Analysis Report Remcos Professional Cracked By Alcatraz3222.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
|
{
"Campaign ID": "HacKed",
"Version": "0.7d",
"Install Name": "3b570ffeeb3d34249b9a5ce0ee58a328",
"Install Dir": "20",
"Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"Host": "TEMP",
"Port": "3202",
"Network Seprator": "svchost"
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
njrat1 | Identify njRat | Brian Wallace @botnet_hunter | ||
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | ||
JoeSecurity_Njrat | Yara detected Njrat | Joe Security | ||
njrat1 | Identify njRat | Brian Wallace @botnet_hunter | ||
Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group | ||
CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth | ||
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: System File Execution Location Anomaly |
Source: | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: |
Sigma detected: Direct Autorun Keys Modification |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: |
Sigma detected: Netsh Port or Application Allowed |
Source: | Author: Markus Neis, Sander Wiebing: |
Sigma detected: Windows Processes Suspicious Parent Directory |
Source: | Author: vburov: |
Signature Overview |
---|
- AV Detection
- Compliance
- Networking
- E-Banking Fraud
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
- Stealing of Sensitive Information
- Remote Access Functionality
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Antivirus detection for dropped file |
Source: | Avira: |
Found malware configuration |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs: | ||
Multi AV Scanner detection for submitted file |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Yara detected Njrat |
Source: | File source: | ||
Machine Learning detection for dropped file |
Source: | Joe Sandbox ML: | ||
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Avira: |
Source: | Static PE information: |
Source: | Binary string: | ||
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: |
Uses dynamic DNS services |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
E-Banking Fraud: |
---|
Yara detected Njrat |
Source: | File source: | ||
System Summary: |
---|
Malicious sample detected (through community Yara rule) |
Source: | Matched rule: | ||
Creates files with lurking names (e.g. Crack.exe) |
Source: | File created: | Jump to behavior | ||
Source: | Dropped File: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Static PE information: |
Source: | Process created: |
Source: | Matched rule: | ||
Source: | Task registration methods: | ||
Source: | Security API names: | ||
Source: | Binary or memory string: | ||
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | File created: | Jump to behavior |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Source: | Window found: | Jump to behavior |
Source: | Window detected: |
Source: | File opened: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Static PE information: |
Source: | File created: | Jump to dropped file | ||
Boot Survival: |
---|
Creates an undocumented autostart registry key |
Source: | Key value created or modified: | Jump to behavior |
Hooking and other Techniques for Hiding and Protection: |
---|
Overwrites code with unconditional jumps - possibly settings hooks in foreign process |
Source: | Memory written: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Malware Analysis System Evasion: |
---|
Tries to detect debuggers by setting the trap flag for special instructions |
Source: | Special instruction interceptor: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: |
Tries to detect virtualization through RDTSC time measurements |
Source: | RDTSC instruction interceptor: | ||
Source: | File opened / queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep count: | Jump to behavior |
Source: | Last function: | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | System information queried: | Jump to behavior |
Source: | Process information queried: | Jump to behavior |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: | Jump to behavior |
Source: | System information queried: | Jump to behavior |
Source: | Process queried: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
HIPS / PFW / Operating System Protection Evasion: |
---|
.NET source code references suspicious native API functions |
Source: | Reference to suspicious API methods: |
Allocates memory in foreign processes |
Source: | Memory allocated: | Jump to behavior |
Injects a PE file into a foreign processes |
Source: | Memory written: | Jump to behavior |
Writes to foreign memory regions |
Source: | Memory written: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Binary or memory string: | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings: |
---|
Modifies the windows firewall |
Source: | Process created: |
Uses netsh to modify the Windows network and firewall settings |
Source: | Process created: |
Stealing of Sensitive Information: |
---|
Yara detected Njrat |
Source: | File source: | ||
Remote Access Functionality: |
---|
Yara detected Njrat |
Source: | File source: | ||
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Process Injection312 | Masquerading11 | Credential API Hooking1 | Security Software Discovery531 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Non-Standard Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Registry Run Keys / Startup Folder1 | Scheduled Task/Job1 | Modify Registry1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | DLL Side-Loading1 | Registry Run Keys / Startup Folder1 | Disable or Modify Tools21 | Security Account Manager | Virtualization/Sandbox Evasion151 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol21 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading1 | Virtualization/Sandbox Evasion151 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection312 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Information Discovery213 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
63% | Virustotal | Browse | ||
55% | ReversingLabs | ByteCode-MSIL.Trojan.Occamy | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML | |||
100% | Joe Sandbox ML | |||
55% | ReversingLabs | ByteCode-MSIL.Trojan.Occamy | ||
8% | Metadefender | Browse | ||
31% | ReversingLabs | |||
0% | Metadefender | Browse | ||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Spy.Gen8 | Download File |
No Antivirus matches |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
1% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
dllsys.duckdns.org | 84.220.8.178 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| low |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | unknown | |||
false |
| unknown | ||
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
84.220.8.178 | dllsys.duckdns.org | Italy | 8612 | TISCALI-IT | true |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 422809 |
Start date: | 24.05.2021 |
Start time: | 16:01:32 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 2s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Remcos Professional Cracked By Alcatraz3222.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@20/9@24/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: |
|
Time | Type | Description |
---|---|---|
16:03:11 | API Interceptor |
No context |
---|
No context |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
TISCALI-IT | Get hash | malicious | Browse |
| |
No context |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
C:\Users\user\AppData\Local\Temp\taskhost.exe | Get hash | malicious | Browse | ||
Process: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 522 |
Entropy (8bit): | 5.348034597186669 |
Encrypted: | false |
SSDEEP: | 12:Q3La/KDLI4MWuPk21t92n4M9XKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2f84qXKDE4KhK3VZ9pKhk |
MD5: | 2BB2F12BA5748B56A733B09151565321 |
SHA1: | 3D3EC51320B4BD72C20E5472FBA4675B5BD7E550 |
SHA-256: | 4114743647967ADE8811D6824ABC4C9ABD4EF0177A0082BACEBFC70C53EE3B16 |
SHA-512: | 84B7D2949FC3E4900A2F74E63C314CC331528BC3010F7867462B8C78AC530075F01C6B7576AE0ACAD909DA200AC28F8BD312F77E0013A73E1D81918CD513DE3F |
Malicious: | true |
Reputation: | low |
Preview: |
|
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 73 |
Entropy (8bit): | 4.6906762603832455 |
Encrypted: | false |
SSDEEP: | 3:PLrgUOYEE1ULNfCys2lM9yn:P/XrEEiLNC/2W9y |
MD5: | 1A32B94BD8D51DF35D766B6AFFDFACFC |
SHA1: | B35BA7F44B350DD9E86C74ACFC722EE7373B77EE |
SHA-256: | 3D464700F406245D63409C36AAE1504DD9FB63C784CBF7AE8957052068213937 |
SHA-512: | 9F31CB9B0972EFAB2BA566ACD10E0355ACB316B49A8CDB5C3B0787CBA9F97670EA592E385182FE143F54A2EFFB565C1F78083223BC4600CD961BBFFC8F01D3BD |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18539216 |
Entropy (8bit): | 7.9879261117410865 |
Encrypted: | false |
SSDEEP: | 393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx |
MD5: | EFC159C7CF75545997F8C6AF52D3E802 |
SHA1: | B85BD368C91A13DB1C5DE2326DEB25AD666C24C1 |
SHA-256: | 898AC001D0F6C52C1001C640D9860287FDF30A648D580E9F5DD15E2EF84AB18E |
SHA-512: | D06A432233DCEB731DEFD53238971699FEF201D0F9144EE50E5DD7D6620DFDD6C298D52618BF2C9FEB0519574F4565FB0177B00FD8292768FBD8B85DD11E650D |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Process: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 232 |
Entropy (8bit): | 4.970244067530965 |
Encrypted: | false |
SSDEEP: | 6:SyRK2v/y61EoJOtTZLHvZQRW9m1N723fqkKzEiLVoviKwvM:llx/CoRW9saqLD0 |
MD5: | 5E2757CA2F45970923D85C9A23313CFF |
SHA1: | CE78DA8A12BC22BCBD22C70C45562AC9D0BEE043 |
SHA-256: | A167B7C2F31333D22788B66B9CC754E4A82AC8BB3CD6A92A8609A36BD1054682 |
SHA-512: | 8DB694BB806D6E1C1A1CC88ADCC1BB47FC333CEF41CF230AF8544918F77C371788E730959E46F579043653D7A62E866DBB8FFE3A24F4DA9D19A0752A01312197 |
Malicious: | true |
Preview: |
|
Process: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1159 |
Entropy (8bit): | 5.105409595300578 |
Encrypted: | false |
SSDEEP: | 24:8XA1zt589cURggKsfHpm4RFCbQAbXaqnt3OyO77aB6m:8XA1zt582URrfHpmuCbnbKqnNOyOiB6 |
MD5: | A8B2E21D856B027D6B7051DA3F5B32B1 |
SHA1: | 174CB2EB9454C480DAC1710D9213B6673F246D41 |
SHA-256: | 807F97BFBA2F8E7A61FC0D5880AF27A5ECB5E5DF958AEEC83C8182D83E821764 |
SHA-512: | 872E29E7293F5891426D7E03495F91CCF3E831524B55D6B74A9F424265DF5FB74B7467A8B30DEBF4EBE7C5A707FAE6D4CE7F1459031D8E797D6FCF480549F692 |
Malicious: | true |
Preview: |
|
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | true |
Preview: |
|
Process: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18294272 |
Entropy (8bit): | 7.984362832957851 |
Encrypted: | false |
SSDEEP: | 393216:rvSQtrigd//gMj7J/kwu6GY2JTzAval46wIF19u:DtXOUxkwu6G5fStS1 |
MD5: | C3C21FA4C2186DEB641455482AB0D3AA |
SHA1: | 2F4B49E8383E073CCB965943CE970DE403412567 |
SHA-256: | 4EA203509D0FDFF3E31F976413C546CA3D36133BC708E9A1301860961CC3A8D9 |
SHA-512: | 31DB2963F1BD49F7B4A6EE38E54940D20120D6C05EF7BF34EC97EB93051BEE6D5428E9E1271E4AE8F5544B824188AC7278315E2E2C27BE302A312EEBBF8C3FB7 |
Malicious: | true |
Antivirus: |
|
Preview: |
|
Process: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 261728 |
Entropy (8bit): | 6.1750840449797675 |
Encrypted: | false |
SSDEEP: | 3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu |
MD5: | D621FD77BD585874F9686D3A76462EF1 |
SHA1: | ABCAE05EE61EE6292003AABD8C80583FA49EDDA2 |
SHA-256: | 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6 |
SHA-512: | 2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: |
|
Preview: |
|
Process: | C:\Windows\SysWOW64\netsh.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 313 |
Entropy (8bit): | 4.971939296804078 |
Encrypted: | false |
SSDEEP: | 6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha |
MD5: | 689E2126A85BF55121488295EE068FA1 |
SHA1: | 09BAAA253A49D80C18326DFBCA106551EBF22DD6 |
SHA-256: | D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25 |
SHA-512: | C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.9879261117410865 |
TrID: |
|
File name: | Remcos Professional Cracked By Alcatraz3222.exe |
File size: | 18539216 |
MD5: | efc159c7cf75545997f8c6af52d3e802 |
SHA1: | b85bd368c91a13db1c5de2326deb25ad666c24c1 |
SHA256: | 898ac001d0f6c52c1001c640d9860287fdf30a648d580e9f5dd15e2ef84ab18e |
SHA512: | d06a432233dceb731defd53238971699fef201d0f9144ee50e5dd7d6620dfdd6c298d52618bf2c9feb0519574f4565fb0177b00fd8292768fbd8b85dd11e650d |
SSDEEP: | 393216:GYuGvp8EHb+in8f4Zg41+Q4AXf5ZZcyfHDMxVpSc+q+eOFxdx:3mqSi8fN4sAXfrZcyfo7p0eYHx |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^..].....................d....... ... ...@....@.. ....................................@................................ |
File Icon |
---|
Icon Hash: | 70ccb87171f0cc70 |
General | |
---|---|
Entrypoint: | 0x15620e6 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Time Stamp: | 0x5DBBF75E [Fri Nov 1 09:14:06 2019 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | v4.0.30319 |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x116209c | 0x4a | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1164000 | 0x461da | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11ac000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0x11600ec | 0x1160200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rsrc | 0x1164000 | 0x461da | 0x46200 | False | 0.0958423852496 | data | 2.98313483639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x11ac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.122275881259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0x1164084 | 0x468 | GLS_BINARY_LSB_FIRST | ||
RT_ICON | 0x1164510 | 0x10a8 | data | ||
RT_ICON | 0x11655dc | 0x25a8 | data | ||
RT_ICON | 0x1167ba8 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | ||
RT_GROUP_ICON | 0x11a9c1e | 0x3e | data | ||
RT_VERSION | 0x11a9c98 | 0x31c | data | ||
RT_MANIFEST | 0x11a9ff0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Description | Data |
---|---|
LegalCopyright | BreakingSecurity.net |
FileVersion | 2.2.0.0 |
CompanyName | Breaking-Security.net |
LegalTrademarks | BreakingSecurity.net |
ProductName | REMCOS Remote Control & Surveillance Software |
ProductVersion | 2.2.0 |
FileDescription | REMCOS Remote Control & Surveillance |
Translation | 0x0409 0x04e4 |
Network Behavior |
---|
Network Port Distribution |
---|
- Total Packets: 132
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
Start time: | 16:02:29 |
Start date: | 24/05/2021 |
Path: | C:\Users\user\Desktop\Remcos Professional Cracked By Alcatraz3222.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xcc0000 |
File size: | 18539216 bytes |
MD5 hash: | EFC159C7CF75545997F8C6AF52D3E802 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Reputation: | low |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Timing Activities
Windows UI Activities
Process Token Activities
Object Security Activities
LPC Port Activities
Start time: | 16:02:46 |
Start date: | 24/05/2021 |
Path: | C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 18294272 bytes |
MD5 hash: | C3C21FA4C2186DEB641455482AB0D3AA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | Borland Delphi |
Antivirus matches: |
|
Reputation: | low |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Timing Activities
Windows UI Activities
LPC Port Activities
Start time: | 16:02:58 |
Start date: | 24/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Process Activities
Thread Activities
Memory Activities
System Activities
LPC Port Activities
Start time: | 16:02:58 |
Start date: | 24/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Start time: | 16:03:00 |
Start date: | 24/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Process Activities
Thread Activities
Memory Activities
System Activities
LPC Port Activities
Start time: | 16:03:01 |
Start date: | 24/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Start time: | 16:03:02 |
Start date: | 24/05/2021 |
Path: | C:\Windows\SysWOW64\reg.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1180000 |
File size: | 59392 bytes |
MD5 hash: | CEE2A7E57DF2A159A065A34913A055C2 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Process Activities
Thread Activities
Memory Activities
System Activities
LPC Port Activities
Start time: | 16:03:07 |
Start date: | 24/05/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x2a0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Process Activities
Thread Activities
Memory Activities
System Activities
LPC Port Activities
Start time: | 16:03:08 |
Start date: | 24/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Start time: | 16:03:10 |
Start date: | 24/05/2021 |
Path: | C:\Users\user\AppData\Local\Temp\taskhost.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8e0000 |
File size: | 261728 bytes |
MD5 hash: | D621FD77BD585874F9686D3A76462EF1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | moderate |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
Network Activities
Process Token Activities
LPC Port Activities
Start time: | 16:03:18 |
Start date: | 24/05/2021 |
Path: | C:\Windows\SysWOW64\netsh.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9e0000 |
File size: | 82944 bytes |
MD5 hash: | A0AA3322BB46BBFC36AB9DC1DBBBB807 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Start time: | 16:03:18 |
Start date: | 24/05/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
File Activities
Section Activities
Registry Activities
Mutex Activities
Process Activities
Thread Activities
Memory Activities
System Activities
Windows UI Activities
LPC Port Activities
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|