{
	"id": "94abaa08-d126-4c92-a363-90f79173ca94",
	"created_at": "2026-04-10T03:22:03.118326Z",
	"updated_at": "2026-04-10T03:22:19.684043Z",
	"deleted_at": null,
	"sha1_hash": "0062160b097ca093312a5e53e98b79941fdbc9b4",
	"title": "Threat Roundup for February 4 to February 11",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2430908,
	"plain_text": "Threat Roundup for February 4 to February 11\r\nBy William Largent\r\nPublished: 2022-02-11 · Archived: 2026-04-10 03:03:54 UTC\r\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 4 and Feb. 11.\r\nAs with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the\r\nthreats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing\r\nhow our customers are automatically protected from these threats.\r\nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of\r\nthe date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting.\r\nSpotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following\r\nthreats is subject to updates, pending additional threat or vulnerability analysis. For the most current information,\r\nplease refer to your Firepower Management Center, Snort.org, or ClamAV.net.\r\nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for\r\neach category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well\r\nas all other IOCs from this post. A visual depiction of the MITRE ATT\u0026CK techniques associated with each threat\r\nis also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files\r\nwhere dynamic analysis was conducted.  
There are five distinct shades that are used, with the darkest indicating\r\nthat no files exhibited technique behavior and the brightest indicating that technique behavior was observed from\r\n75 percent or more of the files.\r\nThe most prevalent threats highlighted in this roundup are:\r\nThreat Name Type Description\r\nWin.Malware.TinyBanker-9938313-1\r\nMalware\r\nTinyBanker, also known as Zusy or Tinba, is a trojan that uses\r\nman-in-the-middle attacks to steal banking information. When\r\nexecuted, it injects itself into legitimate Windows processes such\r\nas \"explorer.exe\" and \"winver.exe\". When the user accesses a\r\nbanking website, it displays a form to trick the user into\r\nsubmitting personal information.\r\nWin.Packed.Tofsee-9938395-0\r\nPacked\r\nTofsee is multi-purpose malware that features a number of\r\nmodules used to carry out various activities such as sending spam\r\nmessages, conducting click fraud, mining cryptocurrency, and\r\nmore. Infected systems become part of the Tofsee spam botnet\r\nand are used to send large volumes of spam messages in an effort\r\nto infect additional systems and increase the size of the botnet\r\nunder the operator's control.\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 1 of 42\n\nWin.Dropper.Lokibot-9938416-1\r\nDropper\r\nLokibot is an information-stealing malware designed to siphon off\r\nsensitive information stored on an infected device. It is modular\r\nin nature, supporting the ability to steal sensitive information\r\nfrom a number of popular applications. 
It is commonly pushed via\r\nmalicious documents delivered via spam emails.\r\nWin.Virus.Xpiro-9938457-1\r\nVirus\r\nExpiro is a known file infector and information-stealer that\r\nhinders analysis with anti-debugging and anti-analysis tricks.\r\nWin.Dropper.DarkComet-9938488-1\r\nDropper\r\nDarkComet and related variants are a family of remote access\r\ntrojans designed to provide an attacker with control over an\r\ninfected system. Capabilities of this malware include the ability to\r\ndownload files from a user's machine, mechanisms for persistence\r\nand hiding, and the ability to send back usernames and passwords\r\nfrom the infected system.\r\nWin.Worm.Gh0stRAT-9938500-1\r\nWorm\r\nGh0stRAT is a well-known family of remote access trojans that\r\ncan provide an attacker with complete control over an infected\r\nsystem. Its capabilities include monitoring keystrokes, collecting\r\nvideo footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly\r\navailable on the internet for years, significantly lowering the\r\nbarrier for actors to modify and reuse the code in new attacks.\r\nWin.Malware.Zbot-9938525-0\r\nMalware\r\nZbot, also known as Zeus, is a trojan that steals information, such\r\nas banking credentials, using methods such as key-logging and\r\nform-grabbing.\r\nThreat Breakdown\r\nWin.Malware.TinyBanker-9938313-1\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 119 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: EEFEB657\r\n107\r\nMutexes Occurrences\r\nEEFEB657 111\r\n4A60888F 4\r\nIP Addresses contacted by malware. Does not indicate maliciousness Occurrences\r\n216[.]218[.]185[.]162 54\r\nDomain Names contacted by malware. 
Does not indicate maliciousness Occurrences\r\n*See JSON for more IOCs\r\nFiles and or directories created Occurrences\r\n%HOMEPATH%\\AppData\\LocalLow\\EEFEB657 107\r\n%APPDATA%\\EEFEB657 107\r\n%APPDATA%\\EEFEB657\\bin.exe 107\r\n%APPDATA%\\4A60888F\\bin.exe 4\r\n\\Users\\user\\AppData\\Roaming\\C085EE96\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\F9D340E9\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\EFEA19B1\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\FCD59BF4\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\FE7CEA4A\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\29EEFF67\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\3B8456CD\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\ACF7EE57\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\382240CB\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\F87C9831\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\F21AB61D\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\D9419169\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\01ACD167\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\4DD60A79\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\E409BE83\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\E607047A\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\BF0913D3\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\1620527C\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\367B3C67\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\D515B45E\\bin.exe 1\r\n\\Users\\user\\AppData\\Roaming\\2DEACB61\\bin.exe 1\r\n*See JSON for more IOCs\r\nFile Hashes\r\n*See JSON for more IOCs\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security ✓\r\nStealthwatch N/A\r\nStealthwatch Cloud N/A\r\nSecure Malware Analytics ✓\r\nUmbrella ✓\r\nWSA ✓\r\nScreenshots of Detection\r\nSecure Endpoint\r\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nWin.Packed.Tofsee-9938395-0\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 12 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCR\u003e\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\BAGS\\159 12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e 12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: Type\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: Start\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: ErrorControl\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: DisplayName\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: WOW64\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: ObjectName\r\n12\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: 
Description\r\n12\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES\r\nValue Name: Config4\r\n11\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES 11\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES\r\nValue Name: Config0\r\n11\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES\r\nValue Name: Config1\r\n11\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES\r\nValue Name: Config2\r\n11\r\n\u003cHKU\u003e\\.DEFAULT\\CONTROL PANEL\\BUSES\r\nValue Name: Config3\r\n11\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\\u003crandom, matching '[A-Z0-9]{8}'\u003e\r\nValue Name: ImagePath\r\n11\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\nqeybyka\r\n2\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\jmauxugw\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\knbvyvhx\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\zcqknkwm\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\mpdxaxjz\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\ehvpspbr\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\uxlfifrh\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\ilztwtfv\r\n1\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS\r\nValue Name: C:\\Windows\\SysWOW64\\xaoiliuk\r\n1\r\nIP Addresses contacted by malware. 
Does not indicate maliciousness Occurrences\r\n*See JSON for more IOCs\r\nDomain Names contacted by malware. Does not indicate maliciousness Occurrences\r\n*See JSON for more IOCs\r\nFiles and or directories created Occurrences\r\n%SystemRoot%\\SysWOW64\\\u003crandom, matching '[a-z]{8}'\u003e 12\r\n%SystemRoot%\\SysWOW64\\config\\systemprofile 11\r\n%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos 11\r\n%System32%\\config\\systemprofile:.repos 11\r\n%TEMP%\\\u003crandom, matching '[a-z]{8}'\u003e.exe 11\r\n%TEMP%\\zwqprzv.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\lkdyrgak.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\wrnysiik.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\evrkqnrx.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\hgrwijsw.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\tpuuwzks.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\khbackg.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\wsxxzcnv.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\ksvvedjb.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\awbbdgrz.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\utivytuo.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\qnhgiqm.exe 1\r\n\\Users\\user\\AppData\\Local\\Temp\\ongbujdn.exe 1\r\nFile 
Hashes\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security ✓\r\nStealthwatch N/A\r\nStealthwatch Cloud N/A\r\nSecure Malware Analytics ✓\r\nUmbrella ✓\r\nWSA ✓\r\nScreenshots of Detection\r\nSecure Endpoint\r\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nWin.Dropper.Lokibot-9938416-1\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 15 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCR\u003e\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\BAGS\\159 15\r\n\u003cHKCU\u003e\\SOFTWARE\\WINRAR 1\r\n\u003cHKCU\u003e\\SOFTWARE\\WINRAR\r\nValue Name: HWID\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 
076c8cd6b128aff0be52736591e26777d73497ff0b36a2f5ee9966ca051adf43.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: c02f78ea73a8f86ab721800af6bf9be1ba182a779a2b55fb7b583a1b79a63ce0.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: c081e8dc858925158f65aa758764781f07476edc4641dbbd1d3acdab4a590a87.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 43fbaf28a8db23ce81f85286b3316b6d3a352af0948bb58f01f7e929631f9740.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: c110ae946c48f8f26287c7163cd1557bc4ad83abb93e26c10b32df856fe5c72e.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 12cf795390f0849bce4b21f1987e7fbcc92f812accdbb1a297d00638ee3e0004.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: f8448219df30254002bdb8ccf5745b3f2156f25b1b48209d69a451dca03968f2.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 04f2512b1cbeeab43d96983222b5cfc15031481eed599ed39ecfca0fdf05838f.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: ccdc34aa16b23192f0260b9c21529919f47c3b0e2e59034d512184b94267adc2.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 52864c84c299b950f3de76f8b8387d6ebda6726ded21d64a8ad565c25d4e4d52.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 17eb09a8fb7eae2aaa740a74234a75b47c072ca93a1b65cda00a175e25720c88.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: c197343a6c7b1581b2d200e85869d7751b13549ff109b70ae5abd3b838fdea3a.exe\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: daf3e154beeb32370cf0a5cda571b3a84959a53da4c530a77696ecd1c24ab485.exe\r\n1\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9\r\nValue Name: F\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: 7d00f5ccb1d443866e2d25a96377ea39787b825cf5dcd099cead7baa630e98a0.exe\r\n1\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5\r\nValue Name: F\r\n1\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC\r\nValue Name: F\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: b73f8d8838c450977a85ba646b98db3d556b0e78a33a7b0f5126d8e698d00ba2.exe\r\n1\r\nMutexes Occurrences\r\n3749282D282E1E80C56CAE5A 14\r\n3BA87BBD1CC40F3583D46680 8\r\nIP Addresses contacted by malware. Does not indicate maliciousness Occurrences\r\n185[.]6[.]242[.]251 6\r\n91[.]223[.]82[.]29 3\r\nDomain Names contacted by malware. Does not indicate maliciousness Occurrences\r\nnextlevlcourier[.]com 2\r\nsharonbooks[.]ru 2\r\nlidgeys[.]ru 2\r\ndunysaki[.]ru 2\r\nfinelets[.]ru 2\r\nkkeyvenus[.]ru 1\r\njoanread[.]ru 1\r\ntopreadz[.]ru 1\r\nFiles and or directories created Occurrences\r\n%APPDATA%\\Microsoft\\Skype.exe 15\r\n%APPDATA%\\D282E1 14\r\n%APPDATA%\\D282E1\\1E80C5.lck 14\r\n%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5\r\n14\r\n%APPDATA%\\D1CC40\\0F3583.hdb 8\r\n%APPDATA%\\D1CC40\\0F3583.lck 8\r\n%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-1258710499-2222286471-4214075941-500\\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1\r\n8\r\n%APPDATA%\\D1CC40\\0F3583.exe (copy) 1\r\n%TEMP%\\105687.bat 1\r\n%TEMP%\\-1530491364.bat 1\r\nFile Hashes\r\nCoverage\r\nProduct 
Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security N/A\r\nStealthwatch N/A\r\nStealthwatch Cloud N/A\r\nSecure Malware Analytics ✓\r\nUmbrella ✓\r\nWSA ✓\r\nScreenshots of Detection\r\nSecure Endpoint\r\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nWin.Virus.Xpiro-9938457-1\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 29 samples\r\nRegistry Keys Occurrences\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_64\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_64\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_64\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\IEETWCOLLECTORSERVICE\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\IEETWCOLLECTORSERVICE\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER\r\nValue Name: 
Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\UI0DETECT\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\UI0DETECT\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\VDS\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\VDS\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\VSS\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\VSS\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\WMIAPSRV\r\nValue Name: Type\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\WMIAPSRV\r\nValue Name: Start\r\n28\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC\\S-1-5-21-2580483871-590521980-3826313501-500\r\n28\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\\SVC\\S-1-5-21-2580483871-590521980-3826313501-500\r\nValue Name: EnableNotifications\r\n28\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32\r\nValue Name: Start\r\n28\r\nMutexes Occurrences\r\nkkq-vx_mtx63 28\r\nkkq-vx_mtx64 28\r\nkkq-vx_mtx65 28\r\nkkq-vx_mtx66 28\r\nkkq-vx_mtx67 28\r\nkkq-vx_mtx68 28\r\nkkq-vx_mtx69 28\r\nkkq-vx_mtx70 28\r\nkkq-vx_mtx71 28\r\nkkq-vx_mtx72 28\r\nkkq-vx_mtx73 28\r\nkkq-vx_mtx74 28\r\nkkq-vx_mtx75 28\r\nkkq-vx_mtx76 28\r\nkkq-vx_mtx77 28\r\nkkq-vx_mtx78 28\r\nkkq-vx_mtx79 28\r\nkkq-vx_mtx80 28\r\nkkq-vx_mtx81 28\r\nkkq-vx_mtx82 28\r\nkkq-vx_mtx83 28\r\nkkq-vx_mtx84 28\r\nkkq-vx_mtx85 
28\r\nkkq-vx_mtx86 28\r\nkkq-vx_mtx87 28\r\n*See JSON for more IOCs\r\nIP Addresses contacted by malware. Does not indicate maliciousness Occurrences\r\nDomain Names contacted by malware. Does not indicate maliciousness Occurrences\r\n*See JSON for more IOCs\r\nFiles and or directories created Occurrences\r\n%CommonProgramFiles(x86)%\\microsoft shared\\Source Engine\\OSE.EXE 28\r\n%ProgramFiles(x86)%\\Microsoft Office\\Office14\\GROOVE.EXE 28\r\n%ProgramFiles(x86)%\\Mozilla Maintenance Service\\maintenanceservice.exe 28\r\n%SystemRoot%\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorsvw.exe 28\r\n%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe 28\r\n%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe 28\r\n%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe 28\r\n%System32%\\FXSSVC.exe 28\r\n%System32%\\UI0Detect.exe 28\r\n%System32%\\VSSVC.exe 28\r\n%System32%\\alg.exe 28\r\n%System32%\\dllhost.exe 28\r\n%System32%\\ieetwcollector.exe 28\r\n%System32%\\msdtc.exe 28\r\n%System32%\\msiexec.exe 28\r\n%System32%\\snmptrap.exe 28\r\n%System32%\\sppsvc.exe 28\r\n%System32%\\vds.exe 28\r\n%System32%\\wbem\\WmiApSrv.exe 28\r\n%System32%\\wbengine.exe 28\r\n%SystemRoot%\\ehome\\ehsched.exe 28\r\n%SystemRoot%\\SysWOW64\\dllhost.exe 28\r\n%SystemRoot%\\SysWOW64\\msiexec.exe 28\r\n%SystemRoot%\\SysWOW64\\svchost.exe 28\r\n%SystemRoot%\\SysWOW64\\dllhost.vir 28\r\n*See JSON for more IOCs\r\nFile Hashes\r\n*See JSON for more IOCs\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security N/A\r\nStealthwatch N/A\r\nStealthwatch Cloud 
N/A\r\nSecure Malware Analytics ✓\r\nUmbrella ✓\r\nWSA ✓\r\nScreenshots of Detection\r\nSecure Endpoint\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 26 of 42\n\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 27 of 42\n\nWin.Dropper.DarkComet-9938488-1\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 25 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC 25\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: MicroUpdate\r\n25\r\n\u003cHKLM\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\r\nValue Name: UserInit\r\n25\r\n\u003cHKCR\u003e\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\BAGS\\159 24\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 7:01:02 AM\r\n14\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 7:02:02 AM\r\n9\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:04:02 AM\r\n4\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 28 of 42\n\nRegistry Keys Occurrences\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:03:02 AM\r\n4\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 7:01:03 AM\r\n4\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 7:02:01 AM\r\n3\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:05:01 AM\r\n2\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:04:01 AM\r\n2\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:05:02 AM\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:04:09 AM\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\DC3_FEXEC\r\nValue Name: 2/5/2022 at 1:04:03 AM\r\n1\r\nMutexes Occurrences\r\nDC_MUTEX-HMNSNR1 25\r\nRtkNGUI64 25\r\nDomain Names contacted by malware. 
Does not indicate maliciousness Occurrences\r\nmoneybag123[.]myftp[.]biz 25\r\nFiles and or directories created Occurrences\r\n%APPDATA%\\dclogs 25\r\n%TEMP%\\MSDCSC 25\r\n%TEMP%\\MSDCSC\\msdcsc.exe 25\r\n%HOMEPATH%\\Gfxv2_0 25\r\n%HOMEPATH%\\Gfxv2_0\\WindowsUpdateElevatedInstaller.exe 25\r\n%TEMP%\\MSDCSC\\zVtZSjWSmT8T 25\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 29 of 42\n\nFiles and or directories created Occurrences\r\n%TEMP%\\MSDCSC\\zVtZSjWSmT8T\\msdcsc.exe 25\r\n%System32%\\Tasks\\BitLockerWizardElev 25\r\n%TEMP%\\MSDCSC\\zVtZSjWSmT8T\\zVtZSjWSmT8T 19\r\n%TEMP%\\MSDCSC\\zVtZSjWSmT8T\\zVtZSjWSmT8T\\msdcsc.exe 19\r\nFile Hashes\r\n00c4d334768f563cced2a243cf640c592149cec38044bb8792e49945a23ee61b\r\n04b793b2cf5441a512f49044f12199110fbc24abd5300f6de5da21c95a1b118a\r\n0523cf6dcd6a1b89943cbd432e01e572f03c0abab43dcb055e95a301e9b1f957\r\n126954e3d7bb42e1757598481610e6c229d3cfca43bca9ebaf2b788f58a3a2c9\r\n13bae0fb3015efd0a27e6ea77fb9c5dfb885321c809d9668c34899ce9472c157\r\n1642b09633ce8e3f79bcdad20242a3989645d3a60d6f686235b018c8914b8660\r\n19a57c2208ef58387cb38412b0db3060b1ddcaf4f02929213f5355c40776a98d\r\n21454d9e2f5e0c502b423ffadbbe802ae69f81a99fbc7c50817b1f80a083cf1a\r\n293f0baa32b35d17e90cd03980a58d2fe1cff22efb4c09b8b2bbe210f4054856\r\n2db522042954becd5b940edc0afbfc93f0039d3f4f775d4cfa45b7012587574e\r\n33302b6dfc2b669df38aab7a4a7e74c512ce31ba3a5a9151aea435a86c36b738\r\n37edc65fde51628d1604ddbf0c14f06035e8c6819b7d0bfac7fee8dd4bf30bc7\r\n41d6765ff915ef589039b311d958c052d32d13bb03ce8b5af005161da952885a\r\n461031f7db840c45b1c0b6644d2f8772105d57785b94fda069a5fbf921879da5\r\n4ffc3229a0db6972c70c80db3be8c93017a4163f2724c6edf300ce87ba49041b\r\n611196f2e7768773cd724ec0f5b6bf602187e6bb5fc1ec59fe379b47c78e4fcc\r\n6b4a4161813a01e51ecca9b68e6d8b852ede2cfe6ff6f634f709493930f4b32b\r\n8545cb2dea3b9d29481431822352182261461e5d91d441109eb562c818d3ceff\r\n96c821c14f746271a3a89587cd25fbd47686e143bd53750c0416673df9e58a12\r\n9a1056d1898a71f3b88c87
5ff08b5d465b549d03206cbe02efcb19c144582ee8\r\n9c641719e876dc8b3f7ce206a59c3228b2d7abda81adecc2279a68186ce1a2d1\r\naec82f9487cdd2b727aa619b21b070b77db0572a98637212d3514f1868032828\r\nb17c1f8063ba70ecef31071a6c51117953dddf37d4b54c1a92b01525cb44c38f\r\nb40e00192ed4d4cf0c90e3c03c11124dae8fc7f2182be609b2c3efcc585a00be\r\nb5201f282c7e067e5dca7de945ed48805af74c9dae94ec3f83ff93c151f83c39\r\n*See JSON for more IOCs\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 30 of 42\n\nProduct Protection\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security N/A\r\nStealthwatch N/A\r\nStealthwatch Cloud N/A\r\nSecure Malware Analytics ✓\r\nUmbrella N/A\r\nWSA N/A\r\nScreenshots of Detection\r\nSecure Endpoint\r\nSecure Malware Analytics\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 31 of 42\n\nMITRE ATT\u0026CK\r\nWin.Worm.Gh0stRAT-9938500-1\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 32 of 42\n\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 26 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCR\u003e\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\BAGS\\159 26\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue Name: dtfd\r\n26\r\nMutexes Occurrences\r\nMhost123.zz.am:6658 26\r\nhost123.zz.am:6658 26\r\nIP Addresses contacted by malware. Does not indicate maliciousness Occurrences\r\n107[.]163[.]56[.]110 26\r\n107[.]160[.]131[.]253 26\r\n107[.]160[.]131[.]254 26\r\nDomain Names contacted by malware. 
Does not indicate maliciousness Occurrences\r\nhost123[.]zz[.]am 26\r\nFiles and or directories created Occurrences\r\n\\1.txt 26\r\n%TEMP%\\\u003crandom, matching '[a-z]{4,9}'\u003e.exe 26\r\n%ProgramFiles%\\\u003crandom, matching '[a-z]{5,9}\\[a-z]{3,9}'\u003e.exe 26\r\n%ProgramFiles%\\\u003crandom, matching '[a-z]{5,9}\\[a-z]{3,9}'\u003e.dll 26\r\n%ProgramFiles%\\\u003crandom, matching '[a-z]{5,8}'\u003e 24\r\n%ProgramFiles%\\axofwxn\\12010043 2\r\n%ProgramFiles%\\uqvba\\12010043 1\r\n%ProgramFiles%\\mvbii\\12010043 1\r\n%ProgramFiles%\\cjzls\\12010043 1\r\n%ProgramFiles%\\pdvzn\\12010043 1\r\n%ProgramFiles%\\yhfes\\12010043 1\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 33 of 42\n\nFiles and or directories created Occurrences\r\n%ProgramFiles%\\mqbaqfto\\12010043 1\r\n%ProgramFiles%\\fycasauyy 1\r\n%ProgramFiles%\\mtotuwc\\12010043 1\r\n%ProgramFiles%\\jaafc\\12010043 1\r\n%ProgramFiles%\\tkxvwyhl\\12010043 1\r\n%ProgramFiles%\\mqdug\\12010043 1\r\n%ProgramFiles%\\fycasauyy\\12010043 1\r\n%ProgramFiles%\\axddl\\12010043 1\r\n%ProgramFiles%\\tufcwnkzd 1\r\n%ProgramFiles%\\cidhqek\\12010043 1\r\n%ProgramFiles%\\qytxj\\12010043 1\r\n%ProgramFiles%\\bghvo\\12010043 1\r\n%ProgramFiles%\\qhpobisc\\12010043 1\r\n%ProgramFiles%\\tufcwnkzd\\12010043 1\r\n*See JSON for more IOCs\r\nFile 
Hashes\r\n01b1fcc6a12cc903fe0dbc560d5a4ef1a1c97338c3250f4b95ded8bffb9a5334\r\n0281fe6b45250edb67ea958b6f40117352c4ef5a508ad250694ed6367d702fcd\r\n0391037f82b2bc2738e54552d764d706643cadaf405de682bfe64ca911a34bc5\r\n08d01b5a2cf7371fb2929a43e3de40d3a7ebde7abd2a30016db5721fdc9f493a\r\n09ec933e44eda616bc5dd6b1b9defd4cd2c247e01eda3a1e02fa4a81708e49a3\r\n123782513add1750a253e0acc93cba7424610a8112745431928fc0c21d00e844\r\n300ba8c9e61fc6fd9223bd981681ca6ee9d79e7e03703bda9f14159eaf4e2c5f\r\n34e0e3d43abcc0eefc3b70ef4b5e8889d61d4ea4571d928501341822de881f3a\r\n35a84a43a11e09b7d5e19656f834034b171bc4c8cd258cbcad7f7ffb8934d5fa\r\n3645fd55b8c92764181907e22fba8c4e55af5bcda1fb030cb1cfa02a3a283ac4\r\n42a9e037df7faa5ce3262c06523129982ac77337f2384af75324e1e8902a294c\r\n500c35cf8e2d231c5e8151d090c3d8aafb276b442ddc91dec24cc44715b3e4d7\r\n5667d97bd3b84c1abd779edfc9593e0f8837941af9aa9ef5c9711a136da85420\r\n5a1a2b62d56065bf4b5c08e8c8bd0bdb90f50d6552b5b8955df1aa82f1ecd720\r\n5e3623e2ab92a23b3eb853c1da9b1b6ce4b22a7c608d3f42f72b38c91a3220dc\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 34 of 42\n\n657b475c7fd898e000c2da73a2803ebe69e4b51f569ff705b3371c5a5605202f\r\n6d2e67f375c0638bd38a53f89d9495feba1cb20e88d3a4ed92dd3b0a47743fe5\r\n6e11e5de537441490eda85e5813011c587bb862859069003c6e30f8ea65e2bf9\r\n72f1acb9e0dd790b7435f3f108e23336c23804a36cef06ba16cb768d32fcbba6\r\n7a1df46ccca8f3c04c6a811ed718d77eba4054302570c7bba71059e9d562d0df\r\n7d35e4715ea04cb3065c77feff47867fea87c1825ce61550b8ed4860c8aa48a5\r\n7f6124b007c97f56551e57a9a43155d5a52df2ab485248256df0b08f817cc96a\r\n8820066073cfbf71f70b3fcc64191aab651f718542a0582e5675a538e4427201\r\n8a5100f5b8bbd1d332ec35c489bb8fa69230dde67db7a73e6a29a4c7bb448ae7\r\n9421107200ff0bdb97cc027179bd3c3ca9a5448c32a7d60a38e080a35c7f8ca2\r\n*See JSON for more IOCs\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security N/A\r\nStealthwatch N/A\r\nStealthwatch Cloud 
N/A\r\nSecure Malware Analytics ✓\r\nUmbrella N/A\r\nWSA N/A\r\nScreenshots of Detection\r\nSecure Endpoint\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 35 of 42\n\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 36 of 42\n\nWin.Malware.Zbot-9938525-0\r\nIndicators of Compromise\r\nIOCs collected from dynamic analysis of 15 samples\r\nRegistry Keys Occurrences\r\n\u003cHKCR\u003e\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\BAGS\\159 11\r\n\u003cHKCU\u003e\\SOFTWARE\\PWRKXXZKWU\r\nValue Name: License\r\n5\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\PWRKXXZKWU\r\nValue Name: License\r\n5\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\PWRKXXZKWU 5\r\n\u003cHKCU\u003e\\SOFTWARE\\PWRKXXZKWU 5\r\n\u003cHKCU\u003e\\SOFTWARE\\WINRAR 1\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9\r\nValue Name: F\r\n1\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5\r\nValue Name: F\r\n1\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 37 of 42\n\nRegistry Keys Occurrences\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC\r\nValue Name: F\r\n1\r\n\u003cHKCU\u003e\\SOFTWARE\\WINRAR\r\nValue Name: HWID\r\n1\r\nMutexes Occurrences\r\n85485515 11\r\nGlobal\\8e4d9ae1-86e8-11ec-b5f8-00501e3ae7b6 1\r\nGlobal\\844108c1-86e8-11ec-b5f8-00501e3ae7b6 1\r\nGlobal\\7ad43141-86e8-11ec-b5f8-00501e3ae7b6 1\r\nGlobal\\7e601721-86e8-11ec-b5f8-00501e3ae7b6 1\r\nIP Addresses contacted by malware. Does not indicate maliciousness Occurrences\r\n104[.]208[.]16[.]94 3\r\n20[.]189[.]173[.]22 2\r\n20[.]189[.]173[.]20 2\r\n46[.]165[.]243[.]51 1\r\n50[.]7[.]252[.]125 1\r\n95[.]211[.]222[.]156 1\r\n52[.]182[.]143[.]212 1\r\n52[.]168[.]117[.]173 1\r\n62[.]76[.]185[.]233 1\r\n62[.]76[.]178[.]192 1\r\n62[.]76[.]188[.]38 1\r\n62[.]76[.]47[.]5 1\r\nDomain Names contacted by malware. 
Does not indicate maliciousness Occurrences\r\ncomputer[.]example[.]org 15\r\nwpad[.]example[.]org 15\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 38 of 42\n\nDomain Names contacted by malware. Does not indicate maliciousness Occurrences\r\nclientconfig[.]passport[.]net 9\r\nvmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 7\r\nnet-forwarding[.]com 5\r\nvmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 5\r\nt14qb[.]mrbasic[.]com 4\r\ndiscover-lang[.]com 3\r\nvmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 3\r\nonedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com 3\r\ngeio-pricing[.]com 2\r\nonedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com 2\r\nonedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com 2\r\nwindowsupdate[.]s[.]llnwi[.]net 1\r\nonedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com 1\r\nonedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com 1\r\nFiles and or directories created Occurrences\r\n%TEMP%\\st1m.bat 4\r\n\\Users\\user\\AppData\\Local\\Temp\\st1m.bat 2\r\n%TEMP%\\-1399634684.bat 1\r\n\\Users\\user\\AppData\\Local\\Temp\\tmp72f12c56.bat 1\r\n\\Users\\user\\AppData\\Local\\Temp\\tmp9263c976.bat 1\r\n\\Users\\user\\AppData\\Local\\Temp\\tmp83b27453.bat 1\r\n\\Users\\user\\AppData\\Local\\Temp\\tmp791b5ee5.bat 1\r\nFile Hashes\r\n0359b8913493b41b7c0209a133d3492c6893c420ecd97af7a9a997fa1efbf7ad\r\n1023e8030a884209b44b046ee3fd47996c6e3a356a0022b2184335623192d0e8\r\n3465f83eb61a1c4b32242e1ee52deddb8e507f155f8ac9b476b54de8a0ab19be\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 39 of 
42\n\n41085ad88d42f4fff9cc0375a934b77560782153838180aa84725750081db662\r\n48dd72cfc8802b263921c471e1bc87d36667996971cc522d2904950d4e3708cd\r\n4fc174ba2eb3848639ead3bbc2b88136b53e3a04af1bcd5dd1616afb18715af2\r\n58dc89acadbd0377dbdf5fb442238c387ddff2033ac3d9b00031a32931307b39\r\n7112aa176e6098a97c984d8cff643733655467a9deedf6df3850833412032d64\r\n89869a26121998e8c994ccf0725a3fadcf803ff8922219519c663db67b42a1e2\r\n8b213a839cfa60bbb405f91504b86cb305d5ad19374895f3c37700ca6f943e32\r\nc5ebaa812220fbbb09996ef31827546c128873b891968b96f12d4e827ab23dd1\r\nd2c296a48c4dcb1f1c6254c55e6d97702d570119cda1d5bf509898e253662a81\r\ndb341e594d1ca60c33fe7688f3422053df2be10a8a9de4a00227147ad23559e3\r\ned601fa3467259be08db4756f41979d6528b7f8a630bb2a74b6240da0c5b7ef0\r\nf4c630b94e4f13cc3a53f86f2b7c076e5096e83b0640c237644101b8ca3d9607\r\nCoverage\r\nProduct Protection\r\nSecure Endpoint ✓\r\nCloudlock N/A\r\nCWS ✓\r\nEmail Security ✓\r\nNetwork Security ✓\r\nStealthwatch N/A\r\nStealthwatch Cloud N/A\r\nSecure Malware Analytics ✓\r\nUmbrella N/A\r\nWSA N/A\r\nScreenshots of Detection\r\nSecure Endpoint\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 40 of 42\n\nSecure Malware Analytics\r\nMITRE ATT\u0026CK\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 41 of 42\n\nSource: https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nhttps://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html\r\nPage 42 of 42",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html"
	],
	"report_names": [
		"threat-roundup-0204-0211.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791323,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0062160b097ca093312a5e53e98b79941fdbc9b4.pdf",
		"text": "https://archive.orkl.eu/0062160b097ca093312a5e53e98b79941fdbc9b4.txt",
		"img": "https://archive.orkl.eu/0062160b097ca093312a5e53e98b79941fdbc9b4.jpg"
	}
}