| Indicator | What It Means |
|-----------|----------------|
| AV detections > 5 (different vendors) | Strong likelihood of malware. |
| Outbound traffic to known C2 IPs or domains | Command‑and‑control communication; treat as malicious. |
| Persistence via Run/RunOnce, Scheduled Tasks, Service creation | Malware attempts to survive reboots. |
| Dropped additional binaries (especially in %TEMP% or %APPDATA%) | Typical loader behavior. |
| Use of known exploit kits (e.g., Angler, RIG) | Indicates a delivery chain; block the hosting domain. |
| No suspicious activity (clean AV, no network, no registry changes) | Could be benign, but keep the hash on watchlists for future correlation. |
Create a short incident report:
Title: Analysis of bit.ly/2mlb0gx (expanded to https://example.com/xyz.exe)
Date: 2026‑04‑15
Analyst: <your name>
Summary:
- Final URL: https://example.com/xyz.exe
- Domain age: 12 days (registered 2026‑04‑04)
- VirusTotal: 13/71 AV engines flagged as Trojan.Downloader
- Sandbox behavior:
  - Created a hidden service “svcXYZ” that persists via HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - Contacted C2 185.62.44.22 over HTTP GET /c2?id=12345
  - Dropped “payload.dll” to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Verdict: **Malicious – Trojan/Downloader**
- Recommended actions: Block example.com and the hash 5F3A… in endpoint AV, notify users to delete the file, update IDS/IPS signatures.
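As an added example (not code from the original guide), the indicator table and the report layout above can be applied mechanically to a sandbox summary; the sample values below are constructed, and the rule that combines matched rows into a single verdict is an assumption of this snippet, not something the table states.

```python
# Constructed sandbox/VirusTotal summary matching the sample report (not real telemetry).
SAMPLE = {
    "final_url": "https://example.com/xyz.exe",
    "domain_age_days": 12,
    "av_vendor_hits": 13,
    "c2_contacts": ["185.62.44.22"],
    "registry_keys": [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"],
    "dropped_files": [r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\payload.dll"],
    "exploit_kit": None,
}

# Registry/service locations the table treats as persistence (lower-case substring match).
PERSISTENCE_MARKERS = ("\\currentversion\\run", "\\schedule\\taskcache", "\\services\\")
DROP_DIRS = ("%TEMP%", "%APPDATA%")


def triage(s):
    """Apply the indicator table to a sandbox summary; return (verdict, matched indicators)."""
    hits = []
    if s["av_vendor_hits"] > 5:
        hits.append(f"AV detections: {s['av_vendor_hits']} vendors (> 5)")
    if s["c2_contacts"]:
        hits.append("Outbound C2 contact: " + ", ".join(s["c2_contacts"]))
    if any(m in k.lower() for k in s["registry_keys"] for m in PERSISTENCE_MARKERS):
        hits.append("Persistence via Run/RunOnce, Scheduled Task or Service")
    if any(p.upper().startswith(d) for p in s["dropped_files"] for d in DROP_DIRS):
        hits.append("Dropped binary in %TEMP%/%APPDATA% (loader behavior)")
    if s["exploit_kit"]:
        hits.append(f"Known exploit kit: {s['exploit_kit']}")
    if s["domain_age_days"] <= 30:
        hits.append(f"Domain age {s['domain_age_days']} days (<= 30): higher suspicion")
    # Combination rule (assumption, not from the table): rows the table calls malicious
    # outright decide the verdict; behavioural rows on their own only rate "Suspicious".
    decisive = s["av_vendor_hits"] > 5 or s["c2_contacts"] or s["exploit_kit"]
    if decisive:
        verdict = "Malicious"
    elif hits:
        verdict = "Suspicious"
    else:
        verdict = "Likely benign; keep hash on watchlist"
    return verdict, hits


def render_report(s, analyst="<your name>"):
    """Draft the Summary section of the short report in the layout shown above."""
    verdict, hits = triage(s)
    lines = [f"Title: Analysis of {s['final_url']}", f"Analyst: {analyst}", "Summary:"]
    lines += [f"- {h}" for h in hits]
    lines.append(f"- Verdict: {verdict}")
    return "\n".join(lines)
```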
http vs https), domain, path, and any query parameters. Tip: If the domain is brand‑new (≤ 30 days old) or the registrant uses privacy protection, treat it with higher suspicion.