{"Win.Malware.Autoit-6919193-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Autoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that makes it possible to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions. Note that several of the file and registry IOCs listed below (named pipes such as \\lsass and \\samr, DPAPI and certificate-store paths under an analysis-specific SID) appear to be generic Windows activity captured during sandbox execution and are weak indicators on their own; the domains, IPs, the %APPDATA%\\D282E1 directory and the 3749282d282e1e80c56cae5a mutex are the more specific artifacts.", "hashes": ["00e6268b7676fe162515c9b4191ae17186d708961a5545cf2b0e76e0d702a035", "02f9a5389aea7c071f277a51bbd449d845b7e5acb5a94c5e795bd283415569be", "055f89ea1016a672124bf38461d7a04632c9caf270714a783b34fa014e038c57", "06e27b85a1994a896d81cf423bbf9bbff1bbc5d89d26d4aa8b0fbbfa6b824d13", "0837fda8e72d32584a4c53dcc8f7ca75f38eae979d178f6db434e9521fbe82e8", "11a4e3e12cec6041bdf9508c56a7d75a00992f59c929172eabd8725a89904970", "15159b94f3fbf990f53b9df0a5f08b66fb1548e84d48c99a7537be84bece2062", "1f450f566e7896c60524017d006bb01902e854371313abb8d8f62038de2ecc7b", "21705746b4eb464753d99cc7999db91a55ca4a8a08ab53b8031c969adc47d899", "31cdf98e7e648986edabcbf58a70030ff882d2ec08106440b2b97b7d17d890f5", "468bd5cd0779eec9d11b325e5dd7aa7721e7189a04b7d92a236279d1cbab4439", "4e46d7ddef280bb91c73f15975b610d3bc4be014d29f05dade4860932cd63913", "556b0f36507a9da9bc8236d6328ac25b7d42e7d62d859ccb6163d117d9d39ccc", "64c2d4517abd6081f6401ee4237132f087177b8891d9840ae9e69fdd128dc9b0", "7254eb9ebb64ad0916d7678e8d01fca31a18d73f970a64394f9fc88069590929", "8594f3e2f19d3512830312737a9706fb8a3a92ab8d4afad9f2005c8d6c644db7", "8616e952c063ad624242745f595803a39931e134bd319b57cc36251e73aad3cb", "8acab560aa72f1d6a39b1bcdc48334e51cb9654fb21185da22413434bb01d22c", "9104f6034c2e99c2fd8d3158be68b20a93ba51f0d25b6e4908094f75cc3234ad", "977eb4729a3f3f20fdda9cc7cb4ba5e5e6066f3e9f0d05874b9978bcd6471532", "a428bb2458b74579874a41d9ebb463835dc938777b7a21f52454af4e52856603", 
"b1aa39eef0e0f815f9c91993cc24e786cf050f17e818f103416e7dd95727b911", "c0406b0fedfb94e25ddd6b04947830c82460f5080999ad08fd5abc23fcf004dd", "d9e637657dacc3e665fa5abbaa30443f474a299c0fa61b801409233a62e8440d", "dad963b9062233185343b7564500514c8e51ed1056f717615e7885524a5ba8a6", "e474d639c4d14a5b99603b9c03ccda660a3f1d8b14300cf3596c344c5eecff8a", "f7bc2391503d80a71730cd8e2bf73762e4798b3f132f9525bf4cb281b61fdfe8"], "iocs": {"domain": [{"host": "jfnutts[.]com"}, {"host": "jamesxx[.]dynu[.]net"}], "file": [{"path": "%APPDATA%\\D282E1\\1E80C5.lck"}, {"path": "\\PC*\\MAILSLOT\\NET\\NETLOGON"}, {"path": "\\lsass"}, {"path": "%APPDATA%\\D282E1"}, {"path": "%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5"}, {"path": "\\samr"}, {"path": "%APPDATA%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\Preferred"}, {"path": "%APPDATA%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\7bfba4ab-37fb-49ad-95de-c46116256232"}, {"path": "%ProgramFiles%\\Microsoft DN1"}, {"path": "%ProgramData%\\images.exe"}, {"path": "%LOCALAPPDATA%\\Microsoft Vision"}, {"path": "%HOMEPATH%\\Documents\\20190401"}, {"path": "%TEMP%\\~DF3968B9D4F94E63DD.TMP"}, {"path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\.url"}, {"path": "%TEMP%\\4vlsgi4i.nxw.ps1"}, {"path": "%TEMP%\\gs2vkrhw.jd3.psm1"}, {"path": "%TEMP%\\1xjo2rvg.l3o.psm1"}, {"path": "%HOMEPATH%\\.exe"}, {"path": "%HOMEPATH%\\.vbs"}, {"path": "%HOMEPATH%\\Start Menu\\Programs\\Startup\\.url"}], "ip": [{"ip": "62[.]173[.]139[.]203"}, {"ip": "85[.]143[.]175[.]2"}, {"ip": "107[.]173[.]219[.]120"}], "mutex": [{"name": "3749282d282e1e80c56cae5a"}, {"name": "local\\zonescachecountermutex"}, {"name": "local\\zoneslockedcachecountermutex"}, {"name": "eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - s-1-5-21-2580483871-590521980-3826313501-500"}, {"name": "dxdiag"}, {"name": "\\basenamedobjects\\dxdiag"}], "registry": 
[{"key": "\\LOCAL SETTINGS\\MUICACHE\\3E\\52C64B7E", "value_name": "LanguageList"}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing", "value_name": null}, {"key": "\\Software\\Microsoft\\SystemCertificates\\My", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "ProxyBypass"}, {"key": "\\Software\\Microsoft\\RAS AutoDial", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\CA\\Certificates", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\CA\\CRLs", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\CA\\CTLs", "value_name": null}, {"key": "\\Software\\Wow6432Node\\Microsoft\\SystemCertificates\\Disallowed", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\DISALLOWED\\Certificates", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\DISALLOWED\\CRLs", "value_name": null}, {"key": "\\Software\\Wow6432Node\\Microsoft\\SystemCertificates\\Root", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\ROOT\\CRLs", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\ROOT\\CTLs", "value_name": null}, {"key": "\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CRLs", "value_name": null}, {"key": "\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUSTEDPEOPLE\\CTLs", "value_name": null}, {"key": "\\Software\\Wow6432Node\\Policies\\Microsoft\\SystemCertificates\\TrustedPeople", "value_name": null}, {"key": "\\Software\\Wow6432Node\\Microsoft\\EnterpriseCertificates\\TrustedPeople", "value_name": null}, {"key": "\\Software\\Policies\\Microsoft\\SystemCertificates\\trust", "value_name": null}, {"key": "\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\Certificates", "value_name": null}, {"key": 
"\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CRLs", "value_name": null}, {"key": "\\SOFTWARE\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\TRUST\\CTLs", "value_name": null}, {"key": "\\Software\\Wow6432Node\\Microsoft\\EnterpriseCertificates\\trust", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\TRUST\\CRLs", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\ENTERPRISECERTIFICATES\\TRUST\\CTLs", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\RAS AUTODIAL\\Default", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\OK3KMXI9HE", "value_name": "inst"}]}}, "Win.Malware.Barys-6919339-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.", "hashes": ["0869ac4f786a1f544abdab137e4470e008b50ae49e740f4137d2457805e4ded4", "0db104c871e5214fc4365b34cfdc74c4e0330668da0399653865f43d96b58160", "106af8294406803fa0773813b3d827acdacc00e2faabb99d215afd091226b7b2", "1ea3c3bd8673dec3901d7f82b77f8e8bfad3bd51bd80d7796b2a9b7e07a98339", "223b3d2d4ada9ab9423efa187c1d230503ebd37fecca1209f3afcb9c15d961db", "2ecbd255bd3f1a60450a1b7df2d3643ad517372e9a74b41fb2981d31ceeb017a", "4034f9ff4d3fb10e1afe93e12e97183f8859b5c745cde8e9a52cbe0c93a7524c", "4b89e180490dd4da410bedbccb5c98cb78901b752eedeea3588c25a833117b8b", "50136cda2cb504a1c9dc6344b24d1b46c5c24c87b97fb33da23ab52346217f95", "5316ea912b78ff5f98cffbd4104bc5f57abc07946e53a0e7b4ed4100e9a511e0", "58007a4c73c96932b44d67ec7c6db050ed18577f2cc5eec427be6a2b6a962dd6", 
"5a5c3aa34c245fb90404cba3d98ab53445683ed8dc470bad316707915ad1fbe7", "5e0b77a4db61b89aa98faa07433c12366cef0b747b677005df139c18a48e8643", "60a0121cfcffdd898bb452aa464bc9dd0cf658b11285b4ba917c480046503370", "6b4864ef87cbc0b4884075a60f5bfbdb39e84405fd6f7f01b019c81013ef9b68", "7e777487165f72a5d42608e2bc4c3fb8ccf0c2aa0c059c53f4c05d6318803be6", "809c104c5546b025e8680f612573ed4e1123a19cab555deb9984407d69c18abd", "84d35bea78f59fcb33cc45d7ea6eca8d9cb1b9b1a1a5c493e88e020386c1eb43", "868b8e6f1301f54178839130eaefc5bbf2e6aa1c78e6054389a1f2d0b02a1bcd", "a0aa2c03d0f4e9caed5f0a1e52e59423944864ad2d9ccdcd54b271d7133bbf2f", "a6e84c3b4c46fbb17f9ae770c2244579ab3e7b82621290d977ff93b539b9bf37", "afecfc0b7e4c6218fcfb546ce088cbd6b5087358a5e44bab9595df720e1a7490", "bb04cca5245d8ddda41a24339ab63e8519bffd83a2bbcf80e74c2945bd1420c5", "bf211d2a71ff102c2c4fc3d41afb7f9a4f46e37aea06b64d86cddca372438d44", "da42054f51ba5744d7b2be271b96bc220002a1c5dee7580c540746a6f8436dc5", "db9aee5dbbbee0194b7290ffb57f696b4053deaf255b7b0a43b93b77bd99c73e", "e17fd23c464f3e6d98bc63d70c7a7f5ecb5fcd09b1c3695a9b1ba2414ec79afd", "fe524f83dee8fb75e5cd30ebd62edb4810788df6b1a12431a0de44c109c37cdf"], "iocs": {"domain": [], "file": [{"path": "%System32%\\config\\SYSTEM"}, {"path": "%System32%\\config\\SOFTWARE.LOG1"}, {"path": "%ProgramData%\\Mozilla\\thfirxd.exe"}, {"path": "%ProgramData%\\Mozilla\\thfirxd.exe"}, {"path": "%System32%\\Tasks\\aybbmte"}, {"path": "%ProgramData%\\Mozilla\\lygbwac.dll"}, {"path": "%ProgramData%\\Mozilla\\lygbwac.dll"}, {"path": "%HOMEPATH%\\APPLIC~1\\Mozilla\\kvlcuie.dll"}, {"path": "%HOMEPATH%\\APPLIC~1\\Mozilla\\tfbkpde.exe"}, {"path": "%SystemRoot%\\Tasks\\kylaxsk.job"}], "ip": [{"ip": "216[.]218[.]206[.]69"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TREE\\AYBBMTE", "value_name": "Index"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS\\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}", 
"value_name": "Path"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TREE\\AYBBMTE", "value_name": "Id"}]}}, "Win.Malware.Vobfus-6919817-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.", "hashes": ["046c299741954c07ca5feab9039d7a7208c9e5dad3fca354041acdecab550cf9", "057d66787c6ee44bd9d8015f563c3b6e2eab4a83bfe2eee53e1b7d0006e0df84", "05f0f24b4fc446cf95fe3be015fe0f61908d1b5cbb1706a14c2e393886454f38", "0b5716a756064ebe398f0e164f8d7e0dd747ca50795e3624b5574fd78e92059d", "119bb2c3b038c70448cbb9a4a8f8eeed1071d2174f5d1907a01d348f1740927e", "1506a6d7439fab0a6b3c775fdde0627bacafa4760900c0f111edce4d55a03a50", "1bd8db7ee7413001573a689ae4ebcb29da7652717f35ecbd735a87f3d621586b", "272c48ac067319a1c8d51717c5f34b34ac4db4f970f9fccc5915d7bf77123ecb", "2bd2f27610560eea9d652b3b8c44225a4b66ef349350e53fff8b42406f74ad3d", "2dd8cc3597a6e411b7f258c2ecb78aacd54d9cadb3807997b2b00c1a4e07e178", "368d741aef2ab6e41a4696f5d28dee169580dfff4cc69a5946faaec3d14925bb", "3b6a66df8369ac8bf26e8402989d29534b7d7e1c7e460d970f50416e2afe5ffe", "40466788e57d5200867dcfd7a3f2c18004b8317c19a0528af585c537edfc1201", "4a67a46ce70cd36aab995cd0a04621a4050cac0488bab6c433efb1324c6b4513", "4b77f7be93f7a27a30a87f5d3fd611d54ead6b62a18a12dcfca3bd65f3081e86", "4cbbeba77a0e8af025aeb17352a36b6c75687a00827ecac1f9dfac206603ab52", "4ce11c03c2fd40bd58f7044d9bf17fce4118e31cc058113a8cb6d68b0fe2cbc7", "5312c2573551bf4ea733031528f4e79b8b1c675c2a05e4059c06cf9c2706b9e1", "5ebbf7f1ffdb7f5a5483ad26971c20bf7ffdea7fd1566260d6e4875ff9a477c1", 
"61707b56cec807908e713dd8acbcc2ee8b7359c9c3e8eb826e53fca3fa0de866", "62312807fa51f896940f2480b29a133365a146eccb5c5775faf886f3238b2f9a", "66c85f135b970fd774f2582202458bd083ecf71bc1f80cd195706d7b354bb601", "689860f079fe900589e3c70af6932587b44135439b48cde5462537008a9537f4", "6c863b2f65224fbc6d85702cf9cf48b120a851ec4c2f7e76b21c9c56b5427d82", "6fc3ab28e7177cf2ca67f6d3a945979b6bdce37eea446d21cef54181a673a35c", "759fccaa4165ab6f15ea745ee76519eedf3a492ad4c085db21eaa739dcedd3eb", "7e99b0108ebf100f4313590337b1e95439b7dacdcd8014b224e050e493a51a9a", "7fe1daf215424093a1d49576b3f5be1f83899146a0b3eacc3f1b64045bb11cda", "84edc50e0f9b5993711054f76f66978a44cdda4d8089f065678d328014f982ff", "8a16f4050eb53244e55cb3bcea546fb9275e9f1a95d78ec889eaf0c22403c329", "8a77c7c9d1b937c4e87b7503d03f2db47e7d348f315c3ccbe8c2794059d74b3e", "94a9368b31da3617124e7a017d6c3c3228c09fbd2f7adef76b9d3da8d3762d33", "959a9e6a413f5ed3602ab1f9645ae98604f19f84868bfa9385ac9322061e5b37", "98992046aa352a435136ecb6dd4c4a817134ba0a1c7b1e6b1bde70e5bbc78f45", "9a994b9420b922219f87f2fcfd19d4b7bfc4d19538e3df937b6e4d1808f71fb4", "9b0be1d4b6086e3f64e1d8203505e2b18692b6cf8675759953d9f362ba45a4f7", "9b4a14479440dbf5962ccdd738453e256d4ec74f817d0291f224cb6c082ab416", "9d7cbe52f87bcc11497da82fab54960f1eeb2db6ac082516fa722f6a4881454b", "a5aa1148501db1740f612a85c27e1b30f779b2673bd16cc31e510131a0276a5a", "a7e0b025f996f11437ad5a1ec61be910a696840f9bd03c2f83ce6415962c348e", "b47cdf145101ad20490cbb66c2a40429139d61980ed64a9df2f0d8b9db932b01", "b526615dc352c77bbc6b0ea96ccb93154d9dd141acc0dab18db154191360e262", "b75f82d73266f261cfc1c879ba728d39b6004a4a865378c199a0b1ee833dd04e", "b84883dab97378835f79e5482b8a97f495a45a54da45cd2261fb804c0caa5d59", "b9d0d9a35b50e7761816caedc8b6809c1c22a98267b994f3181f6544fe34bf5f", "bf1bcbd6fc1b711acaec7e6eb8666d3b7c91aee5bafc179f693fd4eaa68e9482", "c21fbdc9c602aa253b481d756fe957b04c277abd382b993d2e980b196ee3db5c", "c26e4358fe3139898070b5d01a419480b5d01a76237e672e8bcd428323155289", 
"cfee09659d8814aff9ae19c5ebead8eeb458fce666c4464c6968a6b2aeda3d36", "d02a8b459a6e20081e729ccad86c7511ff66ab04fb694937f301d25c0fa80b8b", "d1c367776b429d958c54de6c4d41de02b951343d326a1f82892ec4d2bd2bb545", "d46ca859275543dd988411d3415abec6349cca60c5b95dedfa1535cd805196d5", "d587d5bf65c0a5c3beb78415d352b971ec1fa5ddf11eefc18fde70e8114e3039", "d5cdfbc6415991af9526196842f9b8fe63a91b5b0b654aab36f08bbcc61668e0", "dc6a7e87bd28965366eb12b9b6c48228f68ddf66cc8c59cd4bdd79c0e4d541dd", "e19ebaf7a3869f5d4906e5d7de6e9596199c2abcfab5ac0943edfe4e611fec9a", "e2138ed8fabc4ae799e5ca5d9553e67963dac2a0e9d2d47b3bc9a043bd8e2259", "e3fd074a92bc5be32c4a37507331efdf6358a31cd84bef156f52142a54d08780", "ef5d90a2eac385848d20bf32eb945f0a216ad98966234174d5e2bfb7080a068d", "ef7b280581c8399d01930065c41231fdd0914c1396b7c972aa5ac80d34065622", "f3e9a1d034545f1bdef555fa8849cf411fe4a365b73d8ee2ee677aa439e8fa46", "f9821c99e8b0316b99bfbb25d4b5c3bf4bbff78f537f7dc8db543a228c99f525"], "iocs": {"domain": [{"host": "ns1[.]backdates1[.]net"}, {"host": "ns1[.]backdates2[.]com"}, {"host": "ns1[.]backdates4[.]com"}, {"host": "ns1[.]backdates2[.]net"}, {"host": "ns1[.]backdates11[.]com"}, {"host": "ns1[.]backdates17[.]com"}, {"host": "ns1[.]backdates8[.]com"}, {"host": "ns1[.]backdates15[.]com"}, {"host": "ns1[.]backdates3[.]net"}, {"host": "ns1[.]backdates1[.]com"}, {"host": "ns1[.]backdates3[.]com"}, {"host": "ns1[.]backdates5[.]com"}, {"host": "ns1[.]backdates1[.]org"}, {"host": "ns1[.]backdates9[.]com"}, {"host": "ns1[.]backdates10[.]com"}, {"host": "ns1[.]backdates16[.]com"}, {"host": "ns1[.]backdates1[.]net[.]example[.]org"}, {"host": "ns1[.]backdates15[.]com[.]example[.]org"}, {"host": "ns1[.]backdates4[.]com[.]example[.]org"}, {"host": "ns1[.]backdates9[.]com[.]example[.]org"}, {"host": "ns1[.]backdates8[.]com[.]example[.]org"}, {"host": "ns1[.]backdates11[.]com[.]example[.]org"}, {"host": "ns1[.]backdates17[.]com[.]example[.]org"}, {"host": "ns1[.]backdates2[.]net[.]example[.]org"}, {"host": 
"ns1[.]backdates16[.]com[.]example[.]org"}, {"host": "ns1[.]backdates3[.]com[.]example[.]org"}, {"host": "ns1[.]backdates10[.]com[.]example[.]org"}, {"host": "ns1[.]backdates3[.]net[.]example[.]org"}, {"host": "ns1[.]backdates1[.]com[.]example[.]org"}], "file": [{"path": "\\??\\E:\\autorun.inf"}, {"path": "%System32%\\winevt\\Logs\\System.evtx"}, {"path": "\\autorun.inf"}, {"path": "\\??\\E:\\System Volume Information.exe"}, {"path": "\\$RECYCLE.BIN.exe"}, {"path": "\\??\\E:\\$RECYCLE.BIN.exe"}, {"path": "\\Secret.exe"}, {"path": "\\??\\E:\\Passwords.exe"}, {"path": "\\??\\E:\\Porn.exe"}, {"path": "\\??\\E:\\Secret.exe"}, {"path": "\\??\\E:\\Sexy.exe"}, {"path": "\\??\\E:\\x.mpeg"}, {"path": "\\Passwords.exe"}, {"path": "\\Porn.exe"}, {"path": "\\Sexy.exe"}, {"path": "%HOMEPATH%\\Passwords.exe"}, {"path": "%HOMEPATH%\\Porn.exe"}, {"path": "%HOMEPATH%\\Sexy.exe"}, {"path": "%HOMEPATH%\\c\\Passwords.exe"}, {"path": "%HOMEPATH%\\c\\Porn.exe"}, {"path": "%HOMEPATH%\\c\\Secret.exe"}, {"path": "%HOMEPATH%\\c\\Sexy.exe"}, {"path": "%HOMEPATH%\\Secret.exe"}, {"path": "%HOMEPATH%\\c\\autorun.inf"}, {"path": "%HOMEPATH%\\seofuaj.exe"}, {"path": "%HOMEPATH%\\RCX9D65.tmp"}, {"path": "%HOMEPATH%\\RCX9DC4.tmp"}, {"path": "%HOMEPATH%\\RCX9E23.tmp"}, {"path": "%HOMEPATH%\\RCX9E91.tmp"}, {"path": "%HOMEPATH%\\RCX9EEF.tmp"}, {"path": "%HOMEPATH%\\RCX9F5E.tmp"}, {"path": "%HOMEPATH%\\c\\RCXAE6C.tmp"}, {"path": "%HOMEPATH%\\c\\RCXAEDA.tmp"}, {"path": "%HOMEPATH%\\c\\RCXAF39.tmp"}, {"path": "%HOMEPATH%\\c\\RCXAFA7.tmp"}, {"path": "%HOMEPATH%\\c\\RCXB015.tmp"}, {"path": "%HOMEPATH%\\c\\RCXB083.tmp"}, {"path": "\\??\\E:\\seofuaj.exe"}, {"path": "\\seofuaj.exe"}], "ip": [{"ip": "208[.]91[.]197[.]66"}], "mutex": [{"name": "local\\msctf.asm.mutexdefault1"}, {"name": "\\basenamedobjects\\a"}, {"name": "a"}], "registry": []}}, "Win.Malware.Zbot-6919277-0": {"category": "Malware", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, 
"Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing. The file, IP and scheduled-task IOCs listed for this entry overlap with those of Win.Malware.Barys-6919339-0 in this roundup (thfirxd.exe, lygbwac.dll, 216[.]218[.]206[.]69, task GUID {FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}), so matches on those artifacts alone should not be attributed to a specific family without the corresponding hash.", "hashes": ["19300406a8fedba8513085fa93004d3330024e3a97d685c34bf4404e15e9beea", "1d8005f6fecbb238db1b40e6cb7afc2baf323c0059883f0bb7b11c01c1067026", "276dab07147db188ff45e12e53ec462af42e1973a4687a2b2e3e9301c15db929", "2a0588520f7752424195cc36e6843d09ec850b6c7a41e966af58f3ebee8353c0", "33626a9cd5105d595872d76146629d1b440bb625383ac30f71c7f9ff369982f3", "35b7a37a7bd1ad371add7f0d3a3d9e3f9d8dc22894d0949c775f9eec5fd60104", "3832485cab5a4ea92c616b24bf79374a4999eb76119e2e14e40c7f693a71ea1c", "408f335dc58fa9fe44e16c4f76813c3cb6bca1821134cd3eaacc162787d74ee7", "424171b94775b10d108095adb1a29f3ee6b8918e2bc3e6b96d62ea8a9c2ff01a", "42c89f9e463771c6de93ecbd94210a7242234ca512ba2d68e4133e7835ce9f46", "466731dc06288c6288b2b306ecd2d457d23624b32dc8a6ba950f2344a4ec0228", "4e90c6ace53e3278aec3df081252e46b6d6f32e3786c862895fc724595bdfd09", "54f29401d5a69da03b8e1ed390e76a94b0967ae4859d885db5abd5a8632a8ce1", "58b1da3642367b1f8f80a018befaaeaa91ddbc0187d56f52c62eebeb06ac4291", "5c41aca107b6f288e5436c5722150e62845d594a89dd31de98865f87a1618880", "6ce10269595ec82e081472bddbdfd235086f6205dd836464e68c11b29b56a96c", "701fd08f2dcd10f75e462feaeedbc04c5d640d57e7203bfecf490c79b8da50ab", "795fb4569df188d5ce7ec1448d5088ffa7dc79bf60ea02e0fde15a2e8b4d0868", "79af5e9ff5b60e9ac555bf82c43d01b20d7a2d4faa85fff2651883cff52be4e8", "7dcde4f60dd8f1caf3c37047cbde35c00ff4c70d2bb6e33ac6811c0f2d0a7742", "84ab81138637667e9a304c70f6332d6e07a7fe01cada75b87501e1119654fe62", "88fd82e899034dfaeaf5fb3fa40ee31849e35dc781718119207c049a506d47b8", "8be6442f102a1a607ba44cb708e1b78c847a17d583e8caf673885613ac58eb35", "8d6f9213c8611b2d23dbe7ad43749c20332f35926c72eb71d4b8bc125b80730f", "8fe26438c3bd8257c7c09e13bcb06f049a65cdeef64fdf6260048b97c839c72c", 
"91929eb7c51e92f571918d20be872cb4fff592ec50aef8eb269367ae5e859544", "9316f6caea6bcc1f117e765cd1d6bfe1457685b99e164fcb6c004d54a88c0714", "94a2c2e5b62e4f0d727f149147044270a9b34b371a65005eeb383f6be6047920", "96e6b90cde4613abdb6d16c0de29788c8a6bea8cfa124cb3e9320e359410fa4e", "992ebf3b1eeaedc80a70d536eeaf6e6771744f0c17a80e61953d2afbe0c256c7", "9d11c134200356bd2399868b07e05f499dc90b261894a61ac8ed0eb6d001b8be", "9ee337f0211cc30ac3b828b25d08ea96d2991a736a4a1d58b06cfcf8b5dc5638", "a285472d94228e8252460d7d7eb6fd81101c58fc13e24c17e43d8e2b2684b657", "a7e30742a8c93795b742f44933fe92c34b54ee4bb2d8270d2c2b3187089f479a", "a8f001a731eaf1fae1c03e8700d87ab1a6d745b04f74ed3cead18c76b57a2e41", "a96611d91edf9c25e9bb1ed4e960b0a1e8b0579ff1fb970937a4555219455e94", "aa2ce4c94d5994c01dd34b9b281a3db51b015d986e477cec5e76b07934fe6757", "aaddac2cc555ed68e234c25c420cdf5dadbc34024a2f98a0e2669cfd866df519", "add9336d0b03af081e077ea4e7ece456c0a460f9e6b40880f26b2a848850e8e3", "af22e382cd8eecaa8d2312364937fed6a553fafbcead5a0c5f8678ce100c200d", "afc204e33ca2714107d4880109c1edee7570d2afae878fb90eee2bea9910ecf9", "afce08afaa94f333030125912198e311ed307b18447f768b2de661a472f9b776", "b090e7ef28b49b156a89363badffb4e6edc79a9f9fd3ce308736f1cf76dbe145", "b0cf6ae95460cdd23600c7fa6dafb0fdd2e76cb86879450314921f2ce8121b76", "b31d468ca40471406c214fb876e9a1b8abd328218ed29f55c134279d0522c165", "b51f3331c22980cf797a6a24e93f92362bf159d7b34aa83e07eeab44e93367ec", "b6d795c8e7a32c99ccd422f313d713979e5ed85c7492a99c0cc06357edf6341d", "b7b538f1b275df9282408e9f15f11cfd4ce8b84fc10815f4aef3c3b1361857ea", "b872611d070d5418b916a6a0c587becb602047a47618c5794d9cabbe48b0871d", "ba941774ff53337195c3b7d19739dd488945b99bd942176832cda4514196c2f0", "bbef48c74969128ce80c0a4a5fbf1ce481b09938fa3c3a02cd4932ca56e7a8ed", "bd66b7adc77716890cb01b4b1ac0459ebc33a247bcd7f42eec1398496afd9295", "bea0d5d420f0dca2319661f6d869140f0d77c42603bb0ecec3accd4c04f9dfba", "c1400d5634d2624a571c6c7d7d2c656943287fa3fd2ef741cd0b695a4e3187ac", 
"c2d8d7ed961336533bea55d9181a5c1ffee0f03c00af224778239f9864a73dea", "c3f87467a903cbc07f9d8060df582fdefa715499148511c1e6663273ff8b1c6f", "c6a8265f43ae7fa6e26fab9501130e6cfd7d26ef1a36ca7df10f28f94ea53293", "c6ab2866a1e64883e880be69b9d26f1d61950b540fd5f98d7849b75d3f005a03", "c766301e7b34b0a33e68a34b5b619c8a675f85d4062f192d996c7ccce855230b", "c84af67d43e308d8daba50dbadecfd03daf6b1fc520bc50f2def7ee8e78b416f", "cc88d695b98af080717c19a45442aa7c788a732a26c7054cb9d9703f0da3ced6", "cca4c47b4ae9df7ff63d70071f2f2f23f774ee48538d208bed1421f7ffc5ac78", "cf06548d2e7396d3fe16a6cba587a12edf86cee0dff69e68de9d25db7665fa74", "cf3d03d70ab423293f515c194394ba1683007e0888fbcd135df10a07f83e7865", "d15362cbc695cf58f6c5e0709d14ac3fd72167dbf1221c294b3b9eb026468a7d", "d15f0b9d339214b69410c3023f3fff161442370595349350097964817efcd27c", "d18b2dce57c9d04e80545c2411070e5b7eb208b22f6d38beb8ecea554631ecc2", "d3815f963385d5d50f198d72f0fbda8bb0baf5ded95a7f9a02bfeb21c6ae0e65", "d52d7459fb5f069c487a0570c6d17e5fd4fc3b4a63b8a60694a48782705e3bdb", "d59c9ea6b6c575705c514715e64670ceeba3f34a9cfd5e32c92d1117be156954", "d73c193cf74044208034332d22fa6fa1d3f44e236f59a194c574243577c6cb19", "d8d14dbbf587942f63b6bcba39ea528919ff54570e7975d29a1c6a03f2837fb3", "dbc82b60ffcce4009ca977cc17df0ccd3087613dff75a63ef70f67b95380ba0c", "e0e3e9034bfcae1c0ef2ff5697ddb45383a5bf5e722972b76ef8b544215f244e", "e3c6f0b9edc982a05c14d8753338aa8d4eb0be541e9c2e8961d95c34bcd90a74", "e7955c084f8c7c015e328e1b4e929196c226403199f1f7c3867359204231074f", "ec0fa35b49f8e94c91af3099f4d9d767d60df02d208ddc41372e81298271bb30", "ee3d826e01ecda373557ebb325bc9554c3225456d2ec62b46094fe46774b9828", "f0c713855e51cd050e55cc4e3b8a85b6a714d293874cbba1ea8f04e9f546881c", "f15340ad514fbc91a880e5f0feb79860d15d2ca8c5efcf2d741ba1b362df215e", "f369b08850b7ba034dabe51096fd7b9ad2aba4fd9cace1b8bf1b1fd178c473ee", "f37346727c41154d27b57a630ec34af7aac248eebe9a0e55e6132b967c39dd32", "f4dfef28c29cf2e128154d30a68e6999551e278ed45224ee1c829d713102d8d4", 
"f6a93864da24eba34c60d272e48afac219d3aee876d0531a564c4c08c884a095", "f6b63ecdc7ec4cedf51a691a5f4e19597e127db8b425c04e44c008436d470b63", "f8f2722aaff03528ef1c8da4a0d6b69b33dbed486ab323ca9d583282a530bd73", "f96e4d2f1e1757fcfaa757679c0c75b81e444dfc197a436454aa8f8c4ed063bc", "f98d2a516f380ea6649f258e56ebb29a9ad54c4ee6c9c87321ce8c3f3a4c9c88", "fb2e579aee532d03510bcd4daec26c51de28434b29bff46ae7c46f97e087bdbd", "fc6d888ac04c4d0802c284a59efb3d2e1b4f7af44c19777e3307fa605f8b85e9"], "iocs": {"domain": [], "file": [{"path": "%ProgramData%\\Mozilla\\thfirxd.exe"}, {"path": "%ProgramData%\\Mozilla\\lygbwac.dll"}, {"path": "%ProgramData%\\Mozilla\\lygbwac.dll"}, {"path": "%HOMEPATH%\\APPLIC~1\\Mozilla\\kvlcuie.dll"}, {"path": "%HOMEPATH%\\APPLIC~1\\Mozilla\\tfbkpde.exe"}], "ip": [{"ip": "216[.]218[.]206[.]69"}, {"ip": "116[.]255[.]235[.]9"}], "mutex": [], "registry": [{"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\COMPATIBILITYADAPTER\\SIGNATURES", "value_name": "aybbmte.job"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TASKS\\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}", "value_name": "Path"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\TREE\\AYBBMTE", "value_name": "Id"}]}}, "Win.Trojan.Emotet-6918815-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": true, "Threat Grid": true, "Umbrella": true, "WSA": true}, "description": "Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. 
Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.", "hashes": ["02a0a4800d92ba59432af6e47480ede2769bd53d7af7840ce9a8ee7097ae0003", "079dd41f7437110d28bbd3c0f6bacb2f0cd1b23cb899772e8c380124be044fac", "09ad52e3866b1cd1629f5206c38d968ed82977026dfa79f3f9313625fce9298c", "16969a648499623f5b6d61785673c445035bcfa90d4303b88b922d76e6d95728", "1ab5e8be2711179c75581141bdaacf4b1fbc1806806d73e53b94e2286e150569", "2ca9efb4e856be7af3bbaa2c22108ab30a0aa30203b5accdd2787f4d4bda0315", "337af19fb5a1403b332b77a5c6958387ba9150d225d32c6474d5807fb5e9c21c", "43e226bd92a81a17a2f73a0e9f2f0ea7dee5c7756a4a6d476483cdf456024fdf", "49116b29290b3878908d64fc78d1fc92c21f9add774c8a3b2e55e8763f8a8267", "503c9111d0fc0efb4a3290c977dd8f0f6cf4925de69bf644fbbdf03857ca1776", "521c964fe97018ae915a3762dbf31a2397f7c283a494f19671354d5a179dcf3a", "524622e92156fb4e155e18f820b2897f60b49b2e0533ed449ab99642b16ef887", "52f83952d33df5dea2440d6a0211c004a41b6543f64edc6b9428c2b55897d45b", "53523d8333a3e913bb53523269c22af0e38d26bae9f637f2617acef7dabab06e", "5353758894e7cfaee0376ac38e76a1c366b1d0ea19911affdd23f2cbdc12d020", "53c708d13bb6526de05446fdef04d9d9f183f825596c89cc92d8e7aced3acbd0", "53d075b5be564101c888a82187527845404a2df42e7ae774937f9630da98fc3a", "559028389697aa6b223920c69441d68dddf5c1d46d7be8b3fb0d23af183d477c", "5844365b389ab2865c1c032561da07954e1b8312a61fe612672d7c11aca908c9", "5971aaaa42335a059f017e6586776f5b5de40590b4e68dfca8124811e372300e", "64cffcac96694cf3ffce2b7ff2962176f0fea267093ea4970d2aac3d53038fea", "67f41f532423939b59a2f0b890028ec7b9de5ec71b7e8bd0a8aee7906101174b", "689685a2edd6b0cabc8ca0fcbcf39e53e4da57d65dfe0e2658964dfb8cca39dd", "6cfc0383c421992c8d4e0f8a9a13e705e67b1735ad71520eacc1351c9e8cdc14", "78a0a5844a1ca119d94bcaea5ac5b8e256f2711b76eaccdffd0089c18f079e2d", "794b06ae51b2a5e1b0b7e661d8e454f130c9eb520d75f46dd650019e5f7f3f70", "7f28f1902e0a0bc568feb3329ec67ec87796548a9b4926fff23e6b05a600ebf9", 
"84b16c943546b89aa339f05f67bda9a42fbb7e7f10eff8159b20e30cceeb42f8", "86adff8e999bdc00e0822b9473a3ce15ad4cf60948fe4201d1abdcabda0eb4a0", "881a64e978b8431e65304a867c2feb98023607ce8ba3f52e23c6a68968e606cd", "8bc0c5a8fdb3473f4209825d0a4423e17abd31967eb8c069f5f3701742c9e769", "8deabee7bd4658a671c626141ee30abddbace157af90ec04132c45155df6dd9f", "915dc60097ce7f422e899f6efda961be9a962c39151eaedc89ed449b395a894f", "945e00b3dbecc8d1b2fc6d10496f245ca62c058ad243e6073a1b555e6ac44804", "9492b87827af38d136b182ed0fdc1fe386754dc56dfc2fd2a591f8862ad77098", "952043337e3831f43b832d7deeae3bfd2566fc6c197f62df5271f91faa05ce63", "981717e3abbe0d3611cc94d53112ef2abd12e6f81ac139ee32cad5763f086ca0", "9f01c61392d0f4ff2a3f73edf19834fef507d4f9056eb7f1be413839cdb4d164", "9f3095a36b067e2d074407a95728796551cc4fb70f9028d95721d9b956ba2d4f", "a7169ace2b4d5189f4d65fc4911f83a24733cf5552cc9bfa0dc15b7efdff2032", "b084f12a12619ddec971ff9f1d6b216b5b10544fa5a3695195ee00416b72a496", "b72c96df1c8be8b6acf3f2e7d7209a9e01b22ea26b4c23ccd547b7fb848992ad", "c389dc63eed7969b79a1bc7233cce8f1b60ec2c294b42a4639837c317e59f5d5", "c54ddcb928ca9c952ba7e3e08f21566d43ef9e9a4a8fca52da4b6147ca63fc95", "c78ed1f1f26d7f6335493969dd15256c4fd5fd2b23c7cef18b352d45b0d258dd", "c8aade3603dd8dd76b9c62e793e707b60f10c1b86ea538d2121096fe85af7758", "c8fdf7ce4ed363ae984e339072a78a041222bc31b5fab2ea33836746fac23591", "ca8cafbe0385ed187cf67ff92f123b7dd61578c8960cacec19f5b8b1a9193ad1", "cf609e298adf893fd7aeaca77a2502e63b4af51ab4d8c173ffc45477e8803385", "d48cc9f951046c42c6b58d2f49b7252857a9558b0c2e7f1998f4a06d457aca4d", "dd3337b28a67a044fa0886e98d3ee18d869aca9811ea81050eb2be5bdc54e6dc", "df30194f73845626deb8af5c369f693c53a849838a35f5641a9fc312a2a77a54", "e0c643bc306b59b5fff2d024eadd9f6d34be0b7f21d489c28efddee196d29860", "e2b464b83f298533c870c978391de41c82a739c04130dce889ecb019f423528e", "e3fb8a6f55e80e34f524a0427a9fa51399ad7cd037035e4cbf2426f900e5c120", "e9ab3d7ed8db21b59fbe0c54ef55bd0950ce622eafb2c2275cd4877299de00fe", 
"ec8ee6e99a27fdff33e9eb27794917862915dfd53d320338e0f4aebb14a309be", "ec9ed1238e11fd80b5b8d016d43efdb102628f6a1a75cadd1af84f24a995f07b", "ed2bb88774f67cf457a2e267d685ff67936ef30fd1614a67c1e3037f12abb86c", "f4a22102980626517e68873f6a206d8807a27d742b7981394a4e759df74e9c33", "fbd0832847a2c23cbb42258aa6690848aa0837721c3dacf011120d3ad1d73f79"], "iocs": {"domain": [{"host": "imap[.]1and1[.]co[.]uk"}, {"host": "mail[.]gmail[.]com"}, {"host": "imap[.]gmail[.]com"}, {"host": "smtp[.]secureserver[.]net"}, {"host": "pop[.]1and1[.]com"}, {"host": "smtp[.]1and1[.]es"}, {"host": "MAIL[.]GMAIL[.]COM"}, {"host": "mail[.]1and1[.]co[.]uk"}, {"host": "smtp[.]live[.]com"}, {"host": "smtp[.]mail[.]com"}, {"host": "pop[.]secureserver[.]net"}, {"host": "mail[.]secureserver[.]net"}, {"host": "pop3[.]telkomsa[.]net"}, {"host": "imap[.]secureserver[.]net"}, {"host": "secure[.]emailsrvr[.]com"}, {"host": "mail[.]multisistemas[.]com[.]mx"}, {"host": "pop[.]infinitummail[.]com"}, {"host": "smtp[.]mail[.]yahoo[.]com"}, {"host": "smtp[.]telkomsa[.]net"}, {"host": "outlook[.]office365[.]com"}, {"host": "smtpout[.]secureserver[.]net"}, {"host": "imap[.]comcast[.]net"}, {"host": "smtp[.]vodamail[.]co[.]za"}, {"host": "smtp[.]orange[.]fr"}, {"host": "imap[.]mail[.]com"}, {"host": "mail[.]biz[.]rr[.]com"}, {"host": "pop[.]biz[.]rr[.]com"}, {"host": "correoweb[.]iess[.]gob[.]ec"}, {"host": "smtp[.]roadrunner[.]com"}, {"host": "mail[.]basculasmagnino[.]com[.]ar"}, {"host": "smtp[.]infinitummail[.]com"}, {"host": "smtp[.]windstream[.]net"}, {"host": "smtp[.]shaw[.]ca"}, {"host": "correo[.]movistarcloud[.]com[.]ve"}, {"host": "smtp[.]arnet[.]com[.]ar"}, {"host": "pop[.]broadband[.]rogers[.]com"}, {"host": "pop[.]hostcentric[.]com"}, {"host": "smtp[.]arnetbiz[.]com[.]ar"}, {"host": "smtp[.]broadband[.]rogers[.]com"}, {"host": "gator4126[.]hostgator[.]com"}, {"host": "mail[.]dotster[.]com"}, {"host": "adinet[.]com[.]uy"}, {"host": "mail[.]mi[.]com[.]co"}, {"host": "imap[.]bell[.]net"}, {"host": 
"pop[.]everyone[.]net"}, {"host": "mail[.]chikool[.]cl"}, {"host": "smtp[.]mailplug[.]co[.]kr"}, {"host": "royalmabati[.]com"}, {"host": "mail[.]infovia[.]com[.]ar"}, {"host": "mail[.]pomonatowing[.]co[.]za"}, {"host": "mail[.]tmmchealthcare[.]com"}, {"host": "mail[.]interdns[.]co[.]uk"}, {"host": "mail[.]hazari[.]com[.]pk"}, {"host": "smtp[.]tesapparel[.]com"}, {"host": "mail[.]empresasjayir[.]cl"}, {"host": "mail[.]serbanc[.]cl"}, {"host": "mail[.]shineaccesorios[.]com[.]ar"}, {"host": "mail[.]teambuildingempresarial[.]com"}, {"host": "smtp[.]berabevudigital[.]com[.]ar"}, {"host": "mail[.]conduto[.]com"}, {"host": "gator4216[.]hostgator[.]com"}, {"host": "smtp[.]terra[.]com[.]mx"}, {"host": "webmail[.]carbonesdesantander[.]com"}, {"host": "smtp[.]mail[.]yahoo[.]com[.]ar"}, {"host": "correo2[.]redynet[.]com[.]ar"}, {"host": "mail[.]freightlineroftoledo[.]com"}, {"host": "mail[.]ebmworld[.]cu"}, {"host": "smtp[.]dreamhost[.]com"}, {"host": "p3plcpnl0728[.]prod[.]phx3[.]secureserver[.]net"}, {"host": "mail[.]oxigenoshoes[.]com[.]ar"}, {"host": "newmaq[.]com[.]bo"}, {"host": "sintcom[.]com[.]mx"}, {"host": "mail[.]inttegrain[.]com[.]mx"}, {"host": "email8[.]luxsci[.]com"}, {"host": "pop[.]itcsa[.]net"}, {"host": "mail[.]grupodemejoracontinua[.]com[.]mx"}, {"host": "mail[.]dtpressnorte[.]com[.]ar"}, {"host": "pop[.]cbacontadores[.]com[.]uy"}, {"host": "gator4012[.]hostgator[.]com"}, {"host": "mail[.]ahesan[.]com[.]mx"}, {"host": "mail2[.]isysa[.]com[.]mx"}, {"host": "mail[.]peltier[.]net"}, {"host": "pop[.]moorwaymanagement[.]com"}, {"host": "mail[.]ykkip[.]com"}, {"host": "mail[.]refridcol[.]com"}, {"host": "mail[.]digosaautopartes[.]com[.]mx"}, {"host": "mail[.]merzey[.]com"}, {"host": "pop[.]icon1[.]ca"}, {"host": "mail[.]cablenettv[.]com[.]ar"}, {"host": "mail[.]petrovalle[.]com[.]ar"}, {"host": "md-ht-2[.]webhostbox[.]net"}, {"host": "iceschool[.]com[.]pe"}, {"host": "imap[.]europe[.]secureserver[.]net"}, {"host": "mail[.]hblseguros[.]com[.]co"}, {"host": 
"mail[.]bell[.]net"}, {"host": "mail[.]listo[.]com[.]co"}, {"host": "pop[.]mcargo[.]net"}, {"host": "mail[.]heyas[.]com[.]ar"}, {"host": "mail[.]sedicomsa[.]com"}, {"host": "filter1[.]nsbasicmail[.]com"}, {"host": "mail[.]iphsa[.]com[.]mx"}, {"host": "mail[.]seproacr[.]com"}, {"host": "pop[.]startlogic[.]com"}, {"host": "cowealth[.]com[.]tw"}, {"host": "mailbox[.]carrossierprocolor[.]com"}, {"host": "mail[.]enviro5[.]com"}, {"host": "grupomycasa[.]com"}, {"host": "mail[.]cssialtda[.]com"}, {"host": "mail[.]diligroup[.]com"}, {"host": "mail[.]salon53[.]mx"}, {"host": "imap[.]tiendasenforma[.]com"}, {"host": "pop3[.]sld[.]cu"}, {"host": "smtp[.]ipv4networks[.]net"}, {"host": "mail[.]navarac[.]com"}, {"host": "gator3161[.]hostgator[.]com"}, {"host": "mail[.]ramasa[.]com[.]mx"}, {"host": "mail[.]tradequimsa[.]com"}, {"host": "pop[.]premium-soft[.]com"}, {"host": "mail[.]comodoro[.]coop"}, {"host": "mail[.]distribuidoralamaro[.]com"}, {"host": "mail[.]gaiasrl[.]com[.]ar"}, {"host": "server1[.]cosefa[.]com[.]ar"}, {"host": "lamallorquina[.]com[.]uy"}, {"host": "mail[.]dycindustrial[.]cl"}, {"host": "mail[.]ibs[.]mx"}, {"host": "MAIL[.]BELL[.]NET"}, {"host": "mail[.]kinderland[.]com[.]ar"}, {"host": "mail[.]metropolitainerefrigeration[.]com"}, {"host": "frbb[.]utn[.]edu[.]ar"}, {"host": "mail[.]manchesterdental[.]co[.]uk"}, {"host": "p3plcpnl0515[.]prod[.]phx3[.]secureserver[.]net"}, {"host": "mail[.]lodis[.]cl"}, {"host": "mail[.]lionquick[.]com"}, {"host": "eclipse[.]websitewelcome[.]com"}], "file": [{"path": "%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat"}, {"path": "%SystemRoot%\\SysWOW64\\kyGqvfpU.exe"}], "ip": [{"ip": "212[.]227[.]15[.]158"}, {"ip": "72[.]167[.]238[.]29"}, {"ip": "216[.]40[.]42[.]5"}, {"ip": "74[.]208[.]5[.]5"}, {"ip": "74[.]208[.]5[.]15"}, {"ip": "196[.]25[.]211[.]150"}, {"ip": "97[.]74[.]135[.]10"}, {"ip": "173[.]201[.]192[.]158"}, {"ip": "67[.]195[.]228[.]95"}, {"ip": 
"192[.]211[.]51[.]147"}, {"ip": "74[.]6[.]141[.]43"}, {"ip": "74[.]202[.]142[.]72"}, {"ip": "184[.]106[.]54[.]10"}, {"ip": "173[.]201[.]193[.]101"}, {"ip": "196[.]11[.]146[.]149"}, {"ip": "193[.]252[.]22[.]84"}, {"ip": "64[.]98[.]36[.]5"}, {"ip": "74[.]6[.]137[.]75"}, {"ip": "173[.]194[.]204[.]108"}, {"ip": "64[.]90[.]62[.]162"}, {"ip": "107[.]6[.]16[.]19"}, {"ip": "208[.]84[.]244[.]49"}, {"ip": "69[.]168[.]106[.]36"}, {"ip": "74[.]208[.]5[.]13"}, {"ip": "107[.]14[.]166[.]78"}, {"ip": "173[.]201[.]192[.]101"}, {"ip": "212[.]227[.]15[.]138"}, {"ip": "40[.]97[.]124[.]18"}, {"ip": "107[.]14[.]166[.]72"}, {"ip": "65[.]254[.]228[.]100"}, {"ip": "74[.]202[.]142[.]71"}, {"ip": "190[.]95[.]221[.]182"}, {"ip": "200[.]58[.]118[.]149"}, {"ip": "190[.]226[.]40[.]3"}, {"ip": "200[.]24[.]13[.]80"}, {"ip": "18[.]211[.]9[.]206"}, {"ip": "64[.]250[.]117[.]68"}, {"ip": "200[.]45[.]191[.]16"}, {"ip": "69[.]156[.]240[.]33"}, {"ip": "64[.]59[.]136[.]142"}, {"ip": "89[.]19[.]2[.]235"}, {"ip": "192[.]185[.]4[.]138"}, {"ip": "64[.]85[.]73[.]16"}, {"ip": "200[.]50[.]175[.]25"}, {"ip": "200[.]40[.]31[.]18"}, {"ip": "209[.]249[.]170[.]98"}, {"ip": "65[.]182[.]102[.]90"}, {"ip": "200[.]58[.]113[.]90"}, {"ip": "173[.]203[.]187[.]187"}, {"ip": "52[.]96[.]38[.]82"}, {"ip": "31[.]172[.]86[.]183"}, {"ip": "186[.]64[.]119[.]135"}, {"ip": "192[.]185[.]16[.]118"}, {"ip": "50[.]87[.]144[.]197"}, {"ip": "190[.]96[.]118[.]53"}, {"ip": "67[.]241[.]81[.]253"}, {"ip": "154[.]0[.]163[.]40"}, {"ip": "174[.]136[.]30[.]150"}, {"ip": "190[.]15[.]222[.]14"}, {"ip": "200[.]58[.]110[.]122"}, {"ip": "205[.]204[.]67[.]142"}, {"ip": "158[.]69[.]99[.]42"}, {"ip": "162[.]144[.]71[.]101"}, {"ip": "74[.]205[.]78[.]113"}, {"ip": "121[.]78[.]246[.]33"}, {"ip": "200[.]58[.]123[.]107"}, {"ip": "201[.]220[.]211[.]7"}, {"ip": "173[.]0[.]129[.]16"}, {"ip": "190[.]224[.]160[.]116"}, {"ip": "200[.]107[.]202[.]6"}, {"ip": "188[.]165[.]208[.]226"}, {"ip": "66[.]96[.]134[.]1"}, {"ip": "103[.]15[.]48[.]91"}, {"ip": 
"50[.]23[.]248[.]182"}, {"ip": "179[.]60[.]208[.]2"}, {"ip": "192[.]185[.]107[.]140"}, {"ip": "192[.]185[.]90[.]238"}, {"ip": "108[.]179[.]234[.]88"}, {"ip": "162[.]241[.]2[.]35"}, {"ip": "192[.]185[.]185[.]176"}, {"ip": "108[.]167[.]189[.]42"}, {"ip": "108[.]167[.]160[.]249"}, {"ip": "59[.]124[.]1[.]19"}, {"ip": "192[.]185[.]184[.]94"}, {"ip": "192[.]185[.]26[.]156"}, {"ip": "108[.]167[.]181[.]188"}, {"ip": "192[.]185[.]2[.]182"}, {"ip": "98[.]136[.]96[.]84"}, {"ip": "207[.]249[.]74[.]109"}, {"ip": "83[.]170[.]124[.]82"}, {"ip": "159[.]203[.]163[.]219"}, {"ip": "184[.]150[.]200[.]201"}, {"ip": "50[.]87[.]150[.]177"}, {"ip": "190[.]107[.]22[.]116"}, {"ip": "66[.]195[.]202[.]115"}, {"ip": "69[.]16[.]228[.]14"}, {"ip": "66[.]96[.]147[.]110"}, {"ip": "190[.]124[.]215[.]2"}, {"ip": "50[.]87[.]59[.]65"}, {"ip": "187[.]157[.]85[.]132"}, {"ip": "200[.]119[.]246[.]201"}, {"ip": "96[.]116[.]224[.]179"}, {"ip": "69[.]175[.]31[.]212"}, {"ip": "188[.]121[.]52[.]82"}, {"ip": "200[.]58[.]110[.]40"}, {"ip": "69[.]61[.]0[.]198"}, {"ip": "50[.]62[.]176[.]244"}, {"ip": "104[.]236[.]244[.]101"}, {"ip": "67[.]222[.]2[.]148"}, {"ip": "14[.]49[.]39[.]215"}, {"ip": "192[.]185[.]37[.]19"}, {"ip": "162[.]217[.]70[.]59"}, {"ip": "192[.]185[.]190[.]90"}, {"ip": "192[.]185[.]136[.]209"}, {"ip": "192[.]185[.]76[.]191"}, {"ip": "192[.]185[.]129[.]8"}, {"ip": "192[.]254[.]185[.]112"}, {"ip": "192[.]185[.]4[.]23"}, {"ip": "66[.]96[.]147[.]103"}, {"ip": "108[.]163[.]221[.]2"}, {"ip": "190[.]11[.]243[.]146"}, {"ip": "66[.]71[.]241[.]102"}, {"ip": "212[.]83[.]168[.]160"}, {"ip": "62[.]210[.]127[.]136"}, {"ip": "50[.]62[.]176[.]42"}, {"ip": "64[.]26[.]60[.]221"}, {"ip": "67[.]225[.]221[.]173"}, {"ip": "67[.]241[.]81[.]253"}, {"ip": "190[.]96[.]118[.]53"}], "mutex": [{"name": "global\\i98b68e3c"}, {"name": "global\\m98b68e3c"}, {"name": "\\basenamedobjects\\global\\m3c28b0e4"}, {"name": "\\basenamedobjects\\global\\i3c28b0e4"}], "registry": [{"key": 
"\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC\\PARAMETERS\\PORTKEYWORDS\\DHCP", "value_name": "Collection"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\NETBT\\PARAMETERS", "value_name": "DhcpScopeID"}, {"key": "\\LOCAL SETTINGS\\MUICACHE\\3E\\52C64B7E", "value_name": "LanguageList"}, {"key": "\\SYSTEM\\CONTROLSET001\\CONTROL\\NETWORK\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\\CONNECTION", "value_name": "PnpInstanceID"}, {"key": "\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad", "value_name": null}, {"key": "\\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\\DEFAULTOBJECTSTORE\\IndexTable", "value_name": null}, {"key": "\\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\\DEFAULTOBJECTSTORE", "value_name": "_CurrentObjectId_"}, {"key": "\\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\\DEFAULTOBJECTSTORE\\LRULIST", "value_name": "CurrentLru"}, {"key": "\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\SOURCEBULK", "value_name": "Type"}, {"key": "\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\5A-54-99-D2-86-6F", "value_name": "WpadDecisionReason"}, {"key": "\\SOFTWARE\\Microsoft\\ESENT\\Process\\guiddefribbon\\DEBUG", "value_name": null}]}}, "Win.Trojan.Winwebsec-6918829-0": {"category": "Trojan", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Winwebsec is a trojan that masquerades as legitimate antivirus software, alerting users to nonexistent threats. It disables Windows Defender and Windows System Restore. 
It also may block users from accessing websites or programs until they buy the \"antivirus\" software.", "hashes": ["04311b0a06d95014390434149f1dae9f1c8e399e678fe80903d515501b4ac04a", "0ee9b85dd0d097210d138ac73b5687d8de17e4880131360a258295b0ece85006", "35512788e3ec6bf939840d6ac94191b7976b4309bb26bf91eb00b461beb29ad3", "420a929f0ce0a6194d82a41b1674f2e2fbc78278c0723c37a2bcd038aa997301", "4ce41686ffaea1f9c80d2bbe00bbbe0a1da864a038a0a48066f209bbc98cb969", "520eefe6fde2fe435b885080259ae7357c291de05c7d3df8ae69095e48a1ca1d", "73208a63a25abaec555e1621f991b167ccd40eac8b06d330fd2642d157d028d1", "7340137319da76ae915a176658a9f577847aac97908d2ab1edaa289c092f8954", "b34930cdd050eb0968301ec594091dd714f516547bc41f37390031655f282577", "b7192f768a639280169016309758dd5e4d5be76a96850b7eab52c25198ecdafa", "e639df0b0afa8a5fafd40064339d75b7098de98068ed9b9d1e20da9e3649d25e"], "iocs": {"domain": [{"host": "www[.]w3[.]org"}], "file": [{"path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Live Security Platinum"}, {"path": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Live Security Platinum\\Live Security Platinum.lnk"}, {"path": "%HOMEPATH%\\Desktop\\Live Security Platinum.lnk"}, {"path": "%ProgramData%\\529C532D212C2CDD00000399B4EB2331"}, {"path": "%ProgramData%\\529C532D212C2CDD00000399B4EB2331\\529C532D212C2CDD00000399B4EB2331.exe"}, {"path": "%ProgramData%\\529C532D212C2CDD00000399B4EB2331\\529C532D212C2CDD00000399B4EB2331"}, {"path": "%ProgramData%\\5A4ED6CB212C2CDD0000F04ED151FC4E\\5A4ED6CB212C2CDD0000F04ED151FC4E"}, {"path": "%ProgramData%\\5A4ED6CB212C2CDD0000F04ED151FC4E\\5A4ED6CB212C2CDD0000F04ED151FC4E.exe"}], "ip": [{"ip": "116[.]255[.]235[.]9"}], "mutex": [{"name": "local\\zonescachecountermutex"}, {"name": "local\\zoneslockedcachecountermutex"}, {"name": "local\\msctf.asm.mutexdefault1"}, {"name": "dbwinmutex"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_1024.db!dfmaintainer"}, {"name": 
"global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_256.db!dfmaintainer"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_32.db!dfmaintainer"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_96.db!dfmaintainer"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_idx.db!thumbnailcacheinit"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_idx.db!rwreaderrefs"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_idx.db!rwwritermutex"}, {"name": "global\\c::users:administrator:appdata:local:microsoft:windows:explorer:thumbcache_sr.db!dfmaintainer"}, {"name": "539d542e222d2dde0101049ab5ec2432"}, {"name": "..mtx"}, {"name": "529c532d212c2cdd00000399b4eb2331"}, {"name": "56a05731253030e10404079db8ef2735"}, {"name": "57a15832263131e20505089eb9f02836"}, {"name": "5aa45b35293434e508080ba1bcf32b39"}, {"name": "\\basenamedobjects\\5b4fd7cc222d2dde0101f14fd252fd4f"}, {"name": "\\basenamedobjects\\5a4ed6cb212c2cdd0000f04ed151fc4e"}], "registry": [{"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", "value_name": null}, {"key": "\\LOCAL SETTINGS\\MUICACHE\\3E\\52C64B7E", "value_name": "LanguageList"}, {"key": "\\SYSTEM\\CONTROLSET001\\CONTROL\\NETWORK\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\\CONNECTION", "value_name": "PnpInstanceID"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\CONTENT", "value_name": "CachePrefix"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\COOKIES", "value_name": "CachePrefix"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\HISTORY", "value_name": "CachePrefix"}, {"key": 
"\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS", "value_name": "ProxyEnable"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP", "value_name": "AutoDetect"}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2", "value_name": null}, {"key": "\\Software", "value_name": null}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER", "value_name": "AntiVirusOverride"}, {"key": "\\SOFTWARE\\WOW6432NODE\\Microsoft", "value_name": null}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\ENUM\\WPDBUSENUMROOT\\UMB\\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#", "value_name": "CustomPropertyHwIdKey"}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\svc", "value_name": null}, {"key": "\\System\\CurrentControlSet\\Services\\luafv", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\Live Security Platinum", "value_name": null}, {"key": "\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SYSTEMRESTORE", "value_name": "RPSessionInterval"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\LUAFV", "value_name": "Start"}, {"key": "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "value_name": null}]}}, "Win.Virus.Expiro-6918982-0": {"category": "Virus", "coverage": {"AMP": true, "CWS": true, "Cloudlock": false, "Email Security": true, "Network Security": false, "Threat Grid": true, "Umbrella": false, "WSA": false}, "description": "Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.", "hashes": 
["57d65c0c068da7ec72e8c9ba0c6f9a354917bae5127f55de1635a6d5d471d60b", "6e16f59631c0382f8902123e8f021656235724d3b76ec33913dcd813f567df4e", "a9a42f7c8d67d59137bcdb813ff2c92277fcf778599e349062be332960b91c62", "ad6d8581a541cc8622b132e171627324d8e02c4ba2a3804e0f6763d336207a01", "ad73a287c879b1ac9605f5889064373e95f3db526e98c3349a48d63c549c23c2", "b0aa80111d23dd578815c935aa529f30a5f10b38e6ef799a402f7819bb077d89", "b21649f76ec9cce8d3937f512c8d9a841979d1b90cb3f24ca2eb1a0d97c615f0", "b9e9f61ba07393c6da51ea20c3764b0088f0fc9cfc6be99d355fe1f5aec82f8f", "ba649d6fbcade5b73b2a761f4d40702c2a21195fed22285213959abebd818833", "c11d1f5a9c5056c439ddfef99150dd0a817c728c73dbcee9d80956389164b9d0", "c56268667843181e7aad8cb849496a530be0a7916cfda65e34942bb8e0b909bd", "c7f0f4fde7c85f456e95bfdbe2a5ab25f07a8e749c11e62b8be2e56587d9ebaf", "c9785ee70ca68ac41cb78fd83e37fc33837c10d3d82ad2188b2554ef14c2a345", "cc7f00cab330786e2de92e1fb3b36baed5868da2f66744d9d058072e9b5587b9", "d7d5248e70e3ebfd772783ef78f22d7843596fda42231659373827504ce9ca2b", "dc78031890299fa4a8ee415a90ed95a79dc060a2a55342d7d60da8c468bf5288", "dd198d756ce002a3eab75e4faedb6e48cfd27032ad4e9f4643f454b613b616dc", "ee3c63c6c9d0c5887b22a820d1b97b44ec97ee212f819d9ad478a6846e6a5f87", "faab282b345611411cbe53e35c94f2c56c9314bb4211a20ebfb6b17d85366cf4", "fac8e1f9ef6b06eff6e7ec4a5c088644f21f82882daf674e27e699fa9563357b", "ffb30a4ba399b607cb0b72fc67353a75609c28f66c73d41cc5f13fecc8f400c1"], "iocs": {"domain": [], "file": [{"path": "\\srvsvc"}, {"path": "%APPDATA%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\Preferred"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe"}, {"path": "%CommonProgramFiles%\\Microsoft 
Shared\\OFFICE14\\MSOXMLED.EXE"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.exe"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\javaw.exe"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\javaws.exe"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\unpack200.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\jabswitch.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\java.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javacpl.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javaw.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javaws.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\jp2launcher.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\ssvagent.exe"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\unpack200.exe"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\ConvertInkStore.exe"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\InputPersonalization.exe"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\ShapeCollector.exe"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\TabTip.exe"}, {"path": "%ProgramFiles%\\DVD Maker\\DVDMaker.exe"}, {"path": "%ProgramFiles%\\Internet Explorer\\ieinstal.exe"}, {"path": "%CommonProgramFiles(x86)%\\microsoft shared\\source engine\\ose.exe"}, {"path": "%ProgramFiles(x86)%\\microsoft office\\office14\\groove.exe"}, {"path": "%ProgramFiles(x86)%\\mozilla maintenance service\\maintenanceservice.exe"}, {"path": "%CommonProgramFiles%\\microsoft shared\\officesoftwareprotectionplatform\\osppsvc.exe"}, {"path": "%SystemRoot%\\ehome\\ehsched.exe"}, {"path": "%SystemRoot%\\microsoft.net\\framework64\\v2.0.50727\\mscorsvw.exe"}, {"path": "%SystemRoot%\\microsoft.net\\framework64\\v4.0.30319\\mscorsvw.exe"}, {"path": "%SystemRoot%\\microsoft.net\\framework\\v2.0.50727\\mscorsvw.exe"}, {"path": 
"%SystemRoot%\\microsoft.net\\framework\\v4.0.30319\\mscorsvw.exe"}, {"path": "%System32%\\alg.exe"}, {"path": "%System32%\\dllhost.exe"}, {"path": "%System32%\\fxssvc.exe"}, {"path": "%System32%\\ieetwcollector.exe"}, {"path": "%System32%\\msdtc.exe"}, {"path": "%System32%\\msiexec.exe"}, {"path": "%System32%\\snmptrap.exe"}, {"path": "%System32%\\sppsvc.exe"}, {"path": "%System32%\\ui0detect.exe"}, {"path": "%System32%\\vds.exe"}, {"path": "%System32%\\vssvc.exe"}, {"path": "%System32%\\wbem\\wmiApsrv.exe"}, {"path": "%System32%\\wbengine.exe"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\mip.exe"}, {"path": "%System32%\\FXSSVC.exe"}, {"path": "%System32%\\UI0Detect.exe"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.lock"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngenservicelock.dat"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\ngenrootstorelock.dat"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\ngenservicelock.dat"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe"}, {"path": "%ProgramFiles%\\Internet Explorer\\ielowutil.exe"}, {"path": "%SystemRoot%\\Registration\\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\ngenservicelock.dat"}, {"path": "%ProgramFiles%\\Internet Explorer\\iexplore.exe"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.vir"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.vir"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.vir"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\OFFICE14\\MSOXMLED.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\VSTO\\10.0\\VSTOInstaller.vir"}, {"path": 
"%CommonProgramFiles%\\Microsoft Shared\\ink\\ConvertInkStore.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\ShapeCollector.vir"}, {"path": "%ProgramFiles%\\DVD Maker\\DVDMaker.vir"}, {"path": "%ProgramFiles%\\Internet Explorer\\ieinstal.vir"}, {"path": "%ProgramFiles%\\Internet Explorer\\ielowutil.vir"}, {"path": "%ProgramFiles%\\Internet Explorer\\iexplore.vir"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\java.vir"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\javaw.vir"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\javaws.vir"}, {"path": "%ProgramFiles%\\Java\\jre6\\bin\\unpack200.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\jabswitch.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\java.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javacpl.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javaw.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\javaws.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\jp2launcher.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\ssvagent.vir"}, {"path": "%ProgramFiles%\\Java\\jre7\\bin\\unpack200.vir"}, {"path": "%CommonProgramFiles(x86)%\\microsoft shared\\source engine\\ose.vir"}, {"path": "%ProgramFiles(x86)%\\microsoft office\\office14\\groove.vir"}, {"path": "%ProgramFiles(x86)%\\mozilla maintenance service\\maintenanceservice.vir"}, {"path": "%SystemRoot%\\ehome\\ehsched.vir"}, {"path": "%SystemRoot%\\microsoft.net\\framework64\\v2.0.50727\\mscorsvw.vir"}, {"path": "%SystemRoot%\\microsoft.net\\framework\\v2.0.50727\\mscorsvw.vir"}, {"path": "%SystemRoot%\\microsoft.net\\framework\\v4.0.30319\\mscorsvw.vir"}, {"path": "%System32%\\alg.vir"}, {"path": "%System32%\\dllhost.vir"}, {"path": "%System32%\\fxssvc.vir"}, {"path": "%System32%\\ieetwcollector.vir"}, {"path": "%System32%\\msiexec.vir"}, {"path": "%System32%\\snmptrap.vir"}, {"path": "%System32%\\ui0detect.vir"}, {"path": "%System32%\\vds.vir"}, {"path": "%System32%\\vssvc.vir"}, {"path": "%System32%\\wbem\\wmiApsrv.vir"}, {"path": 
"%System32%\\wbengine.vir"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.vir"}, {"path": "\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.vir"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.vir"}, {"path": "\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\osppsvc.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\TabTip.vir"}, {"path": "%CommonProgramFiles%\\Microsoft Shared\\ink\\mip.vir"}, {"path": "%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.vir"}, {"path": "%System32%\\msdtc.vir"}, {"path": "%System32%\\msiexec.vir"}, {"path": "%System32%\\sppsvc.vir"}, {"path": "%SystemRoot%\\Registration\\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C0F5CDA5-94A5-411C-9D50-E0AEC7EA25A6}.crmlog"}, {"path": "%APPDATA%\\Microsoft\\Protect\\S-1-5-21-2580483871-590521980-3826313501-500\\29a1f50d-6e60-4de9-b56c-1a6439e5baa1"}], "ip": [], "mutex": [{"name": "global\\loadperf_mutex"}, {"name": "asp.net_perf_library_lock_pid_640"}, {"name": "bits_perf_library_lock_pid_640"}, {"name": "esent_perf_library_lock_pid_640"}, {"name": "lsa_perf_library_lock_pid_640"}, {"name": "msdtc bridge 3.0.0.0_perf_library_lock_pid_640"}, {"name": "msdtc bridge 4.0.0.0_perf_library_lock_pid_640"}, {"name": "msdtc_perf_library_lock_pid_640"}, {"name": "outlook_perf_library_lock_pid_640"}, {"name": "perfdisk_perf_library_lock_pid_640"}, {"name": "perfnet_perf_library_lock_pid_640"}, {"name": "perfos_perf_library_lock_pid_640"}, {"name": "perfproc_perf_library_lock_pid_640"}, {"name": "remoteaccess_perf_library_lock_pid_640"}, {"name": "smsvchost 3.0.0.0_perf_library_lock_pid_640"}, {"name": "smsvchost 4.0.0.0_perf_library_lock_pid_640"}, {"name": "servicemodelendpoint 3.0.0.0_perf_library_lock_pid_640"}, {"name": "servicemodeloperation 3.0.0.0_perf_library_lock_pid_640"}, 
{"name": "servicemodelservice 3.0.0.0_perf_library_lock_pid_640"}, {"name": "spooler_perf_library_lock_pid_640"}, {"name": "tapisrv_perf_library_lock_pid_640"}, {"name": "tcpip_perf_library_lock_pid_640"}, {"name": "termservice_perf_library_lock_pid_640"}, {"name": "windows workflow foundation 3.0.0.0_perf_library_lock_pid_640"}, {"name": "windows workflow foundation 4.0.0.0_perf_library_lock_pid_640"}, {"name": "wmiaprpl_perf_library_lock_pid_640"}, {"name": "aspnet_state_perf_library_lock_pid_640"}, {"name": "rdyboost_perf_library_lock_pid_640"}, {"name": "usbhub_perf_library_lock_pid_640"}, {"name": "kkq-vx_mtx1"}, {"name": "gazavat-svc"}, {"name": "kkq-vx_mtx89"}, {"name": "kkq-vx_mtx91"}, {"name": "kkq-vx_mtx92"}, {"name": "kkq-vx_mtx93"}, {"name": "kkq-vx_mtx94"}, {"name": "kkq-vx_mtx95"}, {"name": "kkq-vx_mtx96"}, {"name": "kkq-vx_mtx97"}, {"name": "kkq-vx_mtx98"}, {"name": "kkq-vx_mtx99"}, {"name": "kkq-vx_mtx31"}, {"name": "kkq-vx_mtx32"}, {"name": "kkq-vx_mtx33"}, {"name": "kkq-vx_mtx29"}, {"name": "gazavat-svc_29"}], "registry": [{"key": "\\Software\\Microsoft\\WBEM\\CIMOM", "value_name": null}, {"key": "\\Software\\Microsoft\\SystemCertificates\\MY", "value_name": null}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND", "value_name": "Start"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONES\\4", "value_name": "1406"}, {"key": "\\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\\DEFAULTOBJECTSTORE\\OBJECTTABLE\\75", "value_name": "AeFileID"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_64", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\IEETWCOLLECTORSERVICE", "value_name": "Start"}, {"key": 
"\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\UI0DETECT", "value_name": "Start"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\VDS", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\VSS", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\WMIAPSRV", "value_name": "Type"}, {"key": "\\SYSTEM\\CONTROLSET001\\SERVICES\\WMIAPSRV", "value_name": "Start"}, {"key": "\\SOFTWARE\\Wow6432Node\\Microsoft\\.NetFramework\\v2.0.50727\\NGENService\\State", "value_name": null}, {"key": "\\SOFTWARE\\Wow6432Node\\Microsoft\\.NetFramework\\v2.0.50727\\NGENService\\ListenedState", "value_name": null}, {"key": "\\SOFTWARE\\Microsoft\\.NetFramework\\v2.0.50727\\NGENService\\State", "value_name": null}, {"key": "\\SOFTWARE\\MICROSOFT\\SECURITY CENTER\\SVC\\S-1-5-21-2580483871-590521980-3826313501-500", "value_name": "EnableNotifications"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONES\\0", "value_name": "2103"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONES\\1", "value_name": "2103"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONES\\2", "value_name": "2103"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONES\\3", "value_name": "2103"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101", "value_name": "CheckSetting"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103", "value_name": "CheckSetting"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100", 
"value_name": "CheckSetting"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102", "value_name": "CheckSetting"}, {"key": "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104", "value_name": "CheckSetting"}]}}, "info": {"origin": "Cisco Talos Intelligence Group", "publication_date": "2019-04-05T15:46:20+00:00", "version": "1.0", "warning": "As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net."}, "signatures": ["Win.Malware.Vobfus-6919817-0", "Win.Malware.Barys-6919339-0", "Win.Malware.Zbot-6919277-0", "Win.Malware.Autoit-6919193-0", "Win.Virus.Expiro-6918982-0", "Win.Trojan.Winwebsec-6918829-0", "Win.Trojan.Emotet-6918815-0"]}