{
	"id": "ad15360e-a69c-4e7b-8fae-9b3183bc0cbf",
	"created_at": "2026-04-06T00:13:56.823726Z",
	"updated_at": "2026-04-10T13:11:26.48691Z",
	"deleted_at": null,
	"sha1_hash": "d507ae0fff6245600fdeba296d8e20c11cada539",
	"title": "Threat Round Up for Oct 20 - Oct 27",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1331390,
	"plain_text": "Threat Round Up for Oct 20 - Oct 27\r\nBy Alexander Chiu\r\nPublished: 2017-10-27 · Archived: 2026-04-05 13:59:04 UTC\r\nFriday, October 27, 2017 18:45\r\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between October 20 and October 27. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.\r\nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.\r\nThe most prevalent threats highlighted in this round up are:\r\nDoc.Macro.Downloader-6355564-0\r\nOffice Macro\r\nWord documents making use of VBA macros to download additional binaries to further compromise the system. This cluster focuses on VBA importing external Win32 API to download and execute a file with the presence of an obfuscated URL.\r\nDoc.Macro.Obfuscation-6355576-0\r\nOffice Macro\r\nWord documents making use of VBA macro obfuscation techniques to evade detection and prevent quick analysis. This cluster focuses on the repeated use of base64-encoded data encapsulating a substring used to create the desired string for malicious use.\r\nWin.Ransomware.Bucbi-6357228-0\r\nRansomware\r\nThis is a ransomware variant that encrypts a user's data and demands that a Bitcoin ransom be paid. To achieve this, the malware performs code injection and sets registry keys for persistence. Moreover, the samples contain anti-debugging techniques to hinder analysis.\r\nWin.Trojan.Msil-6358223-2\r\nTrojan\r\nThis .NET trojan creates a shortcut file in the Windows Startup folder for persistence, drops and executes a malicious VBScript and a .bat file, and downloads additional files from different websites.\r\nWin.Trojan.Tinba-6357827-1\r\nTrojan\r\nTinba (or TinyBanker, or Hupigon) is an information stealer and banking trojan. It is capable of hooking into several popular web browsers in order to gather credentials to send back to an attacker-controlled C2. It is custom packed, and its code is injected into an instance of winver or Explorer (or both, in that order) before execution reaches its intended purpose.\r\nhttp://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html\r\nPage 1 of 23\r\nWin.Trojan.Tovkater-6355575-0\r\nTrojan\r\nThis malware is able to download and upload files, inject malicious code, and install additional malware.\r\nWin.Trojan.WillExec-6356235-0\r\nTrojan\r\nThis trojan injects into other processes, disables security features, and tries to contact several domains, waiting for instructions.\r\nWin.Trojan.Zusy-6357526-0\r\nTrojan\r\nThis is a bank credential stealer which gathers online bank passwords, credit card numbers and social security numbers. The malware injects itself into winver.exe and explorer.exe.\r\nThreats\r\nDoc.Macro.Downloader-6355564-0\r\nIndicators of Compromise\r\nRegistry Keys\r\nN/A\r\nMutexes\r\nN/A\r\nIP Addresses\r\n239[.]255[.]255[.]250\r\nDomain Names\r\nsite[.]sitez3[.]com\r\nFiles and or directories created\r\n%WinDir%\\SoftwareDistribution\\DataStore\\DataStore.edb\r\n%AppData%\\Microsoft\\Windows\\Cookies\\7OT1LGP2.txt\r\n%SystemDrive%\\~$1334139.doc\r\n\\srvsvc\r\n%AppData%\\Microsoft\\Office\\Recent\\SAT_Documento741929.LNK\r\n\\TEMP\\SAT_Documento741929.doc\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nDoc.Macro.Obfuscation-6355576-0\r\nIndicators of Compromise\r\nRegistry Keys\r\nN/A\r\nMutexes\r\nMC8D2645C\r\nGlobal\\I98B68E3C\r\nMF4F51CA3\r\nGlobal\\M98B68E3C\r\nIP Addresses\r\n81[.]169[.]145[.]76\r\n194[.]88[.]246[.]9\r\n239[.]255[.]255[.]250\r\nDomain Names\r\npuikprodukties[.]nl\r\nFiles and or directories created\r\n\\Users\\Administrator\\Documents\\20171025\\PowerShell_transcript.PC.BQAZNa49.20171025072414.txt\r\n%SystemDrive%\\Documents and Settings\\Administrator\\Local Settings\\Temp\\54180.exe\r\n%SystemDrive%\\~$690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc\r\n%WinDir%\\AppCompat\\Programs\\RecentFileCache.bcf\r\n\\TEMP\\~$690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc\r\n\\TEMP\\27690febddc8bf29d57cee5e527e3a386d0d32afa4ae9bc1fa4a18cf849f5be3.doc\r\n%WinDir%\\SysWOW64\\specsystem.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Ransomware.Bucbi-6357228-0\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\CONNECTIONS\r\nValue: SavedLegacySettings\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: IntranetName\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: AutoDetect\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: IntranetName\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\CONTENT\r\nValue: CachePrefix\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\HISTORY\r\nValue: CachePrefix\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\COOKIES\r\nValue: CachePrefix\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: ProxyServer\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: UNCAsIntranet\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\CONNECTIONS\r\nValue: DefaultConnectionSettings\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: ProxyBypass\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue: internat.exe\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: ProxyBypass\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: AutoConfigURL\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: ProxyEnable\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: AutoDetect\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: ProxyOverride\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\r\n\u003cHKU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\r\n\u003cHKLM\u003e\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\r\n\u003cHKCU\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\nMutexes\r\nLocal\\ZonesCacheCounterMutex\r\nLocal\\ZonesLockedCacheCounterMutex\r\nIP Addresses\r\nN/A\r\nDomain Names\r\nshalunishka12[.]org\r\ncaprice-porn[.]com\r\nFiles and or directories created\r\n%SystemDrive%\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\lqwrnvdl.exe\r\n\\Users\\Administrator\\AppData\\Local\\wikqsvpt.exe\r\n\\Users\\Administrator\\AppData\\Local\\lpcqdivf\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Trojan.Msil-6358223-2\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\HISTORY\r\nValue: CachePrefix\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\5.0\\CACHE\\COOKIES\r\nValue: CachePrefix\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9\r\nValue: F\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC\r\nValue: F\r\n\u003cHKLM\u003e\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5\r\nValue: F\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage2\r\n\u003cHKCU\u003e\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\r\n\u003cHKLM\u003e\\System\\CurrentControlSet\\Control\\SecurityProviders\\Schannel\r\n\u003cHKCU\u003e\\Software\\Microsoft\\GDIPlus\r\nMutexes\r\nRasPbFile\r\nIP Addresses\r\n185[.]182[.]56[.]160\r\n104[.]18[.]48[.]20\r\n104[.]27[.]162[.]68\r\n104[.]27[.]163[.]68\r\n104[.]18[.]49[.]20\r\nDomain Names\r\npaste[.]ee\r\nartishoker[.]com\r\nc[.]lewd[.]se\r\nFiles and or directories created\r\n%SystemDrive%\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\KiuFCoY1QO9PiPVC.vbs\r\n\\srvsvc\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KiuFCoY1QO9PiPVC.lnk\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KiuFCoY1QO9PiPVC.vbs\r\n%SystemDrive%\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\KiuFCoY1QO9PiPVC.lnk\r\n\\TEMP\\Scanned_Purchase_order_image277253491.exe\r\n%TEMP%\\1861034378.bat\r\n%AppData%\\KiuFCoY1QO9PiPVC.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Trojan.Tinba-6357827-1\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue: F9E7DE7B\r\n\u003cHKU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nMutexes\r\nF9E7DE7B\r\n\\BaseNamedObjects\\5D79E0A3\r\nIP Addresses\r\n216[.]218[.]185[.]162\r\nDomain Names\r\nspaines[.]pw\r\nFiles and or directories created\r\n%AppData%\\5D79E0A3\\bin.exe\r\n%AppData%\\F9E7DE7B\\bin.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Trojan.Tovkater-6355575-0\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: IntranetName\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: ProxyServer\r\n\u003cHKLM\u003e\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: ProxyBypass\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\r\nValue: ProxyBypass\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: AutoConfigURL\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: AutoDetect\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\r\nValue: ProxyOverride\r\nMutexes\r\n!IECompat!Mutex\r\nGlobal\\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs\r\nGlobal\\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit\r\nMutexNPA_UnitVersioning_1288\r\n\\BaseNamedObjects\\MutexNPA_UnitVersioning_1908\r\nIP Addresses\r\n185[.]80[.]54[.]18\r\n239[.]255[.]255[.]250\r\nDomain Names\r\nchubbyoasis[.]top\r\nFiles and or directories created\r\n%TEMP%\\nspB3BE.tmp\\nsJSON.dll\r\n%TEMP%\\nspB3BE.tmp\\ihovet312.exe\r\n%Public%\\Desktop\\Download Download.lnk\r\n%TEMP%\\nspB3BE.tmp\\crub.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Trojan.WillExec-6356235-0\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV\r\nValue: DelayedAutostart\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue: dgprf\r\n\u003cHKLM\u003e\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\r\nValue: DisableAntiSpyware\r\n\u003cHKLM\u003e\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV\r\nValue: Start\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003cHKLM\u003e\\SOFTWARE\\Wow6432Node\\Policies\\Microsoft\\Windows Defender\r\nMutexes\r\nHej2ffi2jd4slfe\r\nIP Addresses\r\nN/A\r\nDomain Names\r\nFiles and or directories created\r\n%TEMP%\\dd.te\r\n%AppData%\\xxudxudr\\ucqupaug.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nWin.Trojan.Zusy-6357526-0\r\nIndicators of Compromise\r\nRegistry Keys\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue: F9E7DE7B\r\n\u003cHKCU\u003e\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\r\nValue: internat.exe\r\n\u003cHKCU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n\u003cHKU\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nMutexes\r\nF9E7DE7B\r\n\\BaseNamedObjects\\5D79E0A3\r\nIP Addresses\r\n239[.]255[.]255[.]250\r\n216[.]218[.]185[.]162\r\nDomain Names\r\nspaines[.]pw\r\nFiles and or directories created\r\n%AppData%\\5D79E0A3\\bin.exe\r\n%AppData%\\F9E7DE7B\\bin.exe\r\nFile Hashes\r\nCoverage\r\nScreenshots of Detection\r\nAMP\r\nThreatGrid\r\nUmbrella\r\nSource: http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html"
	],
	"report_names": [
		"threat-round-up-1020-1017.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d507ae0fff6245600fdeba296d8e20c11cada539.pdf",
		"text": "https://archive.orkl.eu/d507ae0fff6245600fdeba296d8e20c11cada539.txt",
		"img": "https://archive.orkl.eu/d507ae0fff6245600fdeba296d8e20c11cada539.jpg"
	}
}