The submitted file 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6 is classified as RANSOMWARE (tagged STOP, .neqp extension; a second-stage executable is downloaded during execution).

SHA256: 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6
File Name: 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-06-07 17:41:47 (UTC)
Analysis End Time: 2023-06-07 17:47:24 (UTC)
Tags
  • Trojan
  • .neqp
  • STOP
  • Ransomware
  • Vidar
  • Exe-Downloaded
  • Spyware

Static Analysis

MALICIOUS

Network Analysis

MALICIOUS

Dynamic Analysis

MALICIOUS

File Analysis

NO THREATS

Behavioral Signatures

  • Malicious
    • Changes The Autorun Value In The Registry
      • 2904 - 01ED10~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Task Scheduler Executable Triggered
      • 4516 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5196 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5000 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 4516 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5196 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5000 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Sysmon Process Hollowing Detection
    • Use Icacls to Hide File to Everyone
      • 2200 - icacls "C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Suspicious Schtasks From Env Var Folder
      • 4516 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5196 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5000 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Add Scheduled Task Parent
      • 4516 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5196 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5000 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Execution of Shutdown
      • 5196 - C:\Windows\system32\shutdown.exe /r /f /t 0
        • Impact - System Shutdown/Reboot
  • Info
    • Creation of an Executable by an Executable
      • 2904 - 01ED10~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 2304 - 01ED10~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 6392 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 6684 - 01ED10~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 6036 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Creates Files In The User Directory
      • 2904 - 01ED10~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 5420 - WINWORD.EXE
        • Collection - Data Staged: Local Data Staging
      • 2304 - 01ED10~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6392 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 6684 - 01ED10~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6036 - build3.exe
        • Collection - Data Staged: Local Data Staging
    • Scheduled Task Creation
      • 4516 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5196 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5000 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
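The Malicious and Suspicious signatures above reduce to a handful of checks on process-creation and registry events: a Run value pointing into a GUID-named folder under %LOCALAPPDATA%, a per-minute scheduled task whose action lives in the user profile, an icacls deny for Everyone (S-1-1-0) on that GUID folder, and a forced immediate reboot. The following Python is an added example, not the sandbox's own detection logic, that encodes those checks and runs them over a few constructed events copied from the command lines and Run value in this report. The schtasks.exe image name is an assumption (the report prints only the task arguments), the parent images are taken from the process tree, and the daily-task event is a constructed benign control.

```python
"""Behavioural detections for the persistence and evasion signatures in this
report (Run-key autostart, per-minute schtasks from a user-profile path,
icacls deny for Everyone on a GUID-named folder, forced reboot), run over a
few constructed process-creation and registry events."""
import re
from dataclasses import dataclass

# GUID-named folder directly under %LOCALAPPDATA%, as used by the sample
GUID_DIR = re.compile(
    r'\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}(?=[\\"\s]|$)', re.I)
# User-profile paths (or their env-var forms) that a legitimate installer would not use
USER_WRITABLE = re.compile(
    r'\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\|%(?:appdata|localappdata)%', re.I)
RUN_KEY = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # image file name only (assumed; the report omits it for schtasks)
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str
    value_name: str
    data: str


def rule_icacls_deny_everyone(ev):
    """Defense Evasion - Hide Artifacts (T1564.001): icacls ... /deny *S-1-1-0 on a GUID dir."""
    if not isinstance(ev, ProcEvent) or ev.image.lower() != "icacls.exe":
        return None
    low = ev.cmdline.lower()
    if "/deny" in low and "*s-1-1-0" in low and GUID_DIR.search(ev.cmdline):
        return "Use Icacls to Hide File to Everyone"
    return None


def rule_schtasks_minute_from_profile(ev):
    """Persistence - Scheduled Task (T1053.005): /sc minute task whose /tr lives in the user profile."""
    if not isinstance(ev, ProcEvent) or ev.image.lower() != "schtasks.exe":
        return None
    cmd = ev.cmdline
    if not re.search(r'/create\b', cmd, re.I) or not re.search(r'/sc\s+minute\b', cmd, re.I):
        return None
    m = re.search(r'/tr\s+("[^"]*"|\S+)', cmd, re.I)
    target = m.group(1).strip('"') if m else ""
    if USER_WRITABLE.search(target):
        return "Suspicious Schtasks From Env Var Folder"
    return None


def rule_forced_reboot(ev):
    """Impact - System Shutdown/Reboot (T1529): shutdown /r /f /t 0."""
    if not isinstance(ev, ProcEvent) or ev.image.lower() != "shutdown.exe":
        return None
    t = ev.cmdline.lower().split()
    if "/r" in t and "/f" in t and "/t" in t and t[t.index("/t") + 1:t.index("/t") + 2] == ["0"]:
        return "Suspicious Execution of Shutdown"
    return None


def rule_run_key_guid_dir(ev):
    """Persistence - Registry Run Keys (T1547.001): Run value pointing into a GUID dir under %LOCALAPPDATA%."""
    if not isinstance(ev, RegEvent) or not RUN_KEY.search(ev.key):
        return None
    if GUID_DIR.search(ev.data):
        return "Changes The Autorun Value In The Registry"
    return None


RULES = (rule_icacls_deny_everyone, rule_schtasks_minute_from_profile,
         rule_forced_reboot, rule_run_key_guid_dir)


def run_rules(events):
    """Return [(pid, signature name)] for every event that trips a rule."""
    return [(ev.pid, hit) for ev in events for r in RULES if (hit := r(ev))]


# Constructed sample events, copied from the command lines and Run value in the
# report; the schtasks image name is assumed and the last event is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(2200, "icacls.exe",
              r'icacls "C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
              "01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe"),
    ProcEvent(4516, "schtasks.exe",
              r'schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"',
              "build3.exe"),
    ProcEvent(5196, "shutdown.exe", r"C:\Windows\system32\shutdown.exe /r /f /t 0", "WINWORD.EXE"),
    RegEvent(2904,
             r"HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "SysHelper",
             r'"C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c\01ED10~1.EXE" --AutoStart'),
    ProcEvent(9999, "schtasks.exe",
              r'schtasks.exe /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"',
              "explorer.exe"),
]

if __name__ == "__main__":
    for pid, sig in run_rules(SAMPLE_EVENTS):
        print(f"{pid:>5}  {sig}")
```

The GUID-folder check is what separates this Run value from ordinary per-user autostarts: the path, not the value name "SysHelper", is the stable part, since the folder name is generated per infection. The schtasks rule keys on the /sc minute interval plus a user-profile target rather than on the task name "Azure-Update-Task", which is trivially changed.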

Process Tree

  • 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6
    • 6372 - [-7.67s] SearchFilterHost.exe 0 796 800 808 8192 804 780
    • 6968 - [0.0s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe
      • 2904 - [0.72s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe
        • 2200 - [2.07s] icacls "C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 5340 - [2.33s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe --Admin IsNotAutoStart IsNotTask
            • 2304 - [2.76s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe --Admin IsNotAutoStart IsNotTask
              • 6392 - [28.29s] build3.exe
                • 4516 - [28.32s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 5788 - [28.33s] conhost.exe 0xffffffff -ForceV1
        • 7132 - [2.38s] svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
        • 5420 - [4.56s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
        • 5912 - [4.70s] 01ED10~1.EXE
          • 3656 - [4.92s] 01ED10~1.EXE
          • 6408 - [8.86s] ApplicationFrameHost.exe -Embedding
          • 6892 - [12.33s] svchost.exe -k LocalService -p -s BthAvctpSvc
          • 5176 - [14.41s] WINWORD.EXE /Automation -Embedding
          • 6288 - [15.61s] WINWORD.EXE /Automation -Embedding
          • 6952 - [20.49s] SystemSettings.exe -ServerName:microsoft.windows.immersivecontrolpanel
          • 3996 - [21.45s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe
            • 3332 - [21.66s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe
              • 6476 - [22.73s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe --Admin IsNotAutoStart IsNotTask
                • 6684 - [22.92s] 01ed102dc3e4841d00b4be37ee73c24321498e5d0727961d537d073c057e1ee6.exe --Admin IsNotAutoStart IsNotTask
                  • 6036 - [51.30s] build3.exe
                    • 5196 - [51.33s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                      • 5224 - [51.34s] conhost.exe 0xffffffff -ForceV1
            • 7040 - [21.88s] UserOOBEBroker.exe -Embedding
            • 7068 - [22.00s] FileCoAuth.exe -Embedding
            • 7164 - [22.63s] msedge.exe --default-search-provider=? --out-pipe-name=MSEdgeDefaultda31566bh7088h4e29hb564h92e4d0d7e517
              • 6348 - [23.20s] msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.111 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.54 --initial-client-data=0x120,0x124,0x128,0xfc,0x1d4,0x7ff88288b5f8,0x7ff88288b608,0x7ff88288b618
              • 6224 - [22.91s] svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
              • 6908 - [23.37s] msedge.exe --default-search-provider=? --out-pipe-name=MSEdgeDefault83fc9704hcdfeh403dh91f4he5934294ebcf
                • 6280 - [23.39s] msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.111 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.54 --initial-client-data=0x120,0x124,0x128,0xfc,0x130,0x7ff88288b5f8,0x7ff88288b608,0x7ff88288b618
                • 5056 - [30.90s] WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
                • 5268 - [31.18s] build3.exe
                  • 3648 - [31.22s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 6036 - [31.23s] conhost.exe 0xffffffff -ForceV1
                  • 4492 - [31.29s] mstsca.exe
                  • 1916 - [40.73s] WINWORD.EXE /Automation -Embedding
                  • 3348 - [42.68s] WINWORD.EXE /Automation -Embedding
                  • 4644 - [49.68s] WINWORD.exe /n "C:\Windows\System32\WDI\LogFiles\StartupInfo\S-1-5-21-2530950276-3298662170-1402498598-500_StartupInfo2.xml"
                  • 1176 - [51.43s] mstsca.exe
                    • 5000 - [51.49s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                      • 2732 - [51.50s] conhost.exe 0xffffffff -ForceV1
                    • 1212 - [59.65s] WINWORD.EXE /Automation -Embedding
                      • 2108 - [65.92s] splwow64.exe 12288
                      • 1628 - [60.73s] WINWORD.EXE /Automation -Embedding
                      • 6884 - [66.37s] svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
                      • 2064 - [74.02s] svchost.exe -k NetworkService -p
                      • 7012 - [74.18s] SgrmBroker.exe
                      • 6188 - [74.38s] svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                      • 5024 - [74.55s] svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                      • 5196 - [144.59s] shutdown.exe /r /f /t 0
                      • 4152 - [144.63s] LogonUI.exe /flags:0x4 /state0:0xa3fb4055 /state1:0x41c64e6d

File Artifacts
  • C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c\01ED10~1.EXE
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\752WOBP4\build3[1].exe
  • C:\Users\Administrator\AppData\Local\482e61da-7253-4a8a-9252-b339a444ae93\build3.exe
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
  • C:\Users\Administrator\AppData\Local\a4f4e6ec-f771-4524-a6ef-d68ed4d18275\build3.exe

Registry Keys
  • HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • HKLM\System\CurrentControlSet\Control\WMI\Security
  • HKLM\System\CurrentControlSet\Services\SharedAccess\Epoch

Registry Values
  • HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "C:\Users\Administrator\AppData\Local\ab81031a-28d7-45d6-8789-7a00c1ac829c\01ED10~1.EXE" --AutoStart
  • HKU\S-1-5-21-2530950276-3298662170-1402498598-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime = DWORD (0x01accdea)
  • HKLM\System\CurrentControlSet\Control\WMI\Security\c688cf83-9945-5ff6-0e1e-1ff1f8a2ec9a = Binary Data

Indicators
Type | Indicator | Reputation
IP Address | 189[.]245[.]66[.]56 | Malicious
IP Address | 201[.]252[.]19[.]77 | Malicious
IP Address | 119[.]148[.]40[.]122 | Malicious
IP Address | 123[.]140[.]161[.]243 | Malicious
IP Address | 195[.]158[.]3[.]162 | Malicious
IP Address | 187[.]232[.]176[.]222 | Malicious
IP Address | 175[.]120[.]254[.]9 | Malicious
IP Address | 210[.]182[.]34[.]10 | Malicious
IP Address | 175[.]126[.]109[.]15 | Malicious
IP Address | 58[.]235[.]189[.]192 | Malicious
IP Address | 82[.]78[.]247[.]152 | Malicious
IP Address | 190[.]229[.]19[.]7 | Malicious
IP Address | 61[.]253[.]71[.]111 | Malicious
IP Address | 211[.]59[.]14[.]90 | Malicious
IP Address | 5[.]239[.]240[.]61 | Malicious
IP Address | 211[.]119[.]84[.]112 | Malicious
IP Address | 177[.]254[.]85[.]20 | Malicious
Domain | zexeq[.]com | Malicious
Domain | colisumy[.]com | Malicious
URL | hxxp://zexeq[.]com/lancer/get[.]php?pid=***&first=*** | Malicious
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious
SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity

HTTP Requests
Method | URL | IP | HTTP Status
GET | hxxp://zexeq[.]com/lancer/get[.]php?pid=***&first=*** | 189[.]245[.]66[.]56 | 200
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 175[.]120[.]254[.]9 | -
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 189[.]245[.]66[.]56 | 200

DNS Resolutions
Domain | IP
r[.]bing[.]com | 23[.]3[.]70[.]48, 23[.]3[.]70[.]91
zexeq[.]com | 189[.]245[.]66[.]56, 201[.]252[.]19[.]77, 119[.]148[.]40[.]122, 123[.]140[.]161[.]243, 195[.]158[.]3[.]162, 187[.]232[.]176[.]222, 175[.]120[.]254[.]9, 210[.]182[.]34[.]10, 175[.]126[.]109[.]15, 58[.]235[.]189[.]192
api[.]2ip[.]ua | 162[.]0[.]217[.]254
colisumy[.]com | 175[.]120[.]254[.]9, 82[.]78[.]247[.]152, 210[.]182[.]34[.]10, 190[.]229[.]19[.]7, 175[.]126[.]109[.]15, 61[.]253[.]71[.]111, 211[.]59[.]14[.]90, 5[.]239[.]240[.]61, 211[.]119[.]84[.]112, 177[.]254[.]85[.]20

JA3S Fingerprints
JA3S | Domain
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua

Network File Artifacts
SHA256 | File Type
4d40a89ca3f0b1ca56a278499951fbf93821132f05001f1c6930481f9a0dc910 | text/plain
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec

Connections
Protocol | IP
TCP | 175[.]120[.]254[.]9, 162[.]0[.]217[.]254, 189[.]245[.]66[.]56
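The network indicators in the tables above are defanged (hxxp, [.]) and the values of the get.php query parameters are masked with ***. The following Python is an added example, not part of the report, that refangs the indicators, treats the masked query values as wildcards (a URL hit requires the same host, path and query parameter names), and sweeps a few constructed proxy log lines for hits. The log layout (timestamp, client, method, URL, status), the client address 10.0.0.5 and the query values in the sample lines are assumptions. api[.]2ip[.]ua appears in the DNS resolutions but is not marked malicious in the report, so it is left out of the block list.

```python
"""Refang the network IOCs from this report and sweep constructed proxy log
lines for them. Masked query values (***) are treated as wildcards: a URL
matches when host, path and the set of query parameter names agree."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators exactly as the report lists them (defanged)
IOC_DOMAINS = ["zexeq[.]com", "colisumy[.]com"]
IOC_URLS = [
    "hxxp://zexeq[.]com/lancer/get[.]php?pid=***&first=***",
    "hxxp://zexeq[.]com/files/1/build3[.]exe",
    "hxxp://colisumy[.]com/dl/build2[.]exe",
]
IOC_IPS = [
    "189[.]245[.]66[.]56", "201[.]252[.]19[.]77", "119[.]148[.]40[.]122",
    "123[.]140[.]161[.]243", "195[.]158[.]3[.]162", "187[.]232[.]176[.]222",
    "175[.]120[.]254[.]9", "210[.]182[.]34[.]10", "175[.]126[.]109[.]15",
    "58[.]235[.]189[.]192", "82[.]78[.]247[.]152", "190[.]229[.]19[.]7",
    "61[.]253[.]71[.]111", "211[.]59[.]14[.]90", "5[.]239[.]240[.]61",
    "211[.]119[.]84[.]112", "177[.]254[.]85[.]20",
]


def refang(ioc: str) -> str:
    """Undo the report's defanging: [.] -> . and hxxp:// -> http://."""
    ioc = ioc.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I)


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
IPS = {refang(ip) for ip in IOC_IPS}


def url_pattern(ioc_url: str):
    """(host, path, query parameter names) for a URL whose values the sandbox masked."""
    u = urlsplit(refang(ioc_url))
    return (u.hostname or "").lower(), u.path, frozenset(parse_qs(u.query, keep_blank_values=True))


URL_PATTERNS = [url_pattern(u) for u in IOC_URLS]


def classify_url(url: str):
    """Most specific indicator class a requested URL hits: 'url', 'domain', 'ip' or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    names = set(parse_qs(u.query, keep_blank_values=True))
    for h, path, keys in URL_PATTERNS:
        if host == h and u.path == path and keys <= names:
            return "url"
    if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
        return "domain"
    if host in IPS:
        return "ip"
    return None


def sweep(log_text: str):
    """Return (timestamp, client, class, url) for each log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                      # malformed line: skip rather than crash the sweep
        ts, client, _method, url, _status = fields[:5]
        kind = classify_url(url)
        if kind:
            hits.append((ts, client, kind, url))
    return hits


# Constructed proxy log, "timestamp client method url status". The first three
# requests mirror the HTTP requests table (query values made up); the rest are controls.
SAMPLE_LOG = """\
2023-06-07T17:42:05Z 10.0.0.5 GET http://zexeq.com/lancer/get.php?pid=AAAA&first=true 200
2023-06-07T17:42:09Z 10.0.0.5 GET http://colisumy.com/dl/build2.exe -
2023-06-07T17:42:10Z 10.0.0.5 GET http://zexeq.com/files/1/build3.exe 200
2023-06-07T17:42:11Z 10.0.0.5 GET http://zexeq.com/robots.txt 404
2023-06-07T17:42:12Z 10.0.0.5 CONNECT tcp://175.120.254.9:80 -
2023-06-07T17:42:13Z 10.0.0.5 GET http://r.bing.com/ 200
"""

if __name__ == "__main__":
    for ts, client, kind, url in sweep(SAMPLE_LOG):
        print(f"{ts} {client} {kind:<6} {url}")
```

Matching on parameter names rather than the masked values keeps the get.php beacon detectable regardless of the per-victim pid value, while the domain fallback still catches any other path on the two C2 hosts. The resolved addresses for zexeq[.]com and colisumy[.]com overlap and rotate, so the IP list is the least durable of the three classes and is checked last.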