{
	"id": "d9f1435e-e3cb-4935-8ce3-049a90366a38",
	"created_at": "2026-04-06T00:15:35.203835Z",
	"updated_at": "2026-04-10T03:19:58.306251Z",
	"deleted_at": null,
	"sha1_hash": "a1fd8ad50eaff2f265a556f024e3e4c20f4c89eb",
	"title": "Free Automated Malware Analysis Service - powered by Falcon Sandbox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112594,
	"plain_text": "Free Automated Malware Analysis Service - powered by Falcon Sandbox\r\nArchived: 2026-04-02 11:31:02 UTC\r\nIncident Response\r\nRisk Assessment\r\nPersistence\r\nGrants permissions using icacls (DACL modification)\r\nSpawns a lot of processes\r\nWrites data to a remote process\r\nNetwork Behavior\r\nContacts 1 domain and 5326 hosts. View all details\r\nMITRE ATT\u0026CK™ Techniques Detection\r\nThis report has 11 indicators that were mapped to 15 attack techniques and 6 tactics. View all details\r\nAdditional Context\r\nOSINT\r\nExternal References\r\nhttps://hexcoderblog.wordpress.com/2018/04/17/honeypot-research-the-notable-speeds-of-malicious-targeting/\r\nExternal User Tags\r\n#honeypot #malware\r\nIndicators\r\nNot all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.\r\nExternal Systems\r\nDetected Suricata Alert\r\ndetails\r\nDetected alert \"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1\"\r\n(SID: 2024298, Rev: 4, Severity: 1) categorized as \"A Network Trojan was detected\"\r\n(PUA/PUP/Adware)\r\nDetected alert \"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)\" (SID:\r\n2025649, Rev: 3, Severity: 1) categorized as \"A Network Trojan was detected\"\r\nDetected alert \"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)\" (SID:\r\n2025992, Rev: 2, Severity: 1) categorized as \"A Network Trojan was detected\"\r\nsource\r\nSuricata Alerts\r\nrelevance\r\n10/10\r\nSample was identified as malicious by a large number of Antivirus engines\r\ndetails\r\n64/70 Antivirus vendors marked sample as malicious (91% detection rate)\r\nsource\r\nExternal System\r\nrelevance\r\n10/10\r\nSample was identified as malicious by at least one Antivirus engine\r\ndetails\r\n64/70 Antivirus vendors marked sample as malicious (91% detection rate)\r\nsource\r\nExternal System\r\nrelevance\r\n8/10\r\nGeneral\r\nThe analysis extracted a file that was 
identified as malicious\r\ndetails\r\nhttps://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110\r\nPage 1 of 13\n\n58/67 Antivirus vendors marked dropped file \"MSSECSVC.EXE.6038B8CC.bin\" as malicious\r\n(classified as \"CVE-2017-0147\" with 86% detection rate)\r\n66/71 Antivirus vendors marked dropped file \"TASKSCHE.EXE.6038BB10.bin\" as malicious\r\n(classified as \"Trojan.Ransom.WannaCryptor\" with 92% detection rate)\r\n66/71 Antivirus vendors marked dropped file \"tasksche.exe\" as malicious (classified as\r\n\"Trojan.Ransom.WannaCryptor\" with 92% detection rate)\r\n58/67 Antivirus vendors marked dropped file \"mssecsvc.exe\" as malicious (classified as \"CVE-2017-\r\n0147\" with 86% detection rate)\r\n14/59 Antivirus vendors marked dropped file \"m_dutch.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 23% detection rate)\r\n15/60 Antivirus vendors marked dropped file \"m_finnish.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 25% detection rate)\r\n16/61 Antivirus vendors marked dropped file \"m_vietnamese.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 26% detection rate)\r\n12/59 Antivirus vendors marked dropped file \"m_turkish.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 20% detection rate)\r\n12/59 Antivirus vendors marked dropped file \"m_russian.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 20% detection rate)\r\n14/60 Antivirus vendors marked dropped file \"m_indonesian.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 23% detection rate)\r\n18/61 Antivirus vendors marked dropped file \"m_italian.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 29% detection rate)\r\n15/60 Antivirus vendors marked dropped file \"m_french.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 25% detection rate)\r\n17/61 Antivirus vendors marked dropped file \"m_chinese 
_traditional_.wnry\" as malicious (classified\r\nas \"Trojan.Filecoder\" with 27% detection rate)\r\n14/60 Antivirus vendors marked dropped file \"m_spanish.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 23% detection rate)\r\n15/61 Antivirus vendors marked dropped file \"m_portuguese.wnry\" as malicious (classified as\r\n\"Trojan.Filecoder\" with 24% detection rate)\r\nsource\r\nBinary File\r\nrelevance\r\n10/10\r\nThe analysis spawned a process that was identified as malicious\r\ndetails\r\n58/67 Antivirus vendors marked spawned process \"mssecsvc.exe\" (PID: 3240) as malicious (classified\r\nas \"CVE-2017-0147\" with 86% detection rate)\r\n58/67 Antivirus vendors marked spawned process \"mssecsvc.exe\" (PID: 2796) as malicious (classified\r\nas \"CVE-2017-0147\" with 86% detection rate)\r\n66/71 Antivirus vendors marked spawned process \"tasksche.exe\" (PID: 2740) as malicious (classified\r\nas \"Trojan.Ransom.WannaCryptor\" with 92% detection rate)\r\n66/71 Antivirus vendors marked spawned process \"tasksche.exe\" (PID: 3732) as malicious (classified\r\nas \"Trojan.Ransom.WannaCryptor\" with 92% detection rate)\r\n66/71 Antivirus vendors marked spawned process \"tasksche.exe\" (PID: 1336) as malicious (classified\r\nas \"Trojan.Ransom.WannaCryptor\" with 92% detection rate)\r\nsource\r\nMonitored Target\r\nrelevance\r\n10/10\r\nInstallation/Persistence\r\nWrites data to a remote process\r\ndetails\r\n\"rundll32.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\mssecsvc.exe\" (Handle: 212)\r\n\"rundll32.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\mssecsvc.exe\" (Handle: 212)\r\n\"rundll32.exe\" wrote 4 bytes to a remote process \"C:\\Windows\\mssecsvc.exe\" (Handle: 212)\r\n\"mssecsvc.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\tasksche.exe\" (Handle: 720)\r\n\"mssecsvc.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\tasksche.exe\" (Handle: 720)\r\n\"mssecsvc.exe\" wrote 4 bytes to a remote process 
\"C:\\Windows\\tasksche.exe\" (Handle: 720)\r\n\"tasksche.exe\" wrote 32 bytes to a remote process\r\n\"%ALLUSERSPROFILE%\\tvzfcptuxgtlf819\\tasksche.exe\" (Handle: 140)\r\n\"tasksche.exe\" wrote 52 bytes to a remote process \"C:\\ProgramData\\tvzfcptuxgtlf819\\tasksche.exe\"\r\n(Handle: 140)\r\n\"tasksche.exe\" wrote 4 bytes to a remote process \"C:\\ProgramData\\tvzfcptuxgtlf819\\tasksche.exe\"\r\n(Handle: 140)\r\n\"tasksche.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 4 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 4 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 136)\r\n\"tasksche.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 64)\r\n\"tasksche.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 64)\r\n\"tasksche.exe\" wrote 4 bytes to a remote process \"C:\\Windows\\System32\\attrib.exe\" (Handle: 64)\r\n\"tasksche.exe\" wrote 32 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 64)\r\n\"tasksche.exe\" wrote 52 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 64)\r\n\"tasksche.exe\" wrote 4 bytes to a remote process \"C:\\Windows\\System32\\icacls.exe\" (Handle: 64)\r\nsource\r\nAPI Call\r\nrelevance\r\n6/10\r\nATT\u0026CK ID\r\nT1055 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nNetwork Related\r\nContacts very many 
different hosts\r\ndetails\r\nContacted 60 (or more) hosts in at least 19 different countries\r\nsource\r\nNetwork Traffic\r\nrelevance\r\n9/10\r\nPattern Matching\r\nYARA signature match\r\ndetails\r\nYARA signature \"MS17_010_WanaCry_worm\" classified file\r\n\"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"PC NETWORK PROGRAM\r\n1.0,LANMAN1.0,Windows for Workgroups\r\n3.1a,__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j,h54WfF9cGigW\r\n(Reference: https://www.exploit-db.com/exploits/41987/, Author: Felipe Molina (@felmoltor))\r\nYARA signature \"WannaDecryptor\" classified file\r\n\"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"taskdl.exe,taskse.exe,r.wnry,s.wnry,t.wnry,u.wnry,msg/m_\"\r\nYARA signature \"WannaCry_RansomwareEx\" classified file\r\n\"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"icacls . /grant Everyone:F /T /C\r\n/Q,taskdl.exe,tasksche.exe,Global\\MsWinZonesCacheCounterMutexA,WNcry@2ol7,www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergw\r\nWindows 10 --\u003e ,cmd.exe /c\r\n\"%s\",msg/m_portuguese.wnry,5c005c003100390032002e003100360038002e00350036002e00320030005c004900500043002400,5c\r\n(Reference: https://goo.gl/HG2j5T, Author: Florian Roth (with the help of binar.ly))\r\nYARA signature \"WannaDecryptor\" classified file \"tasksche.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"taskdl.exe,taskse.exe,r.wnry,s.wnry,t.wnry,u.wnry,msg/m_\"\r\nYARA signature \"WannaCry_RansomwareEx\" classified file \"tasksche.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"icacls . 
/grant Everyone:F /T /C\r\n/Q,taskdl.exe,tasksche.exe,Global\\MsWinZonesCacheCounterMutexA,WNcry@2ol7, Windows 10 --\u003e\r\n,cmd.exe /c\r\n\"%s\",msg/m_portuguese.wnry,09ff763050ff562c5959473b7e0c7c,c1ea1dc1ee1e83e20183e6018d1456,8d48fff7d18d4410ff23f123c1\r\n(Reference: https://goo.gl/HG2j5T, Author: Florian Roth (with the help of binar.ly))\r\nYARA signature \"WannaDecryptor\" classified file \"TASKSCHE.EXE.6038BB10.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"taskdl.exe,taskse.exe,r.wnry,s.wnry,t.wnry,u.wnry,msg/m_\"\r\nYARA signature \"WannaCry_RansomwareEx\" classified file \"TASKSCHE.EXE.6038BB10.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"icacls . /grant Everyone:F /T /C\r\n/Q,taskdl.exe,tasksche.exe,Global\\MsWinZonesCacheCounterMutexA,WNcry@2ol7, Windows 10 --\u003e\r\n,cmd.exe /c\r\n\"%s\",msg/m_portuguese.wnry,09ff763050ff562c5959473b7e0c7c,c1ea1dc1ee1e83e20183e6018d1456,8d48fff7d18d4410ff23f123c1\r\n(Reference: https://goo.gl/HG2j5T, Author: Florian Roth (with the help of binar.ly))\r\nYARA signature \"MS17_010_WanaCry_worm\" classified file \"MSSECSVC.EXE.6038B8CC.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"PC NETWORK PROGRAM\r\n1.0,LANMAN1.0,Windows for Workgroups\r\n3.1a,__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j,h54WfF9cGigW\r\n(Reference: https://www.exploit-db.com/exploits/41987/, Author: Felipe Molina (@felmoltor))\r\nYARA signature \"WannaDecryptor\" classified file \"MSSECSVC.EXE.6038B8CC.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"taskdl.exe,taskse.exe,r.wnry,s.wnry,t.wnry,u.wnry,msg/m_\"\r\nYARA signature \"WannaCry_RansomwareEx\" classified file \"MSSECSVC.EXE.6038B8CC.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on 
indicators: \"icacls . /grant Everyone:F /T /C\r\n/Q,taskdl.exe,tasksche.exe,Global\\MsWinZonesCacheCounterMutexA,WNcry@2ol7,www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergw\r\nWindows 10 --\u003e ,cmd.exe /c\r\n\"%s\",msg/m_portuguese.wnry,5c005c003100390032002e003100360038002e00350036002e00320030005c004900500043002400,5c\r\n(Reference: https://goo.gl/HG2j5T, Author: Florian Roth (with the help of binar.ly))\r\nYARA signature \"WannaCry_Ransomware_Gen\" classified file \"MSSECSVC.EXE.6038B8CC.bin\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,Windows for Workgroups\r\n3.1a,PC NETWORK PROGRAM 1.0,LANMAN1.0\" (Reference: https://www.us-cert.gov/ncas/alerts/TA17-132A, Author: Florian Roth (based on rule by US CERT))\r\nYARA signature \"MS17_010_WanaCry_worm\" classified file \"mssecsvc.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"PC NETWORK PROGRAM\r\n1.0,LANMAN1.0,Windows for Workgroups\r\n3.1a,__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j,h54WfF9cGigW\r\n(Reference: https://www.exploit-db.com/exploits/41987/, Author: Felipe Molina (@felmoltor))\r\nYARA signature \"WannaDecryptor\" classified file \"mssecsvc.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"taskdl.exe,taskse.exe,r.wnry,s.wnry,t.wnry,u.wnry,msg/m_\"\r\nYARA signature \"WannaCry_RansomwareEx\" classified file \"mssecsvc.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"icacls . 
/grant Everyone:F /T /C\r\n/Q,taskdl.exe,tasksche.exe,Global\\MsWinZonesCacheCounterMutexA,WNcry@2ol7,www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergw\r\nWindows 10 --\u003e ,cmd.exe /c\r\n\"%s\",msg/m_portuguese.wnry,5c005c003100390032002e003100360038002e00350036002e00320030005c004900500043002400,5c\r\n(Reference: https://goo.gl/HG2j5T, Author: Florian Roth (with the help of binar.ly))\r\nYARA signature \"WannaCry_Ransomware_Gen\" classified file \"mssecsvc.exe\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,Windows for Workgroups\r\n3.1a,PC NETWORK PROGRAM 1.0,LANMAN1.0\" (Reference: https://www.us-cert.gov/ncas/alerts/TA17-132A, Author: Florian Roth (based on rule by US CERT))\r\nYARA signature \"MS17_010_WanaCry_worm\" classified file \"all.bstring\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"PC NETWORK PROGRAM\r\n1.0,LANMAN1.0,Windows for Workgroups\r\n3.1a,__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j,h54WfF9cGigW\r\n(Reference: https://www.exploit-db.com/exploits/41987/, Author: Felipe Molina (@felmoltor))\r\nYARA signature \"WannaDecryptor\" classified file \"all.bstring\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators: \"taskdl.exe,taskse.exe,msg/m_\"\r\nYARA signature \"WannaCry_Ransomware_Gen\" classified file \"all.bstring\" as\r\n\"ransomware,wcry,wannacry,wanacrypt0r\" based on indicators:\r\n\"__TREEID__PLACEHOLDER__,__USERID__PLACEHOLDER__,Windows for Workgroups\r\n3.1a,PC NETWORK PROGRAM 1.0,LANMAN1.0\" (Reference: https://www.us-cert.gov/ncas/alerts/TA17-132A, Author: Florian Roth (based on rule by US CERT))\r\nsource\r\nYARA Signature\r\nrelevance\r\n10/10\r\nSystem Security\r\nModifies the access control lists of files\r\ndetails\r\nProcess \"icacls.exe\" with commandline \"icacls . /grant Everyone:F /T /C /Q\" (Show Process)\r\nProcess \"icacls.exe\" with commandline \"icacls . 
/grant Everyone:F /T /C /Q\" (Show Process)\r\nsource\r\nMonitored Target\r\nrelevance\r\n5/10\r\nATT\u0026CK ID\r\nT1044 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nUnusual Characteristics\r\nChecks for a resource fork (ADS) file\r\ndetails\r\n\"mssecsvc.exe\" checked file \"C:\"\r\nsource\r\nAPI Call\r\nrelevance\r\n5/10\r\nSpawns a lot of processes\r\ndetails\r\nSpawned process \"mssecsvc.exe\" (Show Process)\r\nSpawned process \"mssecsvc.exe\" with commandline \"-m security\" (Show Process)\r\nSpawned process \"tasksche.exe\" with commandline \"/i\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . /grant Everyone:F /T /C /Q\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . /grant Everyone:F /T /C /Q\" (Show Process)\r\nsource\r\nMonitored Target\r\nrelevance\r\n8/10\r\nHiding 4 Malicious Indicators\r\nAll indicators are available only in the private webservice or standalone version\r\nAnti-Reverse Engineering\r\nPE file has unusual entropy sections\r\ndetails\r\n.rsrc\r\n.rsrc with unusual entropies 7.71095306051\r\n7.72627063923\r\nsource\r\nStatic Parser\r\nrelevance\r\n10/10\r\nExternal Systems\r\nFound an IP/URL artifact that was identified as malicious by at least one reputation engine\r\ndetails\r\n4/84 reputation engines marked \"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\" as\r\nmalicious (4% detection rate)\r\nsource\r\nExternal System\r\nrelevance\r\n10/10\r\nInstallation/Persistence\r\nChained signature (with api-8701...). 
Detects file write then launch as EXE\r\ndetails\r\nChained signature (with api-8701...). Detects file write then launch as EXE\r\nsource\r\nAPI Call\r\nrelevance\r\n8/10\r\nCreates new processes\r\ndetails\r\n\"rundll32.exe\" is creating a new process (Name: \"%WINDIR%\\mssecsvc.exe\", Handle: 212)\r\n\"mssecsvc.exe\" is creating a new process (Name: \"%WINDIR%\\tasksche.exe\", Handle: 720)\r\n\"tasksche.exe\" is creating a new process (Name:\r\n\"%ALLUSERSPROFILE%\\tvzfcptuxgtlf819\\tasksche.exe\", Handle: 140)\r\n\"tasksche.exe\" is creating a new process (Name: \"%WINDIR%\\System32\\attrib.exe\", Handle: 136)\r\n\"tasksche.exe\" is creating a new process (Name: \"%WINDIR%\\System32\\icacls.exe\", Handle: 136)\r\n\"tasksche.exe\" is creating a new process\r\n\"tasksche.exe\" is creating a new process (Name: \"%WINDIR%\\System32\\icacls.exe\", Handle: 64)\r\n\"tasksche.exe\" is creating a new process (Name: \"%WINDIR%\\System32\\attrib.exe\", Handle: 64)\r\nsource\r\nAPI Call\r\nrelevance\r\n8/10\r\nDrops executable files\r\ndetails\r\n\"MSSECSVC.EXE.6038B8CC.bin\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"TASKSCHE.EXE.6038BB10.bin\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"tasksche.exe\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"mssecsvc.exe\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\nsource\r\nBinary File\r\nrelevance\r\n10/10\r\nNetwork Related\r\nFound potential IP address in binary/memory\r\ndetails\r\nPotential IP \"192.168.56.20\" found in string \"\\\\192.168.56.20\\IPC$\"\r\nsource\r\nFile/Memory\r\nrelevance\r\n3/10\r\nSends traffic on typical HTTP outbound port, but without HTTP header\r\ndetails\r\nTCP traffic to 104.16.173.80 on port 80 is sent without HTTP header\r\nsource\r\nNetwork 
Traffic\r\nrelevance\r\n5/10\r\nATT\u0026CK ID\r\nT1043 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nSystem Security\r\nModifies proxy settings\r\ndetails\r\n\"mssecsvc.exe\" (Access type: \"SETVAL\"; Path:\r\n\"HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYENABLE\"; Value: \"00000000\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYSERVER\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYOVERRIDE\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET\r\nSETTINGS\\ZONEMAP\"; Key: \"PROXYBYPASS\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET\r\nSETTINGS\\ZONEMAP\"; Key: \"PROXYBYPASS\")\r\n\"mssecsvc.exe\" (Access type: \"SETVAL\"; Path:\r\n\"HKU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYENABLE\"; Value: \"00000000\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYSERVER\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\";\r\nKey: \"PROXYOVERRIDE\")\r\n\"mssecsvc.exe\" (Access type: \"DELETEVAL\"; Path:\r\n\"HKU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET\r\nSETTINGS\\ZONEMAP\"; Key: \"PROXYBYPASS\")\r\nsource\r\nRegistry Access\r\nrelevance\r\n10/10\r\nATT\u0026CK ID\r\nT1112 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nUnusual Characteristics\r\nImports suspicious 
APIs\r\ndetails\r\nCreateProcessA\r\nLockResource\r\nWriteFile\r\nCreateFileA\r\nFindResourceA\r\nCreateServiceA\r\nStartServiceA\r\nStartServiceCtrlDispatcherA\r\nGetModuleFileNameA\r\nGetStartupInfoA\r\nGetFileSize\r\nGetProcAddress\r\nGetModuleHandleA\r\nGetModuleHandleW\r\nSleep\r\nGetTickCount\r\nInternetOpenUrlA\r\nInternetCloseHandle\r\nInternetOpenA\r\nsocket\r\nrecv\r\nsend\r\nWSAStartup\r\nconnect\r\nclosesocket\r\nRegCloseKey\r\nRegCreateKeyW\r\nLoadLibraryA\r\nGetFileAttributesA\r\nCopyFileA\r\nVirtualProtect\r\nGetFileAttributesW\r\nCreateDirectoryA\r\nCreateDirectoryW\r\nGetComputerNameW\r\nGetFileSizeEx\r\nGetTempPathW\r\nTerminateProcess\r\nVirtualAlloc\r\nsource\r\nStatic Parser\r\nrelevance\r\n1/10\r\nInstalls hooks/patches the running process\r\ndetails\r\n\"rundll32.exe\" wrote bytes\r\n\"88eadc761656dd7681ecdc764557dc763105dc76ca9edc76cda6dc768220d876000000009498cd7651c1cd76ee9ccd76ec32d77654d3\r\nto virtual address \"0x10002000\" (part of module \"2A8EFBFADD798F6111340F7C1C956BEE.DLL\")\r\n\"mssecsvc.exe\" wrote bytes\r\n\"e7393577e1a639772e713977ee29397785e234776da03977906438773ad53f7726e43477d16d3977003d3777804b377700000000ad3\r\nto virtual address \"0x74C01000\" (part of module \"WSHIP6.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"f8110000\" to virtual address \"0x750D12CC\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"f8110d75\" to virtual address \"0x750E834C\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"f8110000\" to virtual address \"0x750D1408\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"b89012036fffe0\" to virtual address \"0x750D1248\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120d75\" to virtual address \"0x750E8348\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes 
\"f8110d75\" to virtual address \"0x750E8368\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"68130000\" to virtual address \"0x75871680\" (part of module\r\n\"WS2_32.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"f8110d75\" to virtual address \"0x750E83C4\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120d75\" to virtual address \"0x750E8364\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes\r\n\"fae63477e1a639772e713977ee29397785e234776da0397726e43477d16d3977003d3777804b377700000000ad3787758b2d8775b64\r\nto virtual address \"0x746B1000\" (part of module \"WSHTCPIP.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120d75\" to virtual address \"0x750E83C0\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"f8110d75\" to virtual address \"0x750E83E0\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"b88011036fffe0\" to virtual address \"0x75871368\" (part of module\r\n\"WS2_32.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120000\" to virtual address \"0x750D139C\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120000\" to virtual address \"0x750D12DC\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"a011036f\" to virtual address \"0x7715E324\" (part of module\r\n\"WININET.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"48120d75\" to virtual address \"0x750E83DC\" (part of module\r\n\"SSPICLI.DLL\")\r\n\"mssecsvc.exe\" wrote bytes \"b81015036fffe0\" to virtual address \"0x750D11F8\" (part of module\r\n\"SSPICLI.DLL\")\r\nsource\r\nHook Detection\r\nrelevance\r\n10/10\r\nATT\u0026CK ID\r\nT1179 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nHiding 2 Suspicious Indicators\r\nAll indicators are available only in the private webservice or standalone version\r\nExternal Systems\r\nDetected Suricata Alert\r\ndetails\r\nDetected alert \"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\" (SID:\r\n2001569, Rev: 15, 
Severity: 3) categorized as \"Misc activity\"\r\nsource\r\nSuricata Alerts\r\nrelevance\r\n10/10\r\nGeneral\r\nContacts domains\r\ndetails\r\n\"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\"\r\nsource\r\nNetwork Traffic\r\nrelevance\r\n1/10\r\nContacts server\r\ndetails\r\n\"104.16.173.80:80\"\r\n\"123.119.235.225:445\"\r\n\"171.243.141.156:445\"\r\n\"22.190.114.199:445\"\r\n\"19.28.211.242:445\"\r\n\"51.187.114.224:445\"\r\n\"80.93.187.33:445\"\r\n\"191.7.5.28:445\"\r\n\"74.66.141.75:445\"\r\n\"72.55.56.162:445\"\r\n\"182.74.141.79:445\"\r\n\"66.120.107.41:445\"\r\n\"112.61.249.78:445\"\r\n\"159.170.228.202:445\"\r\n\"41.61.70.132:445\"\r\n\"161.154.238.120:445\"\r\n\"207.194.34.20:445\"\r\n\"207.27.9.151:445\"\r\n\"47.143.47.147:445\"\r\n\"106.131.54.225:445\"\r\nsource\r\nNetwork Traffic\r\nrelevance\r\n1/10\r\nCreates mutants\r\ndetails\r\n\"\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex\"\r\n\"\\Sessions\\1\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex\"\r\n\"Local\\ZonesCacheCounterMutex\"\r\n\"Local\\ZonesLockedCacheCounterMutex\"\r\n\"\\BaseNamedObjects\\Local\\ZonesCacheCounterMutex\"\r\n\"\\BaseNamedObjects\\Local\\ZonesLockedCacheCounterMutex\"\r\nsource\r\nCreated Mutant\r\nrelevance\r\n3/10\r\nGETs files from a webserver\r\ndetails\r\n\"GET / HTTP/1.1\r\nHost: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\nCache-Control: no-cache\"\r\nsource\r\nNetwork Traffic\r\nrelevance\r\n5/10\r\nProcess launched with changed environment\r\ndetails\r\nProcess \"mssecsvc.exe\" (Show Process) was launched with modified environment variables: \"Path,\r\nLOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP\"\r\nProcess \"mssecsvc.exe\" (Show Process) was launched with missing environment variables:\r\n\"LOGONSERVER, HOMEPATH, HOMEDRIVE\"\r\nProcess \"tasksche.exe\" (Show Process) was 
launched with new environment variables:\r\n\"LOGONSERVER=\"\\\\HAPUBWS-PC\", HOMEPATH=\"\\Users\\BoXuzF2\", HOMEDRIVE=\"C:\"\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with modified environment variables: \"Path,\r\nLOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with new environment variables:\r\n\"PROMPT=\"$P$G\"\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with modified environment variables: \"Path,\r\nLOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with missing environment variables:\r\n\"LOGONSERVER, HOMEPATH, HOMEDRIVE\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with new environment variables:\r\n\"LOGONSERVER=\"\\\\HAPUBWS-PC\", HOMEPATH=\"\\Users\\BoXuzF2\", HOMEDRIVE=\"C:\"\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with modified environment variables: \"Path,\r\nLOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP\"\r\nProcess \"tasksche.exe\" (Show Process) was launched with missing environment variables: \"PROMPT\"\r\nsource\r\nMonitored Target\r\nrelevance\r\n10/10\r\nSpawns new processes\r\ndetails\r\nSpawned process \"rundll32.exe\" with commandline \"\"C:\\2a8efbfadd798f6111340f7c1c956bee.dll\",#1\"\r\n(Show Process)\r\nSpawned process \"mssecsvc.exe\" (Show Process)\r\nSpawned process \"mssecsvc.exe\" with commandline \"-m security\" (Show Process)\r\nSpawned process \"tasksche.exe\" with commandline \"/i\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . 
/grant Everyone:F /T /C /Q\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . /grant Everyone:F /T /C /Q\" (Show Process)\r\nsource\r\nMonitored Target\r\nrelevance\r\n3/10\r\nSpawns new processes that are not known child processes\r\ndetails\r\nSpawned process \"rundll32.exe\" with commandline \"\"C:\\2a8efbfadd798f6111340f7c1c956bee.dll\",#1\"\r\n(Show Process)\r\nSpawned process \"mssecsvc.exe\" (Show Process)\r\nSpawned process \"mssecsvc.exe\" with commandline \"-m security\" (Show Process)\r\nSpawned process \"tasksche.exe\" with commandline \"/i\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"tasksche.exe\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . /grant Everyone:F /T /C /Q\" (Show Process)\r\nSpawned process \"attrib.exe\" with commandline \"attrib +h .\" (Show Process)\r\nSpawned process \"icacls.exe\" with commandline \"icacls . 
/grant Everyone:F /T /C /Q\" (Show Process)\r\nsource\r\nMonitored Target\r\nrelevance\r\n3/10\r\nThe input sample possibly contains the RDTSCP instruction\r\ndetails\r\nFound VM detection artifact \"RDTSCP trick\" in\r\n\"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6.bin\" (Offset: 774762)\r\nsource\r\nBinary File\r\nrelevance\r\n5/10\r\nATT\u0026CK ID\r\nT1497 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nInstallation/Persistence\r\nDropped files\r\ndetails\r\n\"MSSECSVC.EXE.6038B8CC.bin\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"TASKSCHE.EXE.6038BB10.bin\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"tasksche.exe\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"mssecsvc.exe\" has type \"PE32 executable (GUI) Intel 80386 for MS Windows\"\r\n\"m_dutch.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_finnish.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_vietnamese.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_turkish.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_russian.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_indonesian.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_italian.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_french.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_chinese _traditional_.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_spanish.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"m_portuguese.wnry\" has type \"Rich Text Format data version 1 unknown character set\"\r\n\"c.wnry\" 
has type \"data\"\r\nsource\r\nBinary File\r\nrelevance\r\n3/10\r\nTouches files in the Windows directory\r\ndetails\r\n\"rundll32.exe\" touched file \"%WINDIR%\\AppPatch\\sysmain.sdb\"\r\n\"rundll32.exe\" touched file \"%WINDIR%\\System32\\rundll32.exe\"\r\n\"rundll32.exe\" touched file \"%WINDIR%\\AppPatch\\AcLayers.dll\"\r\n\"rundll32.exe\" touched file \"%WINDIR%\\mssecsvc.exe\"\r\n\"rundll32.exe\" touched file \"%WINDIR%\\System32\\en-US\\rundll32.exe.mui\"\r\n\"mssecsvc.exe\" touched file \"%APPDATA%\\Microsoft\\Windows\\Cookies\"\r\n\"mssecsvc.exe\" touched file \"%APPDATA%\\Microsoft\\Windows\\Cookies\\FZD0P3G2.txt\"\r\n\"mssecsvc.exe\" touched file \"%WINDIR%\\tasksche.exe\"\r\n\"mssecsvc.exe\" touched file \"%WINDIR%\\AppPatch\\sysmain.sdb\"\r\nsource\r\nAPI Call\r\nrelevance\r\n7/10\r\nNetwork Related\r\nFound potential URL in binary/memory\r\ndetails\r\nPattern match: \"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\"\r\nPattern match: \"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\"\r\nPattern match: \"http://schemas.microsoft.com/o\"\r\nPattern match:\r\n\"http://schemas.microsoft.com/office/word/2003/wordml}}\\paperw12240\\paperh15840\\margl1501\\margr1502\\margt1701\\margb144\r\nPattern match:\r\n\"http://schemas.microsoft.com/office/word/2003/wordml}}\\paperw12240\\paperh15840\\margl1034\\margr1034\\margt1701\\margb144\r\nPattern match: \"http://schemas.microsoft\"\r\nsource\r\nFile/Memory\r\nrelevance\r\n10/10\r\nUnusual Characteristics\r\nMatched Compiler/Packer signature\r\ndetails\r\n\"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6.bin\" was detected as\r\n\"Microsoft visual C++ 6.0 DLL\"\r\n\"MSSECSVC.EXE.6038B8CC.bin\" was detected as \"Microsoft visual C++ 5.0\"\r\n\"TASKSCHE.EXE.6038BB10.bin\" was detected as \"Microsoft visual C++ 5.0\"\r\nsource\r\nStatic Parser\r\nrelevance\r\n10/10\r\nATT\u0026CK ID\r\nT1045 (Show technique in the MITRE ATT\u0026CK™ matrix)\r\nFile Details\r\nAll 
Details:\r\n2a8efbfadd798f6111340f7c1c956bee\r\nFile Sections\r\nName | Entropy | Virtual Address | Virtual Size | Raw Size | MD5\r\n.text | 1.44299712447 | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc\r\n.rdata | 0.734601813362 | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4\r\n.data | 0.0852386864133 | 0x3000 | 0x154 | 0x1000 | fe5022c5b5d015ad38b2b77fc437a5cb\r\n.rsrc | 6.10865289671 | 0x4000 | 0x500060 | 0x501000 | f016d5edc700b1685a0bdcec7c83cea4\r\n.reloc | 0 | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110\r\nFile Resources\r\nFile Imports\r\nKERNEL32.dll\r\nMSVCRT.dll\r\nFile Exports\r\nScreenshots\r\nData couldn't be loaded. 
Please try again.\r\nCPU Usage\r\nCommitted Bytes\r\nDisk Read Bytes/sec\r\nDisk Write Bytes/sec\r\nNetwork Packets/sec\r\nPage File Bytes\r\nHybrid Analysis\r\nTip: Click an analysed process below to view more details.\r\nAnalysed 10 processes in total (System Resource Monitor).\r\nNetwork Analysis\r\nThis report was generated with enabled TOR analysis\r\nDNS Requests\r\nHTTP Traffic\r\nSuricata Alerts\r\nET rules applied using Suricata. Find out more about proofpoint ET Intelligence here.\r\nExtracted Files\r\nDisplaying 24 extracted file(s). The remaining 47 file(s) are available in the full version and XML/JSON reports.\r\nWarnings\r\nA process crash was detected during the runtime analysis\r\nEnforcing malicious verdict, as a reliable source indicates high confidence\r\nNetwork whitenoise filtering was applied\r\nNot all sources for indicator ID \"api-55\" are available in the report\r\nNot all sources for indicator ID \"binary-0\" are available in the report\r\nNot all sources for indicator ID \"hooks-8\" are available in the report\r\nNot all sources for indicator ID \"mutant-0\" are available in the report\r\nNot all sources for indicator ID \"network-1\" are available in the report\r\nNot all sources for indicator ID \"network-17\" are available in the report\r\nSome low-level data is hidden, as this is only a slim report\r\nSource: https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
	],
	"report_names": [
		"22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
	],
	"threat_actors": [],
	"ts_created_at": 1775434535,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1fd8ad50eaff2f265a556f024e3e4c20f4c89eb.pdf",
		"text": "https://archive.orkl.eu/a1fd8ad50eaff2f265a556f024e3e4c20f4c89eb.txt",
		"img": "https://archive.orkl.eu/a1fd8ad50eaff2f265a556f024e3e4c20f4c89eb.jpg"
	}
}