{"Doc.Downloader.Emotet-6846065-0": {"category": "Downloader", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.", "hashes": ["03591121dcf83a4aeb5e5fa12a1c1b75c93f5a215780eb1ebf209cc9518f12d3", "04c6555af6871c7818d3df3f0d5bbf9b85efac94e979c58234310b9a36079e78", "09be75647f21e12c0c4948ed45c68eb1db6667beece4e1d9748cddd5b4c38eaa", "15968dcbcb0514e7fd5bb68ced13112a3f1d8b31cd948b967f3becce9283508a", "1920f3315544295d13a8c3366216b74514369bb31cea90a4659506c0c4c549a1", "1a4c6a9c9e4bcce9f83776f87f158d39cb21eb78ea839afaa01abf3f93c49a4c", "1a7211b1d27124d3409b2d1346ba93fc2a91fd00ed3899c95c1e16fc849c54a7", "1e83dfa18cc1ccff50dd5118f710bcc16e6c4e178977435c62b4238554bcf7f4", "2287689165547b27ed983152dd781bc53777060a8dd911b18671b60509329ebf", "247adbdf9950ad6e592f0276ae72625818f87b41ce1bb7596aa89181e0ce99d4", "267af9baaa1401ae4034200940bad6c1f8cb622a7e731ed28fe84fe0682a6616", "3bc75dd152bea2d4670d22e2844731646cc4a83024a3cd2349d465d5c16020ef", "607f94f56ab7d2e2b01a0b8ee0bed7379144363d65e3040f44a197e8245b842c", "72da32c1bec496a54885f38802c429bc1aed434651bc67dc4acbac637c0c94ce", "76b02247cf6c9a6c436532a536ccd2711fa876c15312dd6e0b3863e070e8595c", "7fb24419176dd9aa58bb53a4246398d40c260c253b4772cb8fdc600324f24318", "ad6b9cb00268157013c2b547a379a836609f5c7e01ce6893df16cf1db8fd3965", "af8e1169f130baf122b25aae81d95d62cd3506bae39673652d91ac4c4936049d", "b5d83480ad61ce204743ef0904cbd2995991944efd3d0d2c9daaca9385f4b290", "b9cbad9b3cd4a1f08c3284d479ff40093454e9f76d23783901087cd0add5d468", "fd46fb328e72ebe81cb97846b846051a95d2012630a3ee37bf55002c3908883e"], "iocs": {"domain": [{"host": 
"estacaogourmetrs[.]com[.]br"}, {"host": "www[.]intelhost[.]com[.]br"}, {"host": "restauranthub[.]co[.]uk"}, {"host": "docksey[.]com"}], "file": [{"path": "%LocalAppData%\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp"}, {"path": "%SystemDrive%\\TEMP\\~$LE1922193.doc"}, {"path": "%LocalAppData%\\Temp\\CVR3B09.tmp"}, {"path": "%LocalAppData%\\Temp\\~DF0EC263132EE87D9F.TMP"}, {"path": "%LocalAppData%\\Temp\\~DF93E860FA48DCAA9A.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFCEAA78F57CC3DA47.TMP"}, {"path": "%LocalAppData%\\Temp\\~DFDE0E179FA1A94A5D.TMP"}, {"path": "%AppData%\\Microsoft\\Office\\Recent\\FILE1922193.LNK"}, {"path": "%LocalAppData%\\Temp\\p24is3bq.j0q.ps1"}, {"path": "%LocalAppData%\\Temp\\zjkgwiwg.sq0.psm1"}, {"path": "%UserProfile%\\Documents\\20190204"}, {"path": "%UserProfile%\\Documents\\20190204\\PowerShell_transcript.PC.0Py_SQrs.20190204204359.txt"}, {"path": "%WinDir%\\temp\\putty.exe"}, {"path": "%AppData%\\Microsoft\\Office\\Recent\\366814370.doc.LNK"}, {"path": "%TEMP%orary Internet Files\\Content.Word\\~WRS{E2A82E27-8296-44EC-B019-FE52D18D73F1}.tmp"}, {"path": "%SystemDrive%\\~$6814370.doc"}], "ip": [{"ip": "177[.]11[.]50[.]52"}, {"ip": "195[.]201[.]46[.]139"}, {"ip": "216[.]119[.]181[.]170"}, {"ip": "71[.]78[.]24[.]146"}, {"ip": "217[.]78[.]5[.]120"}], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": [{"key": "\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyEnable"}, {"key": "\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyServer"}, {"key": "\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyOverride"}, {"key": "\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "AutoConfigURL"}, {"key": 
"\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "AutoDetect"}]}}, "PUA.Win.Adware.Razy-6847375-0": {"category": "Adware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Razy is often a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that can be injected into a legitimate process.", "hashes": ["09131ddb2cac0b4d4483b4bbbc76a26f244ab5a884350f733e1f60fc684da039", "3c6a39eee1d6b61e2c1d94332b55819182bc189fcdbe06d79bcafa2ea0febc43", "47d1bd0892f91a1c65f5e6f06fe6969cd8db1f1473760c23e668ac1cb831bc7f", "4e5e5d3bea988e7c39542245f3a1bc1046153ebefc18ee0b4d743dd8b2f93e28", "51c839a1fe25c31ba3903cc47f32880741dd1e708c9e97c81a2ea050802f84db", "68b15033f398389c45903085677e375dcaed3a3225d0854f6cbb5a2b45217cb7", "6985e3313e82b8cc6b450bb4cb6fcdebfc1b26ec83b0ace499c836d79b0b4fbe", "72a1cb206beae974f8d3504128e7892ba6fcbba38f31d7714f0fd811618bb439", "7384060612fcb8c40a324c136c571295f361a2e6d7f5b470206b574aed5fe0f4", "817ee49531f980991336c020e3d99f67796a38ff88aff948f07f658b083e6801", "888888ec0980085d2a89f43fc32f543dfbe283d7ad0186e5c1089a08795d86b8", "9d6c6642a75a6328ef321212b482519ef74c767d9a02d1538debc53f031ee293", "b0d1ef5415c13028a6fbe16900e255b599781bf3824144413f9364e619480194", "bb87882c8e8c87e3f0f2accf837d141550fc0a048409b6c0a4aaec4b9829f1a0", "fa64e7db69b070ef8bad8046cd7539dd1fca1bb63349f04c0e94584cf0a2a7d7"], "iocs": {"domain": [], "file": [{"path": "%System32%\\drivers\\etc\\hosts"}, {"path": "%LocalAppData%\\Temp\\is-51KNV.tmp"}, {"path": "%LocalAppData%\\Temp\\is-51KNV.tmp\\09131ddb2cac0b4d4483b4bbbc76a26f244ab5a884350f733e1f60fc684da039.tmp"}, {"path": "%LocalAppData%\\Temp\\is-9EHP6.tmp\\_isetup\\_isdecmp.dll"}, {"path": "%LocalAppData%\\Temp\\is-9EHP6.tmp\\_isetup\\_setup64.tmp"}, {"path": 
"%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-CA60C.tmp\\367042276.tmp"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\Asian.exe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\Asian.exe.config"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\FallOffLone.exe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\FallOffLone.exe.config"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\_isetup\\_isdecmp.dll"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\is-0J9ED.tmp"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\is-D4UQV.tmp"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\is-ECQFB.tmp"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\is-JAN27.tmp\\is-T0KA5.tmp"}, {"path": "%ProgramFiles%\\Luckey\\213384307.exe"}, {"path": "%ProgramFiles%\\Luckey\\213384307.exe.config"}], "ip": [], "mutex": [{"name": null}, {"name": null}, {"name": null}], "registry": []}}, "PUA.Win.Adware.Sanctionedmedia-6818436-0": {"category": "Adware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "This cluster includes .NET adware samples capable of code injection, opening a port to listen for incoming connections, disabling system restore, modifying files inside system directories, contacting blacklisted domains, modifying the registry and, in some cases, even copying itself to USB drives.", "hashes": ["0489f71417400080c1ebf6f5cf76655470a83f0f964a2ad54c242daf3012fa7a", "0e15e99295dcf13eae0d5a4d7a04a55f7fab24e8f189f5ac37cc1007346007ad", "1127cc0f06797cd128aa3724b5ecead3613c41fabebd143fcbf19a8d236a8fef", "137b894b7f9992f26dd4e6c8d8c2a09e886466305384b444aac2e2d9e3ee7a19", 
"1f5b1a8b9f7fb4d83bbd012d42fdc725468dc0ed29341bee4c5aa122d83f69f2", "3357239b0cb8a4683eca02fd8bf8c0de9cd3372a2222f096d7b527b39fcf8987", "372a2fde40ef021834c7d7718f2f2faf63ee372ee75a795ce3ff0e1156c57a8d", "39bbcd06380d793eb655a015e04ed122d160b6d469495a3b172a89809e5c1c1c", "3b3db732aa7ea25346da5ac1a4f0cb56357baf265259c9046885f889b56830da", "3cf72a19a5dbca5da318ca758b07f8c1e729dd3035f1f31223c8c05fa8826faa", "3f7eb77d67e6a7e2e410993234cc2bf649b3efb311931774e4c5dff3bbfcb1f7", "43983381c09f51babb1b684db1c0f804c3f00ba6c5159e99bb5a68b32e4718f5", "4a7bdf882b10e093cb0d82c61e71daaff97971f0cbaf16f61093acdfe149734f", "4b08ea2461afbf58ef946d1897ee5d4b2873ad2b261db005a85c4aa43ffeca09", "5a85a897a9e5aabf518bd1ff19339cca80543a90cefdcca5397ac09014fc71be", "5da2bf905b77f3b9c4d957458cfb9f133860ddfe5dec741aac55bced51184c1c", "5e01d3fbd260656eaf2eb22631ec30ce8433f8288911ef552855108c773580bd", "638c303a097d02c40e3790e506234cd36ea4c907166f4447f50e6f92b7429436", "63af1d420682171b535f222861b3bcc90c4da86363ad94a4b666bf489a245e11", "66a2ed3db3c55603be3a2ce301cdc71be803b18da51731373a4d23c1d5b0b1a5", "6e0a7315797b5add6dc3b23abdc8d96d0d43e9470bee64f3f5fd12721acd62f9", "7051fca8dfa96b8ee78111d72f6945d14f82aceb94f93a891dfe6e5641512b1e", "71a577218ae440efb0c6b2a624d90a8713e60ab01c525a180c15b5b2b9fa8d4e", "726787ed97a97d4057caa986bd0956a80ecb446bcbdd9a1c009fb4d1ebccaee2", "76b63d0d32b961663c20a01bd478d5cb1358eb1441bea38e2cb8e57c36e0ac41", "7828f6a243e8d591d8009845af60ca2624677c78c31a3d5309ba4bffdc649c05", "7ab06fab880fc08b764954b61db4b8cdc88420494bb1227d3e2cfad50ca409fb", "800173204643e804a6edc2496162d1a733302723ac40f350637a196464bab544", "8146a148529eaf7a8dcbf28b95917f817ea22778e83464a6728acf82e3c5a5c2", "85214686724551c7ea890f5519a4cb91f45f028a360e92b90a6cd5fcaa6aa3ba", "879c946ef9d0e2fbc0209c90970669a55304f90c8020fcaf0ee4f1b6ed2f1698", "8db2649e0812365d0f1b89272048d9b71bd88b77e32aafcc68345bed5c0510e9", "8f6af982abb06d1c4557c7af655987dd3eab6aa6f02bc7bc21a455d0ff2591f8", 
"9326ffca462a5da1e2b26ef3e31810ad9e26046569ccfb1a9a5f42749b1a48bd", "9b9377bb6adc85cc847a4f3b2c713c726aa74e521b4b14f96cb88c9c4ff036e2", "9bcd08546429645a1ed0f011c021ab4b1e55de698f5325c2650feda26a2de3c0", "9c2a23a96037d9d1a902da5e2715c853ad7240c51313402707ba4984bce30d42", "9e8015fe6cbbad1f77bb514e01a6a6ce269ed139f254c1d94a9a159e509febfa", "ab1167c76dd28d39e4f9b60037243b1e817b78ee2aa6373ade592b0370de9761", "ad9eb482b03d839b3251acd4aba6fb92eb8bc944aa9fa08f62f094c29c0e4ea3", "b2781f9daa0649e26351070e65841695b83298fbe0667fc665bbb338ae722a03", "b48e40ccb3efb27d37c4454e95908831092d2a2e3ee674eb974498ac9e0905b4", "b776be1bbceb07d4d52093b7f6499312b5a72de7b95e35c880937bbb6079cf90", "bc4c8c7a410c8c4a9e1c5d8ac98a27df6382c29bec55134920a128e4382b2fc4", "c0413649037793e1042ba60d1ddd2905837cddcfbb8165d7db657795e8f41740", "c075f3a03b459288392494845ed49acf8658c73a22b81317405fd728e9986702", "c147cd4388c1851b1d6275b854020319f3418e25ebef38547f8f88772614097f", "c52c03da29630b6bafc1d419e40b6f7f8b75cd29a722a2e9395315b3f1c69ed2", "c686e819eece7a35ffc6b1381a4967c5c32da9411d10263ee29d013cac97282c", "c908b7e735b19833ddeed657958d07433888075e89bfbdc679617d80f1ff5bf9", "d3e54e600d861eaead17d037a80098f9ea2546118706bf237d38651ebf843c05", "dc964f72811eff2b35466a4c251e3bb0db8da2340b1027b2eb71ffda94a8a00a", "e4abe1b5c7f172b5cf25e7365442ccf7e10e023abc28419075b3d2a42a3cae82", "e83004481c6061c895ea6355c3fefc9b3fa9f34ec95a8c25d9fe2812bb552c42", "e8e32a8d83b276f72f16fab3f573a7178325e66b768f24fe96c6b1fa063b5ba8", "eadd34ecf9ccae36bbc148c088fd0fbf721a465bede17422bdc743d90c40fdd0", "ecd7ff35b330472eb1a958cb6a2abc0f029639ae06112be2b06ce17f69546f91", "f0c4156e9bc2f3bc2d9bec7c17d9531e0e84f26dfb919b94bbc93d12e913d879", "f4f3a88b2cbf31a40f83440a3468896a80f20fdc7d288dcabc22e4947b5193c2", "f94e13df70cc0dbbc17d2b488dbf153d6166be3a613a3e5a3f56a733aed4ec95", "fe4a711e3748bb586759936108fe8167b74d5cb3b3caa952017ec2c648675950"], "iocs": {"domain": [{"host": "x11[.]zapto[.]org"}, {"host": "sambosaxzx[.]ddns[.]net"}], 
"file": [{"path": "%SystemDrive%\\AUTOEXEC.BAT.exe"}, {"path": "%SystemDrive%\\boot.ini.exe"}, {"path": "\\??\\E:\\$RECYCLE.BIN.exe"}, {"path": "\\??\\E:\\$RECYCLE.BIN"}, {"path": "%LocalAppData%\\Temp\\xkkr5i_9.out"}, {"path": "%AllUsersProfile%\\miner"}, {"path": "%AllUsersProfile%\\miner\\sHXJvbCG.ico"}, {"path": "%LocalAppData%\\Temp\\xkkr5i_9.0.vb"}, {"path": "%LocalAppData%\\Temp\\xkkr5i_9.cmdline"}, {"path": "%LocalAppData%\\Temp\\xkkr5i_9.tmp"}, {"path": "%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u00b5Torrent.exe"}, {"path": "%SystemDrive%\\miner"}, {"path": "%SystemDrive%\\miner\\nvidia.exe"}, {"path": "\\??\\E:\\miner"}, {"path": "\\??\\E:\\miner\\nvidia.exe"}, {"path": "\\miner\\nvidia.exe"}, {"path": "\\$Recycle.Bin.exe"}, {"path": "%SystemDrive%\\Documents and Settings.exe"}, {"path": "\\Documents and Settings.exe"}, {"path": "%SystemDrive%\\Recovery.exe"}, {"path": "%SystemDrive%\\366832936.exe"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\RESE.tmp"}, {"path": "%SystemDrive%\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\vbcF.tmp"}, {"path": "%TEMP%\\_ecw9cm3.0.vb"}, {"path": "%TEMP%\\_ecw9cm3.cmdline"}, {"path": "%TEMP%\\_ecw9cm3.out"}, {"path": "%TEMP%\\n02x2nc3.0.vb"}, {"path": "%TEMP%\\n02x2nc3.cmdline"}, {"path": "%TEMP%\\n02x2nc3.out"}, {"path": "%TEMP%\\nyf8h2nv.0.vb"}, {"path": "%TEMP%\\nyf8h2nv.cmdline"}, {"path": "%TEMP%\\nyf8h2nv.out"}, {"path": "%TEMP%\\q8tnr4an.0.vb"}, {"path": "%TEMP%\\q8tnr4an.cmdline"}, {"path": "%TEMP%\\q8tnr4an.out"}, {"path": "%TEMP%\\rykc4pie.0.vb"}, {"path": "%TEMP%\\rykc4pie.cmdline"}, {"path": "%TEMP%\\rykc4pie.out"}, {"path": "%TEMP%\\yjua3drf.0.vb"}, {"path": "%TEMP%\\yjua3drf.cmdline"}, {"path": "%TEMP%\\yjua3drf.out"}, {"path": "%SystemDrive%\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\ Torrent.exe"}, {"path": "%SystemDrive%\\I386.exe"}, {"path": "%SystemDrive%\\IO.SYS.exe"}, {"path": "%AllUsersProfile%.exe"}, {"path": 
"%AllUsersProfile%\\miner\\366832936.ico"}, {"path": "%AllUsersProfile%\\miner\\CONFIG.ico"}, {"path": "%AllUsersProfile%\\miner\\IO.ico"}, {"path": "%AllUsersProfile%\\miner\\MSDOS.ico"}, {"path": "%AllUsersProfile%\\miner\\NTDETECT.ico"}, {"path": "%AllUsersProfile%\\miner\\boot.ico"}, {"path": "%AllUsersProfile%\\miner\\ntldr.ico"}, {"path": "%SystemDrive%\\RECYCLER.exe"}, {"path": "%SystemDrive%\\Temp.exe"}, {"path": "%SystemDrive%\\Users.exe"}, {"path": "%SystemDrive%\\c2d124b8466cec6b3e47c4.exe"}], "ip": [{"ip": "158[.]69[.]30[.]89"}, {"ip": "188[.]70[.]31[.]241"}], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": [{"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\appsvc.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\rstrui.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avconfig.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AvastUI.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avscan.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\instup.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mbam.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\mbamservice.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\hijackthis.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\spybotsd.exe", 
"value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avcenter.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avguard.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avgnt.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avgui.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avgidsagent.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avgrsx.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avgwdsvc.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\egui.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\zlclient.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bdagent.exe", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SCHEDULE", "value_name": "Start"}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\keyscrambler.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avp.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wireshark.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ComboFix.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MpCmdRun.exe", "value_name": null}, {"key": 
"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\msseces.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\blindman.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SDFiles.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SDMain.exe", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SDWinSec.exe", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\ime", "value_name": null}]}}, "PUA.Win.Adware.Softpulse-6848587-0": {"category": "Adware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "SoftPulse is an adware that installs malicious software, leverages anti-virtual machine techniques and may access potentially sensitive information from local browsers.", "hashes": ["1a74519d1568dece3bc64889f177df271b1bf93c0db86d97bb81e44a45403c2f", "1a93550fd9e061d7b572ca6269934ae5d0747e82855420895d41547680e372b7", "1e8a9c8f07050897420bccfc612fe39dc11acec47dbb11a9b6d17876c0f1c748", "22db5127ccb49f274ab3f46f6a845bcbe693e2ed4069220c9b33c4ba7cb6e7db", "2da64c580965f9d0454b9004181ed7fdd5903e93cc41d06578cc968ac4215836", "30ff57307b5d4456c64ee80eaacb717cdc1804c1f1c49409c7d583ec9f3de1e3", "3ff2a4f01f7bfc31db3a54ecb98c0df737cd575cc11301af3b19ed99bc0e075b", "473f7dd0173bafa5de751493de7c7e2cc57fc290aac0ae4d2947cc57dcb8008d", "5492869d71c62c3ade2750e79de155104329cc08fdd9e65f9ba7d213868714c8", "54d8cb379579ab2063b223f0011d8fa2838368b4b68f070a54b7e06ca62c1f03", 
"5b5c9fd28470e81d23fcd6e5b2ea1bdf7c537ca610535d2f69a23fbd11f8d0cb", "5e69b36b133ca551c46014c80afbb8fe2d9f6edd1e49cebcd22ca7bbec82d9ff", "6e43c79b858a27b93c87498faba5f60edd11d6472da142229bef6fb1d1310372", "78ca808e8428963d80d651655c6f79c8df44448a0d0613eb442a20a3081d0b21", "7db57b97495b59e84bca9e7f48b472e7412751b20780f17f453e4cf8c9694543", "7fbd028726e320fddbf67a00ac1a43e8d2f7fdc98dcb53c84fbbd77871c88afb", "881497c1db786286caae56f5055909c1bba6ccb24628773805f0f3a3a91c0993", "8a70ba0afe5efa6f633d97f51043d6be2ff3b3a2e6c5fba979f88a6bce4813e3", "92fbd91b969e6f94853430cb11a7ab2eaeaa05faefd2856a4aa55861f035beb0", "93b2e125a810723a7bc4e268dccbd784cd95e593077ae59fd9ac4daa9e1a8094", "99b1320bd421b716118e2aa11ff0044be4bb8849f96b099c6d7ff106ad80833b", "9ec1af22463376ceaf3468b88b000a155aa674ff27910c4a2d7188fb4ed5b315", "a0ea6c233f4da2e161eb3108b9534d297cb15ec8d17eaf2d22132b0e67e99c4a", "a1caca2e8b3b96935fcde41509753f4531ec3b9c5f436c7291c422fdf4c1d7ec", "b2917e4031446976cdba6958df9d7c2d594f657232e0786b0e39039477b13534", "b7dd1658138c2c81ba3fd4891f1a3d6d47bd37b3b457842eea9f9edb152bb6a2", "ba2ecb39e408c04ab0e6aa62dc39c96fdee5054e08cb0e1eb70ee5289c483eef", "be5296d4d1b37d2a05b6ea0e10dcc32a9bf8546ab200fd5c8ad42a50edf3e937", "bf17c8f5751110be67cfac29efcc8741c9be1f84ce08cece6875a2fac4d9576c", "c36adf86164ee39ddb209f6fb27c1e39fedfd4c986f32f5ce6685d3297f37f79", "c6e2d59e5c28defd98e19ccb35a8eea6e64ea9ba129f5e39fc567503d10eb7f9", "d9b8c87b44aa5260de37a49eebf7bb89aeee12abb872ef752f15cc706cc5a00e", "df53fe8310ac6c108416ba61768344912f60d85e626d48d1d0d7414c1be462c6", "e0c3e298d4d6f8f648361d342c151b96386787a6f221cd3476b54fb0a127942b", "e4dfa16c7f63afe146560bcfc91e96480b06b041afbb98360534393129f0da6c", "e977e3721aafdada5cb0336e8de4bda3ac678e59b85dc80ca3eb9cbf79ce1c43", "eda28e18618fc8731521f1e7ebefca7563a7b10aeb9be7c97aa481534e269908", "f37cb8878aad80dedfa5714bae2cdb0cbe1f4aabc4714f1b009d0584d0fdd21f", "f68cbc4835d84d1dd8fc96da2018be3944663f62e1e4893817fba8c58e244d89", 
"fbdc80f0ceeedfe5ae2c6b4ce8869750424c8599e17af2725f08e3d9c41b1fd7"], "iocs": {"domain": [{"host": "6nu2bfmath[.]mrzp97cmg3[.]com"}], "file": [{"path": "%LocalAppData%\\Temp\\~DF38A714DABA77BAE2.TMP"}], "ip": [], "mutex": [], "registry": [{"key": "\\SYSTEM\\CONTROLSET001\\CONTROL\\NETWORK\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\\CONNECTION", "value_name": "PnpInstanceID"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "ProxyBypass"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "IntranetName"}]}}, "PUA.Win.Trojan.00519ead-6847245-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "PUA.Win.Trojan.00519ead is the detection name for a set of malicious adware samples that may use the AppInit_DLLs registry value to achieve persistence and that perform several DNS queries.", "hashes": ["06386d249ae1b3cc4bc96281ae89e10a85f68dd7e350e3e52fab4c88a7c02375", "1e81d5888f17947bcbe31a74b3761c31c4fd6b49cb02d3eb4f85e065d8729e08", "298b8e26c83ba9fd1bb1faeb5b0df909f1d163e7896e26c48d35e041aae6320e", "641432c889189c393edf97cda9b08e5b083cbb8eecc5ac09b9d476f8872ecf3b", "6fbe635039debcb4eccf4d9c24cf009b8405fbe8cf9fcc5c5f24d0ca8bffd53a", "a073171d46e57c4e308b6a62c0d14e597e95c030c019f428a26ee6c07f43557d", "a5b2ea50f8dceec4752888c5e50e364b16253160dd7fb20932d8e5e5a56ac719", "c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5", "c488c9a61f7be3a4e7b9c51dbefa36c2fe7b53904d30c38f58dcc1900aec098b", "c72e78abc54e7b785e666e0e61181c107a4cf6b9c0519146f9f2b9fbf47ba841", "f1aa892c158ea1779a210d52b9a4311245544868343d27c91454566d730aa4ee"], "iocs": {"domain": [{"host": "maxcdn[.]bootstrapcdn[.]com"}, {"host": "5isohu[.]com"}, {"host": "done[.]witchcraftcash[.]com"}, {"host": 
"thegoodcaster[.]com"}, {"host": "www[.]theoffertop[.]com"}, {"host": "myecomworld[.]net"}, {"host": "wonderfulworldnow[.]club"}, {"host": "images[.]clickfunnels[.]com"}, {"host": "tac25[.]com"}, {"host": "track[.]rightsearchsmooth[.]club"}], "file": [{"path": "%LocalAppData%\\Microsoft\\Internet Explorer\\imagestore\\aowwxkh\\imagestore.dat"}, {"path": "%LocalAppData%\\Temp\\A1D26E2"}, {"path": "%LocalAppData%\\Temp\\update.exe"}, {"path": "%LocalAppData%\\Temp\\~DF32A074D75E28FF74.TMP"}, {"path": "%ProgramFiles% (x86)\\Internet Explorer\\IEShims.dll.tmp"}, {"path": "%ProgramFiles% (x86)\\Internet Explorer\\ieproxy.dll.tmp"}, {"path": "%ProgramFiles% (x86)\\Java\\jre7\\bin\\ssv.dll.tmp"}, {"path": "%LocalAppData%\\Temp\\~DF832EC54C42A76DA7.TMP"}, {"path": "%AppData%\\Microsoft\\Windows\\Cookies\\2XVNLMCY.txt"}, {"path": "%LocalAppData%\\Temp\\is-0UA26.tmp\\idp.dll.tmp"}, {"path": "%LocalAppData%\\Temp\\is-B01CK.tmp"}, {"path": "%LocalAppData%\\Temp\\is-B01CK.tmp\\c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5.tmp"}, {"path": "%LocalAppData%\\Temp\\A1D26E2\\116E56C6A8.tmp"}, {"path": "%LocalAppData%\\Temp\\is-0UA26.tmp\\_isetup\\_setup64.tmp"}, {"path": "%LocalAppData%\\Temp\\is-0UA26.tmp\\idp.dll"}, {"path": "%LocalAppData%\\Temp\\is-0UA26.tmp\\itdownload.dll"}, {"path": "%LocalAppData%\\Temp\\is-0UA26.tmp\\psvince.dll"}, {"path": "%LocalAppData%\\Temp\\~DF12E5A698F292B5F8.TMP"}, {"path": "%AppData%\\Microsoft\\Windows\\Cookies\\YO092G24.txt"}], "ip": [{"ip": "13[.]107[.]21[.]200"}, {"ip": "104[.]200[.]23[.]95"}, {"ip": "204[.]79[.]197[.]200"}, {"ip": "209[.]197[.]3[.]15"}, {"ip": "188[.]72[.]202[.]44"}, {"ip": "34[.]226[.]238[.]42"}, {"ip": "158[.]69[.]244[.]165"}, {"ip": "212[.]32[.]250[.]31"}, {"ip": "144[.]202[.]40[.]125"}, {"ip": "104[.]16[.]13[.]194"}], "mutex": [{"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}, {"name": null}], "registry": [{"key": "\\LOCAL SETTINGS\\MUICACHE\\3E\\52C64B7E", 
"value_name": "LanguageList"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS", "value_name": "AppInit_DLLs"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS", "value_name": "LoadAppInit_DLLs"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS", "value_name": "RequireSignedAppInit_DLLs"}]}}, "Win.Ransomware.Gandcrab-6843341-0": {"category": "Ransomware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "GandCrab is ransomware that encrypts documents, photos, databases and other important files and appends the file extension \".GDCB\", \".CRAB\" or \".KRAB\". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft.", "hashes": ["00e77dd692525ac51843e571dc4401ad383b01f3789a96ad952ad46e9bc30d5d", "01ad099c08042d05bcc5c708aeca7a3479f93def36318469c05b3fe2c25a202d", "01d3aedbbcfde336cf132fa52fb87f0a39a7e1c55cf8e30e8f79df6fa6cf2a28", "021f152e82d84617ac2ba999f436fcf85f35c9c17da8f7adff51d6f6c332c63f", "072a1a933df1fe1e0c90b07b30bf82dcc16fd860e47ac94877c25c05b89a1147", "087af2abcf44ec68d9f1f55bcbae03e12ff0380ceea4f2197fff9b8d353f417e", "098af1ba0b5cf4d27f8122eb37bc7ab009be4f6c812e990639931d8504d3619c", "0d20371ebb39d45616ecdc0ebd1ae457f98641a14c8cd3c94e553fe5cb71e128", "0e90f5195c0f0c81cd631c90809790490a7a5cac5eae61bf27332b9707f9e3f3", "0ffd01cae290d5ff33af6dcd087646bf86a065fd02f196b7dd3afe0bb5c08d75", "103f6e49c97ec73d623231fa92f418032ad223c565a7fadb238cc676a6bee79a", "110084e96789b6e657a8453d8614c14344e03ca4dac55076afe7ba605a68ca06", "112dcf3ef406642f9b2459a27dc79f626d28ac93db3482691eda8db3bbafd80b", "119238f37579434b540e2a4cda59261d86e9a9ac0c059dfd2daf699c5a3e6094", "1388310e5f683da4ad3e774923c2616a7137dc1da691efea313fccd2a0f88da1", 
"1694e9584805e55badf8da9ce6f8b4122e3bf419bfb22070d3e97b83be0caa73", "17517aac50cfcb9b6cd779f466d6ece0ec930071fc58e7b4b391a8e79a7ef49d", "1c4b31ea552e67d0e573cc3c4f4c93387e79e931e41742129dcf7b1cdc55d4d5", "1c700576a51cdbee44a25972503a64ebc9d4fef602b4702fca9eb02e8622a7dc", "1ced683893408d370315083efe988043cb72a864a03a3ded4a94d047d2bec262", "1d4f89c1ecd931c4b5cecfba15b76f1d6607417af487654da1d50497bcda1cd9", "1e1b83c79a5d2ff5ec3ca325debdb29f66d83f362d2bf0ec4e18c6fbafd6c179", "1eff09710c639869bef51b90404569a7917aa23afdd290c8668e617b1757a231", "20be9f6a086f07dfc3fbd8a5e6a060e50f360629e428077665980f6e6e401079", "20c45b4970eddc186e8e77266e5b2282c6faf4d53559482200c4d43404d23f7a", "23befbff466faf0506b80514279e5dce449da5f3d367c9f85f1eeb41f69dd427", "23ce66c7928c8d2f40c9c2fed652ab41aeed37b444b9b2bdb12fcaf8946a6c6e", "24827dad22bcb63bfd69cda2fdabdadb314ad1d5df108be0d473590bd5a4300b", "24c64ae7cdb7622376dbd2b89406d336c10b9a9879b68d544b640a9b463ee2db", "25733d9138ff7d546339f9eeb18b810b82d3009bf4fc942ae2d4ea3c3e35dda6", "25824ef26efd928e808fe9d94ef0f2c4f56131e85e8d215b006240e497da044a", "27778e3a6adac154be534cf901d784534d523822ff340aa7c476c9eafa933ef6", "27b0e962de3bbe366a288ff4756433e02a14ac1e2d2ab1d9064c97546a305b37", "286cb75fe7c3ec833634b52b935fd4f87eb064ea33868105c416fc06fe100a5f", "2c863d12da4e6be31b3066c9b25ff0db01b639f596389145825d7e89f95df51c", "2e842ec3bfbba2d67a022dd3cb479e3f0e4b0456b7aeefe621677e0afbee8df2", "2ed8593b7c964e2ccae2f412c6f30a0a7d2dbeed97151d15ad06629ea20b5c19", "301cf29868a6fa06a9a43c711d3fb599c2480b31c107180db715f2066cd7202a", "30b49278842969a45d66da0ce209d892d3e37134d611ecfbb5e92d58a5810379", "324d230830be6ff01e398a0eab613c8c9abe603de2f81d22b253e8fe8e429d2e", "33b5dca3d871d18e71d5f3397f1f8812abbd7f7a2da95087b0bedcdaad1f93cf", "35c03989e7942f42a80374cba564cb745a7184428c16bf92ba7fe582422454f4", "3742b5b2403302f28021850864f327d6f88b052788befa85e5dce93899b52e83", "37ecd3ec9d8a4577a99bb423c2f8fca03a9ec1e215e3b68155d21bd7f76b34f2", 
"38124fa1b5dd0d0f9e8c46d6b2c62982c8fb08cc65454ea1af0a7d4f7cb14088", "3b0fecab21552d89ea5f24946326dd26b7ac02090603f996d445cd18f484ecba", "3ba9a0d26f4e6bee39ae40b39693b6346483192e8503224a0ca6f54aed59606c", "3c2ad98f6abcc359464f8c5655de8468cee5fa45893c205fda09221a042c30e4", "3c2d986d4bb0c9a95a6e887a7b893f3b3c18be7d1000d7081739d754ad549d7f", "3db78ad680eb47ddc9366821ee81b07886deb72e0f33b3f7866f726c8f19906e", "3f53803178d8a29f1a5a1680c53b4cfec7ffaea31e48de7f823e445169e713c7", "40a522d004df6729ea1843a234356fde4913bc920e189f1d44aac4aeda8b8324", "40eee7106fd3f4f2e12d90465a98c794e335486b100f5c516c21a9657deaea7d", "4309a55b2f84e6e06e097a46777ca52a59256c794163688adf2e6506062f5d77", "43240157ecb5938d5e5d63110b64d98f9aac0065695fee1f71edde1304128e76", "435d9ec046f1cfda43a286db81b84e7ff47f2ec59b96d06325edd1a706ed5564", "43b08564e3a0277728e57de8dbf6463bd8ff0a3a2188ff25bef558274ec159ad", "43b51cb12c360fe86378042bcccdf82defb046091d5c51524fa88d50c68241b6", "45dd45b07099c0517ddddc29b6e10a4ff64ea45947e70001d28b82ac9814d7d9", "46927cd32193f9029ae2b80a740671cdbfd0b8430158eb487d7f906a2fc88965", "469ccdbd7595a9f3e680926f7b1309c1dca669d8cb5dab2b7d30bc52b941332b", "479727c9729e455132918dc534c53f4cc38ea5853d27de3ab0aa4d7fef7a8946", "49e5da7230443d5a71106944957c8713d8dee0888b44d6b7b77717faf4c3d21c", "4a79d7ede43db9c9496b6f79632fbac5f4626737331370cc1e965ba74cafb08d", "4b4c1cc29ab2ed062b1ab593fa02a0ff37675c3bacc55a39def8197f62d7bd98", "4b86391ba029d5c05eea6b98f1d4841e45ed65396028704af3e87de66ca351a2", "4c06eca0978e9e17f1d0c277cf7b8ffb6c01561adb1577013dd2b00c26ee37c9", "4c6799a046de0d24886e775b20571efc197754db06246f5d7795a8eb31c626f9", "4d135e396f1262499187525a35e369e1c37dbcbea88e5985b71f57003529ee2d", "4e8825e7ce9e1772081038a42411f33d91485d78d2655bc17f6b94cabf7229b4", "4ea9d12b87a21af9ba8c4b4bfee0404d848a48ba75dfbac200fa6d85a0d8b424", "4ee5be5dc080c8551444d00fa1fefa9f250e0e3ec4ac8efe0b4b7e831b79c005", "4feaaf10058865a6c75fcc76a1044e7f833848129eef6105b297db54c8cba9c3", 
"500a4558cfc6c8790a7ec66753116aa1d00c05161d85fc738da239488b1ccfba", "51ede87e671815c4a7e164beb1169898184f273c0c4ecf88259e9ac7e7da860e", "53549e695389cc6ee7fa0627b75d8f57b72afe29937ae4aa09fdb2d47de0df80", "54d4bade818ad023338bc5b961a849da67333fc4b297e31786d0bf8b6d8e7d5d", "55a4481cc3280c4aac92aff9c907ff842b8e5dc736a78dc27e4d08bdd5750752", "5650862599b5cb4b2944864bf8886a07d92a563c75d3299540adb8f7e55f42a2", "578bbcc4b47e7c271304314b08b6bb332046b5f2278d6fd610a9c83ad450dc5d", "586b7ec720fe77f97b271f498f4f8a6e5d5dc1cafab3b51a645d3afeee071c5b", "591c22fecf2f31b1e74e00ee2a454f8c416c92ad8e26fc5358812a4fd9c2d5e6", "5941417eff20954662f8fdc811e3a7715eaf9a0b151d9524ef861a87eba71454", "5aee01b2c4849916cc6503b4d15b566bb19cbcd5a7ca363e084f6da511f19e83", "5afb3707ddb27bb2a77331a1778aee9dee546ba635e57f89b760d4594bf88d43", "5ce28da72b1dc2c79d378f11f488ddd95fe65af8b6b1b0163f6445781eedf681", "5e21a2fb1a9102a58399e39dd4ad069d08c515004ecb09a1248c1ca3aaa2489f", "60778fda381c84fd4e147075ec578ad8d4d0da8e7ab7c5bf589420f91cb7a768", "6223134f10105fb3d0508412add675550957501c79e0734dfdf86e2895d5c9ea", "626c7ca8b9235278ae339f97bc98dd00dc00489c8e50db5e8bdc6e647f455404", "62891445fd351e5f40e2ec6ac60b83db751ab0489f72c5640e9ad648639860a8", "633bc66cdd7df588fdd115db0a48c2a6e486392debb79d5bde03893103c5068b", "64163560c8a8e849e96c927f06066f22237b37a62cfde19d057923c87554c802", "661a7d16c3ffa306f3afa280a0de021745b775d75a0de5662631079fc5947b87", "674ea938481aec148f63e4fffeae0b672cb28bcf4a477042509ccafc1abc6535", "67dcbe3aeecda95fb793e5da45f1ce461fa2676edfc4f0fe57323ffa92ca2fbe", "694dd84b03f7b9a3f7ed511349d8a4a8ca2bbdeb11acf0c0ff5cbf90bcaeddc2", "69593e45e9627259a191c54f1470fc5f6eb8e950af7415f460ae4cb2cd78c08a", "6c8d126bbe712bf4df9571405fb7c9c5f930aeff0c6f84e33f870d64b0b41078", "6d426bf91fb387e9d52d9a39c0fe4d1d00427a3b38f97be80dfc5983f1994f14", "6e4767f94772ce50c82b4ea8b06a4ef76b5a8c9332fb609e6fb9c7c59301b2e6", "6e89932a1ce63850de01b96beabf7e57fec31e2849096171176a1976730b29aa", 
"6ec7f61469609487a2239c6ad3051336826342be9b2eb74c71b47cd8fe0e961c", "729685c820989258fca2abd635677bcff001b053c2f9c74a128fe5c1626d3b7f", "73df2108f41e75e64b3139f5e1fb602e596de89ea7a581dc52c647e1f625e146", "74edd94b45607b5ecb215f99be26216bf72670f60bc477ac2d16298e924bfbe2", "7703491eb5ea752e7dd1fff570d3da2407b7ce278e335a6cc53d711e77d47494", "78d610fb955b9acae2dc6b363d11f06e7633c7e9aa32a49f8f7fbd0b99c9e937", "7987e99fa2d39879e9b83cc8b77806d26fe8d488d47d63eacd418e93fcbcf47c", "7a1d8e495b5aba691b6e90dfbf6c1c511a5683ed8184fc05d62196765bf10139", "7ae4fde7df1c5849b6358babe2041496d1f77c510184f12a5049129010ce325d", "7b42cb10833b1822330612cbab746de7ad17980fa9e93fb806091b0db83ed8bd", "7b831a66b31074a2fd6f6088270d5980cd6ec65b6f9af0e14a64c04011c4a551", "7d7bd410a951bdfc144339195bae6ab73b784a63db33d592c12492d91df6061d", "7dd8c97f1ca4d48ce34baefc3f0158f27e0dde5eedb0d2378f65e555d1845c49", "7fedb2d816ee5182e2f6530f3df941123a33eac50b528ff68fe42a438613fdcc", "7fee34255f7c35ebe02ec64ac9e24198d11cd397575b41bc7a4aa7dbf0f58218", "8021324dbfa2255fa47ebd4ba0eb6a9e08da8f33902d254b40667006fa070f2b", "8047f11a062489ab8a7249b8795c686eb682e38d2c4de2eee081d4525a6b0ca4", "82a0436eaf0f60fd0b603520f47e8a14e5fa04715831ebb931e5e3a50e9d0403", "8422a47b0a2cd62c622b95269fd4e5af52a3a1909b16fb1481ee4e3545a9aa62", "84ef75b7a7ef491a7043d570230ea618d88bd361ecec7c4033c3e438691b395f", "860397a5d245665865e8f32240ec6f019306313b781bfb8d72921c8c1c0fc41c", "86200c950525e8d6b7bfe9f082b69f77b8373d90b52591757328a9c6c8ea1133", "88e51d2c054990c83c21ae0dd3cc41bd1c195e6f1e193535654c17d9fc059619", "89b51eb4960f796cba9b1cc5202a3fa9280200e9be80b43ab935eeebacafe8d4", "8b2607fa8bcc561587472c1e9039f522b46bfa17de7eee7a3c09b67be05d24b3", "8c306c20430d4d181c69008f00cd8f2fdf02fbd27fca1d01d7d51cb98ce0beb4", "8c59b281e24ab829c4b91b88e9c9985489e120138ec68055dc3bec6ff6c4fb97", "8d704449f841e574f7e8df6f3c01e82de2ae67ae8cee45aeb6097be2e8c79c15", "8dc216099ddfe563996efb58cc9fe768646d3be9aad834d055ce53564513c86b", 
"9172ddb619a4f1f66de59e5e6e8447551688a68505e249b61bb7aa60bd6e9d75", "919b2c592a70d71ed901619399a90207c3a9f94785f84b6e42ba0f7eb091f1fd", "9203b2d2cceb30797f19f7ef5a44079f23f8caa0eca0156debcb17bdaecf1baf", "941b3c16ea6247a4c61b5bcf0e7fe1c9d48d33fd29640ee92c4bf551b3f4eb69", "949bcaaf127ebf76f075e2ce2ac73a3ce7fddb8281bde0ecb3584b95c0fff8af", "969b14cbf40ab7ad7fafad66cbc134fee66616692a8dee98e131493a394e10f3", "99d859042f788bbd46d65fdb94a01164eddbc6af21020575bc361dc895546d4c", "9afe7186e4f4a3592b6276bbeedf8c299ef51ca6cd41d962bf5fafc7d8a5949b", "9b71e96a6f7b07093a5d8e24f0cba3c8c4cbdb166aaf98e0daaad56aa0b1f450", "9b7276e1531ee85e8a25cfa35cb0fa8324ceab632bae7f305d007c97203ad08c", "9b916e9bf522ae610ea354cd1cd66be142a4b314930051a4bdd3dd0eb18202d8", "9c082d4dafc7b80596f32e747118db6f75276b7556b68adc86f7099214a07917", "9c9b01c6b4a3b9b9e02d77e97c1505bd2de9a770bc9c1794961f1589220b0915", "9cca1eb44280dc9deeaea17c37c3b95d1cfe8400c669826fdd31c037e34af88b", "9d2436de7fb8f1c85c95883d4c4e6dba9972be28d092430386876ca05e82781c", "9d3c36fbcf70464ba4f8e3ef4eeedfecc424336a44ce705d006b1e3e676f0190", "9d52327d85afca674d10048fa8a07cbcccfad19e76874d9e55ff89acf7398496", "9d97533e3ca57b03b7305569c62e66b2f07f694490e1e5a9dcd5034e1749e50a", "9f41e613a414932977b5aea0549ef767c6498c82b9066d619de81ac9c6c938bc", "a124641c2131841021c2406979fd0ff36cb4465ab8c367152127968a7e3cef7d", "a34a25c9ea6892e04ab6a08e3971abd04867110a47aef0070b56c11fb30e0075", "a58f43712cbcdda32366591eb1c82438a74cc5cc7e3ec25e89e0953bd10bd793", "a5ea52f343a1c998cda689352f59e6dc2b7512d6cbe950843d7168e325474828", "a6c85de77aeb8591655f98a76a0ffb4218aeff0c4b2a527b640fb42ca100281f", "a70e4301fbf3bfadd8f0fa82b6e609f3673c51eaf807b8de1e5aad30e36c109d", "a90998d5579eb1c306a150e1b8dc72142790ec57c6d8e0518319fa7a1cc822e0", "a95a3080c3e43edb25bf84838d7b571272d17c2e20cefabcb0b543f6d75b8099", "a9849d343752a765b727dbc7f713d9a213e0b96f9a20104993b1717f0b8ed510", "a9b73ee1f69bd988b5ce979851b0575b510968727a8632c5f16f2fe69d6a70ef", 
"aad5b891c84e1b1d6e8bc27bcc55333402e59c6ee502bfcf92da8fd3e2b6b524", "aae32dafd508cac0457de95b1449a71c1e4f9a8ff6cfe11dfdf80e0664fb0988", "ac3fdf3485925e0449554654e37cac1cffcd8783934e7778867c717051a3af26", "acd5cbe90899c96b96539b244d1fc848a85d419439af4cca6bf7a14f97cc24fb", "ae08fc1d6b3e8974c34bc5f94eb6049c0c8cdb093c8c5bbba898d1443cdb3da5", "af49be8bae9181e62639639f5c9ed82aaa9b10456611daa29ae0f1630e058ce2", "af5fc1261e90d41a7506a104e7db5603f0c0ff5844e571a5bcc2cba59ff80ead", "afc11c53eceff5c0f693e4f71e10087a0f7bb90a59b00d0609d45bda63a7f98a", "afe304dcee4c852a072b33ec497e3c319011714a5193fcb213ba9eb4fe98992a", "b0cba8680c0755acafc0d915f3f09c6b926056f1588042fbc0ae4d55af2e780a", "b169708fd2e98cabeecd26516bd70375bff2c38e74caf01804fb417d2f5df599", "b1f1713fb326f3f141348cb500e8f4f7566036c08a02aaa7ec39bc2ec8f67061", "b3005306a4d821c4a363428694c22f3b55f2a4cd4f4c7b1aacd4d831d139ccc5", "b31669306d5be6c3b0aeb753e4f4aa1757df9031c9b589e84752e4fc45ccb55d", "b4fba84db269755959f023dc8adafeae210a8a289ad111d0749a2be7fccf6bb3", "b57a4b1e97febdd42e013637ba7ca1a761e9a97762e3835c101ab4be7cce1b71", "b638d95a4e6f14294b10e5ac518e0472e638a9b53b5623c5cae95e77b0ed63ed", "b7a8eef22fd55e0c5338d15b098a39d7f4601cbe42427eeed2c66dad68ee5961", "b826fd502786543236390b7e2f8ee5aaa3d05f3f8a71b38ed4cc2daf8ffaadce", "b8531dc040a6e75f62f60cc1d189113872340a69a069b0289f34efd4aa8f28bd", "b9d088c30c11e68363e470225e74e8509c0c325c83c04524b3f741cee6b5ac48", "ba3a721f5cc75736922146acbca24bc767b497670826d7f022c7d0b8b1774f50", "bbe598af4dbf07f3befb765620f1c01652da898a92f5e4a3a1068334e1e5b26f", "bc9d132ae770625b3547ade8c9c270d1024aaeb7f695b5ae7a83ff2f023b670d", "bcb063ae3ea5685c09646be77016fe882d06135fb5aff5d44b28a52147f2a298", "bdf804807d37f741ed340687e0ddb8247cc5de9557da24506000ed29f8e5d230", "be59c8e99bbb03e12722ccf8f0b9adce7c095d821b27f76ca675031003ef42ea", "bee0b4054c2be9b7e4d8b9cb3d06949ebab8dcf76350a119e80205a0b989826c", "bf4a7b971d72b1a981ca8d1d4f76c6b23e54083db7cb3b8e6c9dd2b3ed61fe00", 
"c11d967d6706a176270b4e2c6cffbff6991e2fa5a32d148cc6fc57f1c8c6323a", "c180b3ce9867ddcede987608de158865d6155a66930d9127fd287d7e8f181d68", "c478d3bbaabb5a751282129347f581f0883a965850dc3f8133e525e8c0a47c74", "ca3a4d5c1211c09ab0d0d34d9810729c22fbfbb3f7c4d21dbde7ed2ffd4a8b67", "cb7ee343c0e8e5b46f7c277207f0eb5bb3d2f689e255e652593e3b4ed0d7d790", "ccba5b8ba2495e674286bba6491b11552efa8d4f2766941b2f29ac5310338cac", "cd2b92952ca07a88d6b3c49117099c093ee632522d3b58e374d93a23ed4f28c1", "ce9b185ee1a489ba9437e36cfd23f6f767ece5f7d76047bbc3636f8a0b8c700e", "ce9d1ce6a6eb89efb7f9422903df617414162f90201a2043abf0bc2689481c27", "ceb2821c8d02a275625121b17bd441c6eb56e0eebd1854e627467c0a4f29d150", "cf93f50f3779f343a4a7191e2f736a3fd7b4a073fffa74ab52ae3548f4469f4c", "d107b14887615552dbefb51d491a3b72b99d3d83fffa35a632537af52f20e6e9", "d20cd53a182c3d6599b9ccd8c415172f1d3ca19901c1c951b4bd505c4dab8bc6", "d3fc3392e6f41093b7115c0a589348966bf96b65e170ba33691f222b9e6d74df", "d3fc732438e085f7ff869f468d3e499f0a259025b9a11e827ec1d8394fd72627", "d7985eb57d50fac0ec2169c21daa6989d81b70ecd427f2c52c04db6013bfe60b", "d82eaf5e54ba008526ecd690962ec1096b3c5572600c2ad64faadaffdcb86b96", "d87295b9423f1ec6332b55e8b7fa4f171737b45242918b535c45d01738499a48", "db5c5193b0b57a0ae28bfba646e96ac8f6fe24f8e31c4a12d6c419c09dcdfb5b", "dde4b5e5e29723bb78c07da1cd597e09089864fd2be368360ab8476587b882a7", "de6d9dbac346da23d53743021c3f052cc40c1a25a51d01b13c1984be9f5a212c", "df7c947456e229fec00bd0951977ca52f7d9f83d5e654f2363918abc7292d331", "e2c07bf08fc9526eefcb0aa0de71745be838002e19e0f260d6e27b23ad5ec2c6", "e46e0efd3cf469defa005e3ff1659c6c8fce733cf71f39262b395e1af51571e6", "e5e3e426f09c32e678ef4b8c3cfeece53c9e36074b387929e7930804074eb9a1", "e5ede1d3f67b5717ac2b069cd270118cadf68c6691af6e0d101786cb6223a169", "e621f0a38b03d60ad7e5bcb9cdaab5e0af9cc28a6a057c26aa7368592e2c6a39", "e63ac0008077861e9b3fe3cde459b6a157db76995362169b5653fdb74bd37937", "e690aa1f792acbee420bea94ebf4d4ea0f6860da9d84c23b9c5ac46f588c4501", 
"e69dd6950f78d137d73da72937c8fb962b39c46bddd3c2446c7ab036b587622d", "e876d5b97d5ef7cb881fae046574160956aff79e02d105d1e6d0d0f913d3c5da", "e8e8f40dec9e5f0b4c2a3909d6bd03ee9e6551a20e80b6f63f7c4f6fad85a346", "e959fdd31a1a5702fb212371df2ce5a4a48cdcb9965bd9128561615ccc700c9d", "eaf385f0bb66299651935cd81b647cc76f28e8649c26a0842c55d337b0cd91f3", "ec306d849e03a981061dc8c7b60335344c47ce7f8d55c7cde88cc522931733b4", "ee36aa7eba954298385980721d08a43bf1f96ac8efd9ae9fd0e0f0c841388b83", "f0e02aa73cc8cd03ea10397373e68143de13f1d207f803eedc237489238d6979", "f1a9af1968579f3d938d7eae371d16664dc39af1b8ebb0b6d88fe1a34d086527", "f34ff505575eefe0c78a8e4ed6120a2260bd66d5a6712d06a2cbd1b1541d9f70", "f43822b8d1a0910e37db684ac129710bf1c9b5ca05a122ba02fbd98d0cb31561", "f5adac7a5ab739081fdbd578e86b62ec76d9bf6993cf0fc9161e7416707cc845", "f658829def0fa27a15965f1819eb6b4059bc56a1950ad1b9caccffe1bd6408d0", "f89f1b15c8c79f7bda0660647d611e39d3cdafaf15d6452345e8a9233b4fe4d3", "f95e19ddb02470b987c6f59a4a4a8c95ba0d8f2ba297064c88fa8e4610db40c3", "f9a28e9735ed8526052228c08b6440651cc14c9ad33f2427ace2ab1a7ce872cd", "faa37721ae3ddad28da03545c1ab3badf81ad68934bc5918c43db3ab06e7c45a", "fb193686075953a62eedb0cf2f585e1aee69d987504c92fbb14ee821a7a27209", "fdd6f630d17a53015101297b13ea31374f1d65d92e667823c747f1fdb35c338f", "fe0d106416538d9c87f5cc63908c41a417dec85c48aba776a2f6167bf8e1ff1e", "ff87dea07cc5a174d67b773d4e480db09cdbe64cd36424ff962b93892be711c7"], "iocs": {"domain": [{"host": "ipv4bot[.]whatismyipaddress[.]com"}, {"host": "nomoreransom[.]coin"}, {"host": "nomoreransom[.]bit"}, {"host": "gandcrab[.]bit"}, {"host": "dns1[.]soprodns[.]ru"}, {"host": "dns2[.]soprodns[.]ru"}], "file": [{"path": "%AppData%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5"}, {"path": "%AppData%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\Preferred"}, {"path": "%TEMP%orary Internet 
Files\\Content.IE5\\C5MZMU22\\ipv4bot_whatismyipaddress_com[1].htm"}, {"path": "%LocalAppData%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SSZWDDXW\\A71QDCIP.htm"}, {"path": "%LocalAppData%\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SSZWDDXW\\A71QDCIP.htm"}, {"path": "%AppData%\\Microsoft\\psznzp.exe"}, {"path": "\\Win32Pipes.00000328.0000003d"}, {"path": "\\Win32Pipes.00000328.00000041"}, {"path": "\\Win32Pipes.00000328.00000049"}, {"path": "%AppData%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\bb5ca9a3-5378-4a8e-8196-42a28d9ef0c9"}, {"path": "%AppData%\\Microsoft\\hjunhw.exe"}], "ip": [{"ip": "66[.]171[.]248[.]178"}], "mutex": [{"name": null}, {"name": null}], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyEnable"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyServer"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyOverride"}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "value_name": null}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2019-02-08T16:34:07+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threatsin this post is non-exhaustive and current as of the date ofpublication. Additionally, please keep in mind that IOC searchingis only one part of threat hunting. Spotting a single IOC does notnecessarily indicate maliciousness. Detection and coverage for thefollowing threats is subject to updates, pending additional threator vulnerability analysis. 
For the most current information, pleaserefer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["PUA.Win.Adware.Softpulse-6848587-0", "Doc.Downloader.Emotet-6846065-0", "PUA.Win.Adware.Razy-6847375-0", "PUA.Win.Trojan.00519ead-6847245-0", "PUA.Win.Adware.Sanctionedmedia-6818436-0", "Win.Ransomware.Gandcrab-6843341-0"]}