One thing that continues to amaze me is that anytime something like this hits the news, IOC's are limited to what files (by name) it drops. Ya know what's even more useful? Hashes, hashes are more useful. So here's a few I was able to pull.
Note: I seem to be missing DX.exe and update.dll that were posted here. I'm not sure why I didn't see these drop, perhaps it's only periodically. If you have them, drop me a message on Twitter.
c:\programdata\sqlite3.dll (not sure if malicious, or just used by)
And Hybrid-Analysis links:
Win7 x64 - https://www.hybrid-analysis.com/sample/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/5ad8906b7ca3e116860b7c33
Win7 x32 - https://www.hybrid-analysis.com/sample/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/5ad8958d7ca3e1200b3a2663
Virus Total links:
Relieve_stress_Paint_1.6.exe - https://www.virustotal.com/en/file/4a972d009561ea1960c7e866665979d74506c2d84eb0ad594540366873ab0441/analysis/#comments
ctfmon - https://www.virustotal.com/en/file/13654cbe13a3585b28b1b19042a49da0531a8db0a93ff7c6d6e52c497f247cda/analysis/
And some known network connections. These seem to vary, so this may be shared hosting, round-robbining, etc. No garentee of maliciousness.
18.104.22.168 - count.homepagetools.online / 22.214.171.124.vultr.com
Lastly, the sites that have been hosting it
xn--80a2a18a.net (currently offline?)