INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).

Cloud Atlas Exploitation Tool and Payload

| 2026-05-22 09:12 CRITICAL HIGH
JSON
Executive Summary AI-generated
The incident involves a sophisticated cyber attack that has been ongoing since 2025, with the malicious activities persisting into 2026. The attackers have targeted government organizations and commercial companies in Russia and Belarus, exploiting vulnerabilities to gain access and establish persistent backdoors. A PhantomHeart backdoor, attributed to Head Mare, was used to create an SSH tunnel, while a deobfuscated script identified victims as locations of interest. Technical details reveal the use of phishing, network reconnaissance, lateral movement, and malicious documents to deliver malware payloads. The attackers have also employed anti-forensic cleanup techniques to erase evidence of their presence. This incident highlights the evolving nature of cyber threats and the need for robust security measures to counter such sophisticated attacks.
Technical Mitigations AI-generated
• Implement a robust anti-malware solution with advanced signature-based detection and behavior-based detection to detect and prevent Cloud Atlas activity. • Conduct regular security audits and penetration testing to identify vulnerabilities in systems that may be vulnerable to Cloud Atlas attacks. • Utilize secure coding practices, such as input validation and sanitization, to prevent the exploitation of known vulnerabilities like CVE-2018-0802 by malicious actors.
Technical Observables
pdf.lnk
gen.vbs
video.vbs
update.vbs
kill.vbs
agenciakharis.com
genk.vbs
firsai.tipshub
run.vbs
paleturquoise-dragonfly-364512.hostingersite
install.vbs
allgoodsdirect.com
writetoschedulergeneratekey.vbs
lafortunaitalian.co
writetoschedulerkillssh.vbs
writetoschedulerrunssh.vbs
alnakhlah.com
video.mds
termsrv.dll
bounce.exe
msfu.exe
libcrypto.dll
Asset.exe
notepad.exe
pdf.zip
diagnostic.exe
splwow32.exe
package.exe
vmnetdrv64.exe
dwmw.exe
Termsrv.dll
svc.exe
syruntime.dll
reports.exe
i39884.exe
wininet.exe
HostManagement.exe
conhosts.exe
esentprf.exe
taskkill.exe
update.exe
rar.zip
Intel.exe
fodhelper.exe
service.exe
winrar.exe
scat.exe
1cv8ud.exe
RuntimeBrokers.exe
ssh.exe
stant.exe
IMTCEN14.exe
client.exe
MicrosoftBrowser.exe
print_status.exe
winlog.exe
dfsvc.exe
A75DBED984963B9AB21309C5B2F8FD9B
40A562B8600F843B717BC5951B2E3C29
50568B1F9335A7E3BA4E5DF035A8FB86
28ECF8FB6719E14231B94B4D37629B0E
8158552950D2E13B075001CE0C52AA97
ED34F5A136FBA4FDEA976570FAA33ED7
6AA586BCC45CA2E92A4F0EF47E086FA1
BBF1FA694122E07635DEEAC11AD712F8
F721A76DEB28FD0B80D27FCE6B8F5016
1D401D6E6FC0B00AAA2C65A0AC0CFD6B
9769F43B9DE8D19E803263267FA6D62E
D5B38B252CF212A4A32763DE36732D40
C0D1EAA15A2CEFBAB9735787575C8D8E
C5702EB250F855C8C872FFFB9BB656ED
69121C36EB8BF77962DCA825FCFFD873
F301AA3D62B5095EEC4D8E34201A4769
EC076CD21C483A40156F4E40D08DADED
7A95360B7E0EB5B107A3D231ABBC541A
D3C8AFD22BAA306FF659DB1FAC28574A
5000A353399500BC78381DC95B6ED2DC
F42085522EC2EBB16EDCF814E7C330AD
7F776AD200287D6DE14A29158C457179
6D7B2D1172BBDB7340972D844F6F0717
2AA1E9765EF6B00B94A9B6BE0041436A
F6F62456FB0FCC396FB654CBED339BC3
3C75CEDB1196DF5EAB91F31411ED4B33
B6AAE073E7BFEBF4D643C2BBEB5C02E1
67D7E3AEEB673BF60C59361C12A4ED81
83EDDE9F7EEEFAC0363413972F35572B
2042EB5D52F0B535A1CE6B6F954C8C2B
216CB7F31D383C0DD892B284DF05A495
51F7F794ED43FB90D0F8EBBB5EFFE628
1B39E86EB772A0E40060B672B7F574F1
A632858F14B36F03D0F213F5F5D6BFF2
BC3739DEC8CD8F54F3F60A85F3ED600E
493B901D1B33EB577DB64AADD948F9CE
1A11B26DD0261EF27A112CE8B361C247
0857C84B62289A1A9F29E19244E9A499
CC751619BFEC0DC4607C17112B9E3B2C
36120F5E9411BCBAC7104EF3FA964ED2
89572F0ED20791A5AC9FC4267D67CCB0
B8C753DD254509FBA5077FFD5067EAB0
EBA3BCDB19A7E256BF8E2CC5B9C1CCA9
9EAAE9491F6A50D6DF0BE393734A44CB
25C8ED0511375DCA57EF136AC3FA0CCA
369B75BDCDED16469EDE7AB8BEDCFAE1
5339D1A666F3E40FE756505CF1D87D4B
42AC350BFBC5B4EB0FEDBA16C81919C7
579A9952D31CAD801A3988DBE7914CE7
FB0F8027ACF1B1E47E07A63D8812ED50
BA9CE06641067742F2AFC9691FAFF1DC
63B6BE9AE8D8024A40B200CCCB438F1D
344CA9EA07CD4AC90EF27F8890D4EC05
2CABB721681455DAE1B6A26709DEF453
7242AC065B50BCDE9308756B49DBADCB
2B4BA4FACF8C299749771A3A4369782E
F9C3BBE108566D1A6B070F9C5FB03160
38FA4306FA4406BA31CF171AF4D36E34
5329F7BFF9D0D5DB28821B86C26D628F
3E6E9DF00A764B348EC611EE8504ACA0
0577DB70844E88B32B954906E2F20798
9BD788F285E32A05E6591D1EB36EBFFC
867B634588C0FD6B26684D502C15AB03
0C514E137860F489E3801213460EF938
F56B31A4B47AD3365B18A7E922FBA1A8
B4E183627B7399006C1BC47B3711E419
097CA205AD9E3B72018750280904718C
0320DD389FDBAB25D46792BD2817675E
116F59E70A9DF97F4ADAEA71EECB1E9A
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
EquationEquation PowerShowerPowerShower CVE-2018-0802CVE-2018-0802
Target & Sectors
CIS CIS governmentgovernment
Incident Timeline
‎2025/05/22
Threat actors used ReverseSocks to target Cloud Atlas in the second half of 2025 and early 2026.
organisation ReverseSocks
Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas.
‎late 2025
Threat actors used a new payload to target Russian and Belarusian victims in late 2025.
source_region Russian Federation
Fragment of the deobfuscated script Victims According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus.
source_region Belarus
Fragment of the deobfuscated script Victims According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus.
‎the second half of 2025
Threat actors used a new payload to target Cloud Atlas systems in the second half of 2025.
‎2026/05/22
The attackers used the Cloud Atlas tool, PowerCloud, to target users in the second half of 2025 and early 2026 by sending out malicious ZIP archives containing LNK files as attachments.
infrastructure Windows
The PhantomHeart backdoor ( available in Russian only ), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas: C:\Windows\ime C:\Windows\System32\ime C:\Windows\pla C:\Windows\inf C:\Windows\migration C:\Windows\System32\timecontrolsvc C:\Windows\SKB However, TTPs are still differentiated.
To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility).
Multi-user RDP by patching termsrv.dll Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247): The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file.
Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
By default, Windows limits the number of simultaneous RDP sessions.
To achieve persistence, the attackers added a new scheduled task in Windows:
Indicators of compromise PowerCloud 7A95360B7E0EB5B107A3D231ABBC541A   C:\Windows\wininet.exe C0D1EAA15A2CEFBAB9735787575C8D8E C:\Windows\LiveKernelReports\update.exe D5B38B252CF212A4A32763DE36732D40    C:\Windows\ime\imejp\dicts\i39884.exe 3C75CEDB1196DF5EAB91F31411ED4B33   C:\pla\reports.exe 42AC350BFBC5B4EB0FEDBA16C81919C7    C:\ProgramData\update_[redacted].exe 493B901D1B33EB577DB64AADD948F9CE   C:\Windows\migration\wtr\MicrosoftBrowser.exe 2CABB721681455DAE1B6A26709DEF453   C:\Windows\pla\reports\winlog.exe 1B39E86EB772A0E40060B672B7F574F1 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe 1D401D6E6FC0B00AAA2C65A0AC0CFD6B C:\Windows\setup\scripts\install\software\activation\aact\dfsvc.exe
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation PhantomHeart
The PhantomHeart backdoor ( available in Russian only ), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas: C:\Windows\ime C:\Windows\System32\ime C:\Windows\pla C:\Windows\inf C:\Windows\migration C:\Windows\System32\timecontrolsvc C:\Windows\SKB However, TTPs are still differentiated.
organisation UAC
To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility).
organisation RDP
Multi-user RDP by patching termsrv.dll Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247): The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file.
organisation Termsrv.dll
Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
organisation Remote Desktop Services
Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
infrastructure 194.102.104
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 46.17.45
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 46.17.44
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 185.22.154
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 194.87.196
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 195.58.49
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 93.125.114
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 45.87.219
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 37.228.129
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 185.53.179
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 185.126.239
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 5.181.21
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 146.70.53
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 45.15.65
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 185.250.181
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
infrastructure 81.30.105
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation D3C8AFD22BAA306FF659DB1FAC28574A
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation Malicious MS Office
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation IPs
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation MS Office
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation amerikastaj[.]com bigbang[.]me
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation wizzifi[.]com
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation mamurjor[.]com
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation internationalcommoditiesllc[.]com
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation Powershell
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation ReverseSocks C:\Windows\PLA\System\bounce.exe
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
organisation VBCloud
The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower.
organisation Microsoft Office
This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process ( CVE-2018-0802 ) to download and execute malicious code.
threat_actor Equation
This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process ( CVE-2018-0802 ) to download and execute malicious code.
infrastructure 3 Downloads
3 Downloads and drops “$temp\rar.zip” Extracts “*.pdf” from the downloaded  “$temp\rar.zip” Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
organisation Decoy
4 Extracts “*.pdf” from the downloaded  “$temp\rar.zip” Decoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.
organisation EDR
7 Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk” Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.
infrastructure Winrar
6 Executes  “taskkill.exe /F /Im winrar.exe” Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.
organisation VBScript
This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.
organisation VBCloud::Backdoor
video.mds: the encrypted body of the backdoor, VBCloud::Backdoor.
organisation Chrome, Edge
PowerCloud script Browser checker Additionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running.
organisation syruntime.dll
Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary.
organisation Tor/SSH/RevSocks
We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.
organisation LNK
In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.
organisation PDF
Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack. Fixed.ps1::Payload (VBCloud dropper) Example of the fixed.ps1::Payload (VBCloud dropper) This module functions as a dropper for the VBCloud backdoor.
organisation DOC
This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.
organisation XLS
This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.
organisation Conduct “
Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).
organisation Active Directory
Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).
organisation SAM
Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
organisation SECURITY
Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
organisation B8
and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90 .
organisation SSH
Reverse SSH tunneling As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest.
organisation PAExec
To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.
organisation PsExec
To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.
organisation RevSocks
In addition, we found a portable version of OpenSSH, presumably compiled by the adversaries: RevSocks
organisation Reverse SSH
In addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure.
organisation Tor
Tor tunneling To maintain control over the compromised host, the Tor network was used in some cases.
Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor. Example of TOR configuration file PowerCloud We analyzed a new Cloud Atlas tool, PowerCloud.
organisation HiddenService
A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices.
organisation Google Sheets
It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format.
‎early 2026
The identified targets were compromised in late 2025 and early 2026, with the malicious activities targeting Russia and Belarus.
source_region Russian Federation
Fragment of the deobfuscated script Victims According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus.
source_region Belarus
Fragment of the deobfuscated script Victims According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus.
Tactical Metrics
Metrics
infrastructure
‎Windows
Affected Product
The PhantomHeart backdoor ( available in Russian only ), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas: C:\Windows\ime C:\Windows\System32\ime C:\Windows\pla C:\Windows\inf C:\Windows\migration C:\Windows\System32\timecontrolsvc C:\Windows\SKB However, TTPs are still differentiated.
To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility).
Multi-user RDP by patching termsrv.dll Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247): The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file.
Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
By default, Windows limits the number of simultaneous RDP sessions.
To achieve persistence, the attackers added a new scheduled task in Windows:
Indicators of compromise PowerCloud 7A95360B7E0EB5B107A3D231ABBC541A   C:\Windows\wininet.exe C0D1EAA15A2CEFBAB9735787575C8D8E C:\Windows\LiveKernelReports\update.exe D5B38B252CF212A4A32763DE36732D40    C:\Windows\ime\imejp\dicts\i39884.exe 3C75CEDB1196DF5EAB91F31411ED4B33   C:\pla\reports.exe 42AC350BFBC5B4EB0FEDBA16C81919C7    C:\ProgramData\update_[redacted].exe 493B901D1B33EB577DB64AADD948F9CE   C:\Windows\migration\wtr\MicrosoftBrowser.exe 2CABB721681455DAE1B6A26709DEF453   C:\Windows\pla\reports\winlog.exe 1B39E86EB772A0E40060B672B7F574F1 C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe 1D401D6E6FC0B00AAA2C65A0AC0CFD6B C:\Windows\setup\scripts\install\software\activation\aact\dfsvc.exe
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎Microsoft Office
Affected Product
This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process ( CVE-2018-0802 ) to download and execute malicious code.
Metrics
infrastructure
3
Downloads
3 Downloads and drops “$temp\rar.zip” Extracts “*.pdf” from the downloaded  “$temp\rar.zip” Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
Metrics
infrastructure
‎Winrar
Affected Product
6 Executes  “taskkill.exe /F /Im winrar.exe” Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.
Metrics
infrastructure
‎194.102.104
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎46.17.45
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎46.17.44
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎185.22.154
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎194.87.196
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎195.58.49
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎93.125.114
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎45.87.219
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎37.228.129
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎185.53.179
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎185.126.239
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎5.181.21
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎146.70.53
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎45.15.65
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎185.250.181
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Metrics
infrastructure
‎81.30.105
Software Version
40A562B8600F843B717BC5951B2E3C29   C:\Windows\branding\scat.exe F721A76DEB28FD0B80D27FCE6B8F5016   C:\Windows\ime\imekr\dicts\dfsvc.exe D3C8AFD22BAA306FF659DB1FAC28574A   C:\ProgramData\update_[redacted].exe 6D7B2D1172BBDB7340972D844F6F0717 C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe C:\Users\[redacted]\AppData\Local\1c\1cv8\svc.exe 9769F43B9DE8D19E803263267FA6D62E C:\Users\[redacted]\AppData\Local\1c\1cv8\1cv8ud.exe 63B6BE9AE8D8024A40B200CCCB438F1D   C:\Windows\notepad.exe 6AA586BCC45CA2E92A4F0EF47E086FA1   C:\Windows\splwow32.exe EBA3BCDB19A7E256BF8E2CC5B9C1CCA9    C:\Users\[redacted]\Desktop\soc\stant.exe B4E183627B7399006C1BC47B3711E419   C:\WINDOWS\ime\service.exe F56B31A4B47AD3365B18A7E922FBA1A8   dfsvc.exe F6F62456FB0FCC396FB654CBED339BC3    – 25C8ED0511375DCA57EF136AC3FA0CCA    C:\branding\dwmw.exe Browser checker 5329F7BFF9D0D5DB28821B86C26D628F   C:\ProgramData\checker_[redacted].exe ReverseSocks 2B4BA4FACF8C299749771A3A4369782E   C:\Windows\PLA\System\bounce.exe C:\Windows\pla\print_status.exe BA9CE06641067742F2AFC9691FAFF1DC   C:\ProgramData\hp\client.exe FB0F8027ACF1B1E47E07A63D8812ED50    C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe BBF1FA694122E07635DEEAC11AD712F8    C:\Windows\System32\HostManagement.exe F301AA3D62B5095EEC4D8E34201A4769    C:\Windows\ime\imejp\msfu.exe F9C3BBE108566D1A6B070F9C5FB03160    C:\Windows\ime\imetc\help\IMTCEN14.exe Malicious MS Office documents 369B75BDCDED16469EDE7AB8BEDCFAE1 9EAAE9491F6A50D6DF0BE393734A44CB 3E6E9DF00A764B348EC611EE8504ACA0 9BD788F285E32A05E6591D1EB36EBFFC F42085522EC2EBB16EDCF814E7C330AD 2042EB5D52F0B535A1CE6B6F954C8C2B 2AA1E9765EF6B00B94A9B6BE0041436A 36120F5E9411BCBAC7104EF3FA964ED2 5000A353399500BC78381DC95B6ED2DC 579A9952D31CAD801A3988DBE7914CE7 867B634588C0FD6B26684D502C15AB03 38FA4306FA4406BA31CF171AF4D36E34 83EDDE9F7EEEFAC0363413972F35572B CC751619BFEC0DC4607C17112B9E3B2C A632858F14B36F03D0F213F5F5D6BFF2 097CA205AD9E3B72018750280904718C 69121C36EB8BF77962DCA825FCFFD873 C5702EB250F855C8C872FFFB9BB656ED ED34F5A136FBA4FDEA976570FAA33ED7 0577DB70844E88B32B954906E2F20798 28ECF8FB6719E14231B94B4D37629B0E 0857C84B62289A1A9F29E19244E9A499 0C514E137860F489E3801213460EF938 50568B1F9335A7E3BA4E5DF035A8FB86 7F776AD200287D6DE14A29158C457179 51F7F794ED43FB90D0F8EBBB5EFFE628 B8C753DD254509FBA5077FFD5067EAB0 BC3739DEC8CD8F54F3F60A85F3ED600E EC076CD21C483A40156F4E40D08DADED 216CB7F31D383C0DD892B284DF05A495 116F59E70A9DF97F4ADAEA71EECB1E9A 7242AC065B50BCDE9308756B49DBADCB 8158552950D2E13B075001CE0C52AA97 A75DBED984963B9AB21309C5B2F8FD9B 0320DD389FDBAB25D46792BD2817675E 5339D1A666F3E40FE756505CF1D87D4B 67D7E3AEEB673BF60C59361C12A4ED81 89572F0ED20791A5AC9FC4267D67CCB0 B6AAE073E7BFEBF4D643C2BBEB5C02E1 344CA9EA07CD4AC90EF27F8890D4EC05 Domains and IPs Reverse SSH/Socks domains tenkoff[.]org cloudguide[.]in goverru[.]com kufar[.]org ultimatecore[.]net spbnews[.]net onedrivesupport[.]net Malicious and compromised domains used in MS Office documents amerikastaj[.]com bigbang[.]me paleturquoise-dragonfly-364512.hostingersite[.]com wizzifi[.]com totallegacy[.]org mamurjor[.]com landscapeuganda[.]com lafortunaitalian.co[.]uk kommando[.]live internationalcommoditiesllc[.]com humanitas[.]si fishingflytackle[.]com firsai.tipshub[.]net alnakhlah.com[.]sa allgoodsdirect.com[.]au agenciakharis.com[.]br Powershell payload staging istochnik[.]org znews[.]net i investika-club[.]com 194.102.104[.]207 46.17.45[.]56 46.17.45[.]49 46.17.44[.]125 46.17.44[.]212 185.22.154[.]73 194.87.196[.]163 195.58.49[.]9 93.125.114[.]193 93.125.114[.]57 45.87.219[.]116 37.228.129[.]224 185.53.179[.]136 185.126.239[.]77 5.181.21[.]75 146.70.53[.]171 45.15.65[.]134 185.250.181[.]207 81.30.105[.]71 File paths VBS scripts WriteToSchedulerKillSSH.vbs Create_task_day.vbs WriteToSchedulerGenerateKey.vbs C:\Windows\INF\Run.vbs c:\Windows\INF\install.vbs Update.vbs c:\Windows\PLA\System\Gen.vbs C:\Windows\INF\GenK.vbs c:\Windows\PLA\System\Kill.vbs c:\Windows\PLA\System\Run.vbs ssh.exe c:\Windows\ime\imejp\Asset.exe c:\Windows\PLA\System\conhosts.exe c:\Windows\INF\BITS\esentprf.exe c:\Windows\INF\MSDTC\RuntimeBrokers.exe c:\Windows\inf\diagnostic.exe ReverseSocks C:\Windows\PLA\System\bounce.exe C:\ProgramData\hp\client.exe C:\Windows\System32\timecontrolsvc\vmnetdrv64.exe Tor client C:\Windows\Resources\Update\Intel.exe C:\Windows\INF\package.exe
Intelligence Sources
Kaspersky 2026-05-22
Kaspersky 2026-05-22