The submitted file dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade is a RANSOMWARE

SHA256: dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade
File Name: dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade
File Type: Win32 EXE
Environment: Windows 10
Analysis Start Time: 2023-05-08 09:55:21 (UTC)
Analysis End Time: 2023-05-08 10:00:58 (UTC)
Tags
  • Ransomware
  • STOP
  • Exe-Downloaded
  • Trojan
  • Spyware
  • Vidar
  • .qopz

Static Analysis

MALICIOUS


Network Analysis

MALICIOUS


Dynamic Analysis

MALICIOUS


File Analysis

NO THREATS


  • Malicious
    • Changes The Autorun Value In The Registry
      • 6200 - DD12F3~1.EXE
        • Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
        • Privilege Escalation - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    • Loads The Task Scheduler COM API
      • 6200 - DD12F3~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6596 - DD12F3~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3056 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 3020 - dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 1632 - DD12F3~1.EXE
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - schtasks.exe
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Executable Triggered
      • 3056 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Task Scheduler Task Creation
      • 3056 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Suspicious
    • Sysmon Process Hollowing Detection
    • Use Icacls to Hide File to Everyone
      • 6408 - icacls "C:\Users\Administrator\AppData\Local\4884d36a-082c-4e90-893a-f575debea3e2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        • Defense Evasion - Hide Artifacts: Hidden Files and Directories
    • Suspicious Schtasks From Env Var Folder
      • 3056 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
    • Suspicious Add Scheduled Task Parent
      • 3056 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • Info
    • Creates Files In The User Directory
      • 6200 - DD12F3~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6596 - DD12F3~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 3248 - WINWORD.EXE
        • Collection - Data Staged: Local Data Staging
      • 2976 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 1632 - DD12F3~1.EXE
        • Collection - Data Staged: Local Data Staging
      • 6928 - build3.exe
        • Collection - Data Staged: Local Data Staging
      • 5532 - build3.exe
        • Collection - Data Staged: Local Data Staging
    • Creation of an Executable by an Executable
      • 6200 - DD12F3~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 6596 - DD12F3~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 2976 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 1632 - DD12F3~1.EXE
        • Resource Development - Develop Capabilities: Malware
      • 6928 - build3.exe
        • Resource Development - Develop Capabilities: Malware
      • 5532 - build3.exe
        • Resource Development - Develop Capabilities: Malware
    • Scheduled Task Creation
      • 3056 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6936 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 6264 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5520 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
      • 5896 - /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
        • Execution - Scheduled Task/Job: Scheduled Task
        • Persistence - Scheduled Task/Job: Scheduled Task
        • Privilege Escalation - Scheduled Task/Job: Scheduled Task
  • dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade
    • 5572 - [-9.14s] -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
    • 6272 - [0.0s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
      • 6200 - [0.94s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
        • 6408 - [2.25s] icacls "C:\Users\Administrator\AppData\Local\4884d36a-082c-4e90-893a-f575debea3e2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          • 6584 - [2.50s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe --Admin IsNotAutoStart IsNotTask
            • 6596 - [4.21s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe --Admin IsNotAutoStart IsNotTask
              • 5492 - [9.28s] build2.exe
                • 5728 - [10.73s] build2.exe
                • 2976 - [10.92s] build3.exe
                  • 3056 - [10.98s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                    • 4812 - [11.02s] conhost.exe 0xffffffff -ForceV1
          • 3248 - [4.70s] WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
          • 6816 - [4.76s] DD12F3~1.EXE
            • 6872 - [5.58s] DD12F3~1.EXE
            • 1172 - [11.19s] build2.exe
              • 3800 - [11.86s] build2.exe
              • 6788 - [13.85s] WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
              • 1428 - [13.94s] mstsca.exe
                • 6936 - [13.97s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                  • 3740 - [13.98s] conhost.exe 0xffffffff -ForceV1
                • 6832 - [14.69s] WINWORD.EXE /Automation -Embedding
                • 4860 - [17.40s] WINWORD.EXE /Automation -Embedding
                • 5184 - [22.35s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
                  • 3020 - [23.13s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
                    • 6952 - [24.42s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe --Admin IsNotAutoStart IsNotTask
                      • 1632 - [25.32s] dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe --Admin IsNotAutoStart IsNotTask
                        • 4052 - [29.31s] build2.exe
                          • 6548 - [30.28s] build2.exe
                          • 6928 - [31.08s] build3.exe
                            • 6264 - [31.11s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                              • 1504 - [31.12s] conhost.exe 0xffffffff -ForceV1
                    • 2456 - [23.71s] WINWORD.EXE /Automation -Embedding
                    • 176 - [25.36s] WINWORD.EXE /Automation -Embedding
                    • 4192 - [30.48s] build2.exe
                      • 6884 - [31.11s] build2.exe
                      • 5532 - [32.75s] build3.exe
                        • 5520 - [32.79s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                          • 1364 - [32.80s] conhost.exe 0xffffffff -ForceV1
                        • 5940 - [51.86s] mstsca.exe
                          • 5896 - [51.89s] C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
                            • 5416 - [51.89s] conhost.exe 0xffffffff -ForceV1
                          • 5756 - [101.08s] svchost.exe -k netsvcs -p -s wuauserv
                          • 6372 - [101.39s] wmiadap.exe /F /T /R
                          • 2876 - [103.97s] SecurityHealthService.exe
                          • 2808 - [109.34s] svchost.exe -k LocalService -p -s CDPSvc
Command lines:
  • -c -s 0 -f 0 -t Empty -m Empty -a 0 -u Empty
  • dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe
  • icacls "C:\Users\Administrator\AppData\Local\4884d36a-082c-4e90-893a-f575debea3e2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  • dd12f3e0ffb28d4154befe052109a0c295c07c326156aa4d1c44a9d69201eade.exe --Admin IsNotAutoStart IsNotTask
  • build2.exe
  • build3.exe
  • C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe"
  • conhost.exe 0xffffffff -ForceV1
  • WINWORD.exe /n "C:\Windows\System32\Tasks\Time Trigger Task"
  • DD12F3~1.EXE
  • WINWORD.exe /n "C:\Windows\System32\Tasks\Azure-Update-Task"
  • mstsca.exe
  • WINWORD.EXE /Automation -Embedding
  • svchost.exe -k netsvcs -p -s wuauserv
  • wmiadap.exe /F /T /R
  • SecurityHealthService.exe
  • svchost.exe -k LocalService -p -s CDPSvc

Files:
  • C:\Users\Administrator\AppData\Local\4884d36a-082c-4e90-893a-f575debea3e2\DD12F3~1.EXE
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build2[1].exe
  • C:\Users\Administrator\AppData\Local\e4f3d978-026f-4896-b819-638c4ce50cec\build2.exe
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\get[1].htm
  • C:\Users\Administrator\AppData\Local\bowsakkdestx.txt
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  • C:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AWDN3N2Z\build3[1].exe
  • C:\Users\Administrator\AppData\Local\e4f3d978-026f-4896-b819-638c4ce50cec\build3.exe
  • C:\Users\Administrator\AppData\Roaming\Microsoft\Network\mstsca.exe
  • C:\Users\Administrator\AppData\Local\141a00be-2a3e-45b6-86f7-d7d21d15c085\build2.exe
  • C:\Users\Administrator\AppData\Local\141a00be-2a3e-45b6-86f7-d7d21d15c085\build3.exe
  • C:\Windows\System32\perfc009.dat
  • C:\Windows\System32\perfh009.dat
  • C:\Windows\INF\WmiApRpl\WmiApRpl.h
  • C:\Windows\INF\WmiApRpl\WmiApRpl.ini
  • C:\Windows\INF\WmiApRpl\0009
  • C:\Windows\System32\PerfStringBackup.INI

Registry keys:
  • HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Registry | Value
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\Administrator\AppData\Local\4884d36a-082c-4e90-893a-f575debea3e2\DD12F3~1.EXE" --AutoStart
HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4024204036-1465485123-3602351515-500\\Device\HarddiskVolume2\Windows\System32\conhost.exe | Binary Data
HKU\S-1-5-21-4024204036-1465485123-3602351515-500\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Documents\LastPurgeTime | DWORD (0x01ac2358)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFile | WmiApRpl.ini
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter | DWORD (0x000029be)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help | DWORD (0x000029bf)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter | DWORD (0x00002918)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help | DWORD (0x00002919)
HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List | 10520 10526 10536 10546 10566 10610 10620 10658 10664 10680
Type | Indicator | Reputation
IP Address | 190[.]140[.]140[.]75 | Malicious
IP Address | 187[.]245[.]185[.]123 | Malicious
IP Address | 222[.]236[.]49[.]123 | Malicious
IP Address | 187[.]212[.]183[.]201 | Malicious
IP Address | 58[.]235[.]189[.]192 | Malicious
IP Address | 211[.]171[.]233[.]126 | Malicious
IP Address | 186[.]182[.]55[.]44 | Malicious
IP Address | 211[.]40[.]39[.]251 | Malicious
IP Address | 200[.]124[.]17[.]88 | Malicious
IP Address | 187[.]156[.]90[.]178 | Malicious
IP Address | 175[.]120[.]254[.]9 | Malicious
IP Address | 84[.]224[.]34[.]240 | Malicious
IP Address | 183[.]100[.]39[.]157 | Malicious
IP Address | 211[.]104[.]254[.]139 | Malicious
IP Address | 211[.]119[.]84[.]112 | Malicious
IP Address | 211[.]171[.]233[.]129 | Malicious
IP Address | 49[.]12[.]34[.]6 | Malicious
Domain | zexeq[.]com | Malicious
Domain | colisumy[.]com | Malicious
URL | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | Malicious
URL | hxxp://zexeq[.]com/files/1/build3[.]exe | Malicious
URL | hxxp://colisumy[.]com/dl/build2[.]exe | Malicious
URL | hxxp://49[.]12[.]34[.]6/drivers[.]zip | Malicious
Sha256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | Anomalous Activity
Sha256 | 810be76ae3ecc5ab7f019f91979ac9ebf76ed220a7b42c2254a21ec660f8289f | Anomalous Activity
Method | URL | IP | HTTP Status
GET | hxxp://49[.]12[.]34[.]6/drivers[.]zip | 49[.]12[.]34[.]6 | 200
POST | hxxp://49[.]12[.]34[.]6/ | 49[.]12[.]34[.]6 | 200
GET | hxxp://49[.]12[.]34[.]6/31c7719b5ee962fbde376b75e771360d | 49[.]12[.]34[.]6 | 200
GET | hxxp://www[.]msftconnecttest[.]com/connecttest[.]txt | 13[.]107[.]4[.]52 | 200
GET | hxxp://zexeq[.]com/files/1/build3[.]exe | 190[.]140[.]140[.]75 | 200
GET | hxxp://colisumy[.]com/dl/build2[.]exe | 187[.]245[.]185[.]123 | 200
GET | hxxp://zexeq[.]com/test1/get[.]php?pid=***&first=*** | 190[.]140[.]140[.]75 | 200
Domain | IP
api[.]2ip[.]ua | 162[.]0[.]217[.]254
r[.]bing[.]com | 104[.]86[.]188[.]184
r[.]bing[.]com | 104[.]86[.]188[.]224
r[.]bing[.]com | 104[.]86[.]188[.]145
r[.]bing[.]com | 104[.]86[.]188[.]200
r[.]bing[.]com | 104[.]86[.]188[.]154
colisumy[.]com | 187[.]245[.]185[.]123
colisumy[.]com | 175[.]120[.]254[.]9
colisumy[.]com | 186[.]182[.]55[.]44
colisumy[.]com | 187[.]156[.]90[.]178
colisumy[.]com | 187[.]212[.]183[.]201
colisumy[.]com | 84[.]224[.]34[.]240
colisumy[.]com | 183[.]100[.]39[.]157
colisumy[.]com | 211[.]104[.]254[.]139
colisumy[.]com | 211[.]119[.]84[.]112
colisumy[.]com | 211[.]171[.]233[.]129
www[.]msftconnecttest[.]com | 13[.]107[.]4[.]52
t[.]me | 149[.]154[.]167[.]99
zexeq[.]com | 190[.]140[.]140[.]75
zexeq[.]com | 187[.]245[.]185[.]123
zexeq[.]com | 222[.]236[.]49[.]123
zexeq[.]com | 187[.]212[.]183[.]201
zexeq[.]com | 58[.]235[.]189[.]192
zexeq[.]com | 211[.]171[.]233[.]126
zexeq[.]com | 186[.]182[.]55[.]44
zexeq[.]com | 211[.]40[.]39[.]251
zexeq[.]com | 200[.]124[.]17[.]88
zexeq[.]com | 187[.]156[.]90[.]178
JA3S | Domain
098e26e2609212ac1bfac552fbe04127 | t[.]me
61be9ce3d068c08ff99a857f62352f9d | api[.]2ip[.]ua
c8d5b17a0fd5b4ee799ca8bd692fee69 | r[.]bing[.]com
Sha256 | FileType
ff038d77cbb35d0329a60c945508eca9d2e0f395b50cbd628296399cbe0690b9 | application/zip
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df | text/plain
2486be4ac1743c86a950ce88fa3e96a6f71f76fea22e6980b973e9e15e332562 | text/plain
5e9a7996fe94d7be10595d7133748760bf8348198b71b7a50fd8affaa980ac61 | text/plain
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 | application/x-dosexec
810be76ae3ecc5ab7f019f91979ac9ebf76ed220a7b42c2254a21ec660f8289f | application/x-dosexec
d8d2ad3bf7ac898ac658ae85641788321a8c669dad97bfc852d5087d1d55ee84 | text/plain
Connections | IP
UDP | 40[.]81[.]94[.]65
TCP | 149[.]154[.]167[.]99
TCP | 184[.]25[.]160[.]170
TCP | 204[.]79[.]197[.]200
TCP | 187[.]245[.]185[.]123
TCP | 192[.]229[.]232[.]240
TCP | 20[.]198[.]188[.]157
TCP | 20[.]106[.]86[.]13
TCP | 20[.]3[.]187[.]198
TCP | 20[.]190[.]145[.]141
TCP | 13[.]107[.]4[.]52
TCP | 13[.]71[.]55[.]58
TCP | 20[.]231[.]121[.]79
TCP | 13[.]78[.]111[.]199
TCP | 184[.]25[.]241[.]250
TCP | 162[.]0[.]217[.]254
TCP | 51[.]104[.]15[.]253
TCP | 184[.]50[.]18[.]95
TCP | 190[.]140[.]140[.]75
TCP | 142[.]250[.]195[.]234
TCP | 52[.]165[.]165[.]26
TCP | 20[.]195[.]114[.]44
TCP | 192[.]16[.]49[.]85
TCP | 20[.]190[.]146[.]37
TCP | 23[.]207[.]152[.]32
TCP | 142[.]250[.]196[.]10
TCP | 20[.]189[.]173[.]15
TCP | 52[.]168[.]117[.]173
TCP | 152[.]195[.]38[.]76
TCP | 49[.]12[.]34[.]6
TCP | 184[.]25[.]242[.]90
TCP | 104[.]86[.]188[.]184
TCP | 142[.]250[.]76[.]42