The submitted file c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec.bin is a RANSOMWARE

SHA256: c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec
File Name: c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec.bin
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-05-05 11:08:30 (UTC)
Analysis End Time: 2023-05-05 11:14:05 (UTC)
Tags
  • Ransomware
  • STOP
  • Exe-Downloaded
  • Trojan
  • .fofd
  • Spyware
  • Vidar

Static Analysis: MALICIOUS

Network Analysis: MALICIOUS

Dynamic Analysis: MALICIOUS

File Analysis: NO THREATS

  • Malicious
    • Changes The Autorun Value In The Registry
      • 7104 - HERBAL~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Loads The Task Scheduler COM API
      • 7104 - HERBAL~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 2116 - HERBAL~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6648 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5372 - HerbalEssentials.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6984 - HERBAL~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Executable Triggered
      • 6648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 6648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Sysmon Process Hollowing Detection
    • Use Icacls to Hide File to Everyone
      • 7152 - icacls "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Suspicious Schtasks From Env Var Folder
      • 6648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Add Scheduled Task Parent
      • 6648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Info
    • Creates Files In The User Directory
      • 7104 - HERBAL~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 2116 - HERBAL~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6420 - WINWORD.EXE
        • Collection - Data Staged: Local Data Staging
      • 3040 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 6528 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 6984 - HERBAL~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 3192 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 1536 - build3.exe
        • Collection - Data Staged: Local Data Staging
    • Creation of an Executable by an Executable
      • 7104 - HERBAL~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 2116 - HERBAL~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 3040 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 6528 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 6984 - HERBAL~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 3192 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 1536 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Scheduled Task Creation
      • 6648 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1504 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4712 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 4212 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 7012 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6720 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • c645a9302882d7d917d94ee47a75395d276e66809f6d0c0caf7c3fd8a8cf04ec.bin
    • 5644 - [-4.46s] -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
    • 7012 - [0.0s] HerbalEssentials.exe
      • 7104 - [0.94s] HerbalEssentials.exe
        • 7152 - [2.38s] icacls "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 1196 - [2.59s] HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask
            • 2116 - [3.33s] HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask
              • 5564 - [8.64s] build2.exe
                • 1852 - [10.75s] build2.exe
                • 3040 - [10.20s] build3.exe
                  • 6648 - [10.85s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 5200 - [10.91s] conhost.exe 0xffffffff -ForceV1
          • 6420 - [5.07s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
          • 6464 - [5.25s] HERBAL~1.EXE
            • 6532 - [6.13s] HERBAL~1.EXE
            • 7132 - [11.54s] build2.exe
              • 6196 - [12.67s] build2.exe
              • 6040 - [13.72s] WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
              • 6528 - [13.73s] build3.exe
                • 1504 - [13.78s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 1384 - [13.82s] conhost.exe 0xffffffff -ForceV1
                • 4732 - [14.20s] mstsca.exe
                  • 4712 - [14.24s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 4640 - [14.25s] conhost.exe 0xffffffff -ForceV1
                  • 5488 - [15.10s] WINWORD.EXE /Automation -Embedding
                  • 2396 - [17.02s] WINWORD.EXE /Automation -Embedding
                  • 4364 - [22.42s] HerbalEssentials.exe
                    • 5372 - [23.02s] HerbalEssentials.exe
                      • 368 - [24.07s] HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask
                        • 6984 - [25.27s] HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask
                          • 4932 - [30.55s] build2.exe
                            • 6444 - [31.30s] build2.exe
                            • 3192 - [32.09s] build3.exe
                              • 4212 - [32.11s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                                • 4588 - [32.12s] conhost.exe 0xffffffff -ForceV1
                      • 6572 - [23.69s] WINWORD.EXE /Automation -Embedding
                      • 6360 - [26.50s] WINWORD.EXE /Automation -Embedding
                      • 1536 - [34.02s] build3.exe
                        • 7012 - [34.04s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          • 2256 - [34.05s] conhost.exe 0xffffffff -ForceV1
                        • 6580 - [52.10s] mstsca.exe
                          • 6720 - [52.13s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                            • 5380 - [52.13s] conhost.exe 0xffffffff -ForceV1
                          • 5828 - [100.90s] svchost.exe -k netsvcs -p -s wuauserv
                          • 7108 - [101.18s] wmiadap.exe /F /T /R
                          • 1396 - [103.62s] SecurityHealthService.exe
                          • 6276 - [109.98s] svchost.exe -k LocalService -p -s CDPSvc
Processes
  • -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
  • HerbalEssentials.exe
  • icacls "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  • HerbalEssentials.exe --Admin IsNotAutoStart IsNotTask
  • build2.exe
  • build3.exe
  • C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
  • conhost.exe 0xffffffff -ForceV1
  • WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
  • HERBAL~1.EXE
  • WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
  • mstsca.exe
  • WINWORD.EXE /Automation -Embedding
  • svchost.exe -k netsvcs -p -s wuauserv
  • wmiadap.exe /F /T /R
  • SecurityHealthService.exe
  • svchost.exe -k LocalService -p -s CDPSvc

Files
  • C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db\HERBAL~1.EXE
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build2[1].exe
  • C:\Users\Administrator\AppData\Local\2f034c97-b4f5-43ed-8124-c436714816aa\build2.exe
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\get[1].htm
  • C:\Users\Administrator\AppData\Local\bowsakkdestx.txt
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build3[1].exe
  • C:\Users\Administrator\AppData\Local\2f034c97-b4f5-43ed-8124-c436714816aa\build3.exe
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
  • C:\Users\Administrator\AppData\Local\4007ce47-e5e0-4174-8096-7425f719def7\build2.exe
  • C:\Users\Administrator\AppData\Local\4007ce47-e5e0-4174-8096-7425f719def7\build3.exe
  • C:\Windows\System32\perfc009.dat
  • C:\Windows\System32\perfh009.dat
  • C:\Windows\INF\WmiApRpl\WmiApRpl.h
  • C:\Windows\INF\WmiApRpl\WmiApRpl.ini
  • C:\Windows\INF\WmiApRpl\0009
  • C:\Windows\System32\PerfStringBackup.INI

Registry Keys
  • HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Registry | Value
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\Administrator\AppData\Local\dbf80f67-8645-46ed-aed8-2192e7e3f1db\HERBAL~1.EXE" --AutoStart
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4024204036-1465485123-3602351515-500\\Device\HarddiskVolume2\Windows\System32\conhost.exe | Binary Data
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime | DWORD (0x01ac12c1)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFile | WmiApRpl.ini
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter | DWORD (0x000029be)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help | DWORD (0x000029bf)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter | DWORD (0x00002918)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help | DWORD (0x00002919)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List | 10520 10526 10536 10546 10566 10610 10620 10658 10664 10680
Type | Indicator | Reputation
IP Address | 116[.]202[.]1[.]171 | Malicious
IP Address | 123[.]140[.]161[.]243 | Malicious
IP Address | 175[.]126[.]109[.]15 | Malicious
IP Address | 211[.]59[.]14[.]90 | Malicious
IP Address | 95[.]158[.]162[.]200 | Malicious
IP Address | 189[.]143[.]215[.]84 | Malicious
IP Address | 190[.]141[.]132[.]105 | Malicious
IP Address | 211[.]104[.]254[.]139 | Malicious
IP Address | 190[.]229[.]19[.]7 | Malicious
IP Address | 189[.]245[.]136[.]247 | Malicious
IP Address | 211[.]53[.]230[.]67 | Malicious
IP Address | 210[.]182[.]29[.]70 | Malicious
IP Address | 211[.]119[.]84[.]111 | Malicious
IP Address | 84[.]224[.]34[.]240 | Malicious
IP Address | 175[.]119[.]10[.]231 | Malicious
IP Address | 190[.]140[.]140[.]75 | Malicious
IP Address | 37[.]34[.]248[.]24 | Malicious
Domain | zexeq[.]com | Malicious
Domain | colisumy[.]com | Malicious
URL | hxxp://116[.]202[.]1[.]171/drivers[.]zip | Malicious
URL | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | Malicious
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious
URL | hxxp://116[.]202[.]1[.]171/ | Malicious
Sha256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity
Sha256 | 4ca995875e46b16dfc89d1310737e0c0722adaf49b76de2a5179fc2149f1f173 | Anomalous Activity
Method | URL | IP | HTTP Status
GET | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 123[.]140[.]161[.]243 | 200
POST | hxxp://116[.]202[.]1[.]171/ | 116[.]202[.]1[.]171 | 200
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 210[.]182[.]29[.]70 | 200
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 123[.]140[.]161[.]243 | 200
GET | hxxp://116[.]202[.]1[.]171/31c7719b5ee962fbde376b75e771360d | 116[.]202[.]1[.]171 | 200
GET | hxxp://116[.]202[.]1[.]171/drivers[.]zip | 116[.]202[.]1[.]171 | 200
GET | hxxp://www[.]msftconnecttest[.]com/connecttest[.]txt | 13[.]107[.]4[.]52 | 200
Domain | IP
www[.]msftconnecttest[.]com | 13[.]107[.]4[.]52
api[.]2ip[.]ua | 162[.]0[.]217[.]254
r[.]bing[.]com | 104[.]77[.]173[.]121
r[.]bing[.]com | 104[.]77[.]173[.]122
r[.]bing[.]com | 104[.]77[.]173[.]120
r[.]bing[.]com | 104[.]77[.]173[.]106
r[.]bing[.]com | 104[.]77[.]173[.]152
r[.]bing[.]com | 104[.]77[.]173[.]35
r[.]bing[.]com | 104[.]77[.]173[.]153
r[.]bing[.]com | 104[.]77[.]173[.]131
r[.]bing[.]com | 104[.]77[.]173[.]136
colisumy[.]com | 210[.]182[.]29[.]70
colisumy[.]com | 211[.]119[.]84[.]111
colisumy[.]com | 84[.]224[.]34[.]240
colisumy[.]com | 190[.]229[.]19[.]7
colisumy[.]com | 189[.]143[.]215[.]84
colisumy[.]com | 175[.]119[.]10[.]231
colisumy[.]com | 211[.]104[.]254[.]139
colisumy[.]com | 190[.]140[.]140[.]75
colisumy[.]com | 37[.]34[.]248[.]24
colisumy[.]com | 123[.]140[.]161[.]243
zexeq[.]com | 123[.]140[.]161[.]243
zexeq[.]com | 175[.]126[.]109[.]15
zexeq[.]com | 211[.]59[.]14[.]90
zexeq[.]com | 95[.]158[.]162[.]200
zexeq[.]com | 189[.]143[.]215[.]84
zexeq[.]com | 190[.]141[.]132[.]105
zexeq[.]com | 211[.]104[.]254[.]139
zexeq[.]com | 190[.]229[.]19[.]7
zexeq[.]com | 189[.]245[.]136[.]247
zexeq[.]com | 211[.]53[.]230[.]67
t[.]me | 149[.]154[.]167[.]99
JA3S | Domain
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua
098e26e2609212ac1bfac552fbe04127 | t[.]me
c8d5b17a0fd5b4ee799ca8bd692fee69 | r[.]bing[.]com
Sha256 | File Type
d8d2ad3bf7ac898ac658ae85641788321a8c669dad97bfc852d5087d1d55ee84 | text/plain
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df | text/plain
4ca995875e46b16dfc89d1310737e0c0722adaf49b76de2a5179fc2149f1f173 | application/x-dosexec
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec
eca1f91b1295d8606d563f82158902016bcd85d29e1439600367bedf69bcb62a | text/plain
253a34e3bd4db5d3f62e0a468c4cb8f53af4ba00b30c23261bb02fe5a4348cd9 | application/zip
5e9a7996fe94d7be10595d7133748760bf8348198b71b7a50fd8affaa980ac61 | text/plain
Connections | IP
UDP | 40[.]81[.]94[.]65
TCP | 116[.]202[.]1[.]171
TCP | 40[.]126[.]17[.]135
TCP | 123[.]140[.]161[.]243
TCP | 20[.]3[.]187[.]198
TCP | 204[.]79[.]197[.]200
TCP | 20[.]44[.]10[.]122
TCP | 20[.]198[.]188[.]157
TCP | 184[.]31[.]212[.]208
TCP | 23[.]54[.]93[.]139
TCP | 13[.]89[.]179[.]12
TCP | 13[.]107[.]4[.]52
TCP | 13[.]71[.]55[.]58
TCP | 142[.]250[.]193[.]138
TCP | 162[.]0[.]217[.]254
TCP | 184[.]50[.]18[.]95
TCP | 184[.]25[.]160[.]170
TCP | 52[.]165[.]165[.]26
TCP | 20[.]195[.]114[.]44
TCP | 20[.]190[.]146[.]36
TCP | 142[.]250[.]182[.]10
TCP | 138[.]91[.]171[.]81
TCP | 8[.]241[.]168[.]254
TCP | 210[.]182[.]29[.]70
TCP | 149[.]154[.]167[.]99
TCP | 104[.]77[.]173[.]121
TCP | 52[.]167[.]17[.]97
TCP | 52[.]168[.]112[.]66
TCP | 20[.]190[.]146[.]33
TCP | 142[.]250[.]193[.]106
TCP | 152[.]195[.]38[.]76
TCP | 118[.]214[.]139[.]83