de522c82a62229552b51", "bcb97363b8e1a3b72683c8f5f08a11360de22405660cef27de76f838ff5fb2c8", "bd51ccad0d1430ef4cf522485b2a800dcd02f23362fe2e86f23fe9a4f8fed9d5", "bd95fe59b36a13f8f62b199c64ede5e59ac58aaba5950fae64c5263df1013383", "bef7740019a55451d37e44d8d85f408442d555d68ed7738e2bb44de3023f7c70", "bf69426d04ff0fa5a3fa02f991c254e99a33e993466d093e64673192422cab4d", "bf7ce39b29d08450df5bb78ebf5ba6445f9474cb09801f0fec34a310c7e635b8", "bff750637a528dd4771cad78771421573ef00a4b7e86e4c2b5fbc86942c106f3", "c07552ec444d7671d53445e2a5b3633d7aa92158fcd910dddc93debe2a060b10", "c0bf15f84f17febdb5d224458368ba5d2084aeabf5c4d8cfa009bde43b76a9e3", "c32f0d8842cc1d4e05ca066036b42a9e3a423f9102debcf7622c5da114d45024", "c48d017f5459debb6426f83800e200c0e132afe5747ad5d07152be3eaf73407f", "c84461bcd93a14193fbf47b703aad3ba68a5409c53a626aeb99e14d87fdaac2b", "c9a41c09729a385adadeedca09f19e2aa2abb24c0a44117432fe6c64136ad5ef", "ca7d52b900bb5c32ef70f523faed62b7c76ec6bfe354952c7cba5133058d227c", 
"cb0eed7777fd98056ca420340332af007e5d028bf3accc40951fd8738a4ff887", "cb94b4c139dd774d82c83639b8c7424d846c9c57cb68d760edabe3960cf79b94", "ccfab805c658789b9910f2d27854061b539189c11e3ed93836d1bb6371e12a45", "cec103835e45f325cd5ec305c8f98470135dc3553e04676ba0f946326b7cd544", "d1b06a597192985bbc459bc673f16839ba7b7ee5c3fa673ab8bf61734ccb8210", "d3825ad54a2ff9404f1738a169a433c64e729da18b8189a4dd03665acc09965a", "d509e8ce576559ddf032be71e5fb8d15fdafb3cbb65d2bfe614dfad78edefef5", "d6c0c4640b08f29ee1771b71809f104cae418e940da39192d3293052bc9cb8cc", "d7d0068023d315a88d6a45bd982132ddceeb81f0d5659501f0e7c39acbd2a352", "d7f9ed5d9e01b5b17d0356e3ca0226981fbdef8a830cbf6d034d150aef4ae304", "d82d9618c56fb4842bbcfc365cd9565f8f8a09cdfee54d5a94516934fd163462", "da15dbab7aafe0d3e54ee078763d77f8731578be37c9bf45b3a816e074d795ef", "dbf8177230c1f36c5fc4bccdf002f6eb6ef6e5bf8ff7bbfba11584c4a95367c6", "dc0e99ae668fd15364ddaeb568cac2390767588c1b686d9026197accd8b7c16c", "dcae35b388c2c02e66e66a132a2eb4de0774a8f96c8e2b73812b4e1cd8e2c679", "dcb77342e81f88fea0f69f2326ab893ab7aad3091ff3b7e894c2ca1a2721a272", "dd270276d9c18c9c5b7af6cf3a093f8c79ebb324a4eee7a6693416af6a61e444", "dd27d1ebf438a2d34add180121697cd5554d7b38abbeca73de8fbd4381b43f5c", "dd422541cd72f9331503a1b8a6c608bcded5dcde2d52ce0f9e5ab541dcc406f5", "de226ad682ab7bd6df1c8c24952ae0f581543a5f371de6b91c9388b8b4913713", "e05bf24e244452008a393493c9af353422a12c768fd17fc03c4658dc7011915d", "e0b795f578678a16f246df76169c59dd615bef11865b61865baa7005b4929bf8", "e18ee13c6cb0cfcfc5eb7df700b8e1fedf46f0ad75d39dbc16d4a3f1ce3d8921", "e5769a2f582bf75d29fd7c9d8102a425b4e3e7aebf5e968704a7ae13ad6a7d19", "e82a330024bd0fa1170fe0b91a3b592dce533702a5c2316822e4ec625c1b5bba", "e881729408433a45ca03a0b674d279406d8cfee562afdc2673a4db7154412d47", "eb995acc34816e20d1825c83ea1672cb4a2dba221c5fa7a9722e43257d5b8eb7", "ed31e77f614a47a81736b39608198324ff370f747b721097ecf407019bfb58d0", "ed7f120b1f2d97ec0b742995c5574de3b68b3501df0d1fdd67d2c1ad4fa95ddc", 
"eed288055ca2ddc88869de737022bf2d48ce9cd64a2597fa3a370afa6edf6aac", "f13f91debe9212c842f845ee2664b5cf038c8518458a4da91d6f906100058a82", "f263606e02ac2da469bf79f31a505f21860245a4292a7e3285aa6fd6ee67b687", "f39e4381b00d2151fcbd42772b69c10c9a69a75d5f52a27a2678466ed8715ef9", "f48f924242b75aef968309912e30645a7056e65a24207ef6c0705e0181a8f915", "f6591d6b4b41160968b96a82ee0a3b18301e76f6d156965bb1f42ad338845420", "f7e3fce58d0cd6e3b111dfb341bc85026eb278ccfbb4b48521fbc35f00dae054", "f8a143e36b457bdc2bab17283eff2aee066135242474b4f27477a51c2942b850", "f97e5f35763efdc597569546fffc8a108a136b65f7430d9d5954f0dbb262ea8c", "f99998ee98be9001da72c730d859d39a69e530dbf06e1ed15d318b4871d6f105", "f9ddc07db959bacf36d861bf6c0c9f3d3aa056dd0c5deff1571f12cf188e4538", "fa5968f1d842da8271b1f4aa4d4b026c9e46f7649cf21c1f68d9d98c0ff09540", "fb099ff8226ec4b6d0b31aa7447d46e8a53c30a3f54cf84bc1b13bcd205d78b9", "fb3a059c44d39d9ffa8428ec17bb0b1938ebe2a83e77d7d2596c1f5a10ce7dd4", "fb667049836aa2e55fc6601a727d0c050aa8072153d65e098b1cbdc752ce5f7d", "fbf3638a24dd3da185ec58f3353129190f43e41aaaf5d9d8f2718d61b73ca15a", "fc9061462888132eedf2abf5e69912e31e69769609c08d4d028381915bb32589", "fcc5ac74ea4df5442bf7ba8aefd00b87472040c736a5bf63a180347c3e908963", "fdc48ed79b03a608f891a20e62e8e2fe64eff66def1acdabdd51df9f330544b4"], "iocs": {"domain": [{"host": "www[.]litespeedtech[.]com"}, {"host": "pelcpawel[.]fm[.]interia[.]pl"}, {"host": "www[.]interia[.]pl"}, {"host": "chicostara[.]com"}, {"host": "dewpoint-eg[.]com"}, {"host": "suewyllie[.]com"}, {"host": "www[.]bluecubecreatives[.]com"}, {"host": "724hizmetgrup[.]com"}, {"host": "yavuztuncil[.]ya[.]funpic[.]de"}, {"host": "www[.]ceylanogullari[.]com"}, {"host": "cevatpasa[.]com"}, {"host": "pracenadoma[.]wz[.]cz"}, {"host": "tehnik-unggul[.]com"}, {"host": "philanthrope[.]in"}, {"host": "www[.]katenilsson[.]dk"}, {"host": "www[.]best-lab[.]org"}, {"host": "ksaxl[.]com"}], "file": [{"path": "%System16%.ini"}, {"path": 
"%AppData%\\Microsoft\\Windows\\Cookies\\70QUCKJE.txt"}, {"path": "%AppData%\\Microsoft\\Windows\\Cookies\\OMAMI620.txt"}, {"path": "%AppData%\\Microsoft\\Windows\\Cookies\\XTNNC6UJ.txt"}, {"path": "%AppData%\\Microsoft\\Windows\\Cookies\\502SJT1F.txt"}, {"path": "%LocalAppData%\\Temp\\huies.exe"}, {"path": "%LocalAppData%\\Temp\\yjoj.exe"}, {"path": "\\osipby.exe"}, {"path": "\\xcmjc.exe"}, {"path": "%LocalAppData%\\Temp\\dnbaex.exe"}, {"path": "%LocalAppData%\\Temp\\whprwx.exe"}, {"path": "%LocalAppData%\\Temp\\wingahupx.exe"}, {"path": "%LocalAppData%\\Temp\\winuarv.exe"}, {"path": "%LocalAppData%\\Temp\\wlpilw.exe"}, {"path": "%LocalAppData%\\Temp\\ccwus.exe"}, {"path": "%LocalAppData%\\Temp\\uhmeo.exe"}, {"path": "%LocalAppData%\\Temp\\winauaepw.exe"}, {"path": "%LocalAppData%\\Temp\\winkwskn.exe"}, {"path": "%LocalAppData%\\Temp\\winltmrtj.exe"}, {"path": "\\doxioa.exe"}, {"path": "\\wbpi.exe"}], "ip": [{"ip": "206[.]189[.]61[.]126"}, {"ip": "195[.]38[.]137[.]100"}, {"ip": "213[.]202[.]229[.]103"}, {"ip": "217[.]74[.]65[.]23"}, {"ip": "217[.]74[.]76[.]129"}, {"ip": "91[.]142[.]252[.]26"}, {"ip": "69[.]172[.]201[.]153"}, {"ip": "94[.]73[.]145[.]239"}, {"ip": "173[.]193[.]19[.]14"}, {"ip": "185[.]64[.]219[.]5"}, {"ip": "5[.]101[.]0[.]44"}, {"ip": "49[.]50[.]8[.]31"}, {"ip": "103[.]11[.]74[.]25"}, {"ip": "173[.]0[.]143[.]204"}, {"ip": "107[.]180[.]27[.]158"}, {"ip": "103[.]224[.]182[.]246"}, {"ip": "46[.]30[.]215[.]173"}], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED", "value_name": "Hidden"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "AntiVirusOverride"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "AntiVirusDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "FirewallDisableNotify"}, {"key": 
"\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "FirewallOverride"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "UpdatesDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "UacDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "AntiVirusOverride"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "AntiVirusDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "FirewallDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "FirewallOverride"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "UpdatesDisableNotify"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC", "value_name": "UacDisableNotify"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM", "value_name": "EnableLUA"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE", "value_name": "EnableFirewall"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE", "value_name": "DoNotAllowExceptions"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE", "value_name": "DisableNotifications"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "-757413758"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "1011363011"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "-1514827516"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A3_0"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A4_0"}, {"key": "\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT", "value_name": "AlternateShell"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A3_1"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", 
"value_name": "A4_1"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "1768776769"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "253949253"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "2022726022"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS\\-993627007", "value_name": "-503464505"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A2_2"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A1_0"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A2_0"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A1_1"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A2_1"}, {"key": "\\SOFTWARE\\AASPPAPMMXKVS", "value_name": "A1_2"}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2019-01-18T14:39:42+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["Win.Malware.Emotet-6816461-0", "Doc.Malware.Powload-6815340-0", "Win.Downloader.Upatre-6815606-0", "Doc.Malware.Sagent-6813871-0", "Win.Virus.Sality-6814419-0", "Win.Packed.Johnnie-6814043-0", "Win.Downloader.Powershell-6810733-0"]}