Windows Analysis Report 7HHrcwZjLI.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses dynamic DNS services
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: Remcos |
---|
{"Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0", "Assigned name": "RemoteHost_NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-2LBKGP", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Threatname: GuLoader |
---|
{"Payload URL": "http://dypage.duckdns.org/remcos_d_QUBXVO174.b"}
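How a practitioner would turn the two configurations above into indicators, as an added example that is not part of the Joe Sandbox report. The CONFIG dict copies the Remcos settings as rendered on this page and PAYLOAD_URL the GuLoader one. Assumptions, also labelled in the code: the Host:Port:Password value lost the delimiter between its two entries when the page was rendered, so entries are recovered by pattern (a host, a port, then a password running up to the next host:port: prefix); the install-root keyword AppData is mapped to %APPDATA%; and the Run value is only expected to exist when the Install flag is enabled, which it is not for this sample.

```python
"""Derive host and network IOCs from the Remcos and GuLoader configurations above.

Added example; not code from the Joe Sandbox report. CONFIG holds the Remcos
settings exactly as rendered on this page, PAYLOAD_URL the GuLoader one.
Assumption: the "Host:Port:Password" value lost the delimiter between its two
entries when the page was rendered, so entries are recovered by matching
host:port:password triples, where the password is the shortest run of
characters before the next "host.tld:port:" prefix or the end of the string.
"""
import re
from urllib.parse import urlparse

CONFIG = {
    "Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "Remcos-2LBKGP",
    "Keylog flag": "0",
    "Keylog path": "AppData",
    "Keylog folder": "remcos",
    "Keylog file": "logs.dat",
}
PAYLOAD_URL = "http://dypage.duckdns.org/remcos_d_QUBXVO174.b"

# A host name or IP, a port, then a password that stops where the next
# "<host>.<tld>:<port>:" begins or the string ends.
_C2_RE = re.compile(
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5}):"
    r"(?P<pw>[^:]+?)(?=[A-Za-z0-9-]+\.[A-Za-z0-9.-]+:\d{1,5}:|$)"
)

# Remcos names the install root by keyword; map the one used here to the
# environment variable it expands to (assumption for any other keyword).
_ROOTS = {"AppData": "%APPDATA%"}
_RUN_KEYS = {
    "Setup HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Setup HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}


def parse_c2(value: str) -> list:
    """Split the fused Host:Port:Password string into one dict per C2 entry."""
    return [
        {"host": m["host"], "port": int(m["port"]), "password": m["pw"]}
        for m in _C2_RE.finditer(value)
    ]


def host_iocs(cfg: dict) -> dict:
    """Artefacts the configuration would leave on disk and in the registry."""
    root = _ROOTS.get(cfg["Install path"], cfg["Install path"])
    klroot = _ROOTS.get(cfg["Keylog path"], cfg["Keylog path"])
    return {
        "mutex": cfg["Mutex"],
        # Install flag governs self-copy; with it disabled, the copy and the Run
        # value below are configured but not expected to appear, which agrees
        # with the report finding no dropped files.
        "install_enabled": cfg["Install flag"] == "Enable",
        "install_path": f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}",
        "run_values": [
            f"{key}\\{cfg['Startup value']}"
            for flag, key in _RUN_KEYS.items()
            if cfg.get(flag) == "Enable"
        ],
        "keylog_enabled": cfg["Keylog flag"] != "0",
        "keylog_path": f"{klroot}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}",
    }


def network_iocs(cfg: dict, payload_url: str) -> dict:
    """C2 endpoints from the Remcos config plus the GuLoader download location."""
    url = urlparse(payload_url)
    c2 = parse_c2(cfg["Host:Port:Password"])
    return {
        "c2": c2,
        "payload_host": url.hostname,
        "payload_path": url.path,
        "domains": sorted({e["host"] for e in c2} | {url.hostname}),
    }


def build_iocs(cfg: dict = CONFIG, payload_url: str = PAYLOAD_URL) -> dict:
    return {"host": host_iocs(cfg), "network": network_iocs(cfg, payload_url)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(), indent=2))
```

With Install flag set to Disable the sample does not copy itself, so the %APPDATA%\Remcos\remcos.exe path and the Run value are what the operator configured, not what this run produced; the report's empty dropped-files section agrees. The mutex and the duckdns.org endpoints are the indicators that hold regardless.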
Yara Overview |
---|
Memory Dumps |
---|
Rule | Description | Author |
---|---|---|
JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration |
Source: | Malware Configuration Extractor: | ||
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Yara detected Remcos RAT |
Source: | File source: |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Networking: |
---|
C2 URLs / IPs found in malware configuration |
Source: | URLs: | ||
Source: | URLs: |
Uses dynamic DNS services |
Source: | DNS query: | ||
Source: | DNS query: |
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | IP Address: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | DNS traffic detected: |
Source: | HTTP traffic detected: |
Source: | Binary or memory string: |
E-Banking Fraud: |
---|
Yara detected Remcos RAT |
Source: | File source: |
System Summary: |
---|
Potential malicious icon found |
Source: | Icon embedded in PE file: |
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Process Stats: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Section loaded: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | Mutant created: |
Source: | Classification label: |
Source: | File read: |
Source: | File read: |
Source: | File read: |
Data Obfuscation: |
---|
Yara detected GuLoader |
Source: | File source: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run |
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: | ||
Source: | File opened: |
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Window / User API: |
Source: | Thread sleep count: |
Source: | Thread sleep count: |
Source: | Last function: |
Source: | System information queried: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Anti Debugging: |
---|
Hides threads from debuggers |
Source: | Thread information set: | ||
Source: | Thread information set: |
Source: | Process created: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected |
Source: | Signature Results: |
Yara detected Remcos RAT |
Source: | File source: |
Remote Access Functionality: |
---|
Yara detected Remcos RAT |
Source: | File source: |
Mitre Att&ck Matrix |
---|
Tactic | Matched techniques (trailing digits are the sandbox's signature-hit counts; unmatched matrix cells omitted) |
---|---|
Privilege Escalation | Process Injection12 |
Defense Evasion | Process Injection12, Virtualization/Sandbox Evasion22, Obfuscated Files or Information2, Software Packing1 |
Credential Access | Input Capture1 |
Discovery | Security Software Discovery31, Virtualization/Sandbox Evasion22, Process Discovery1, Application Window Discovery1, Remote System Discovery1, System Information Discovery2 |
Collection | Input Capture1, Archive Collected Data1 |
Command and Control | Encrypted Channel1, Non-Standard Port1, Ingress Tool Transfer1, Non-Application Layer Protocol2, Application Layer Protocol212 |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Detection | Scanner | Label |
---|---|---|
40% | Virustotal | |
16% | ReversingLabs | Win32.Trojan.Mucc |
100% | Joe Sandbox ML | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Detection | Scanner | Label |
---|---|---|
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
0% | Virustotal | |
0% | Avira URL Cloud | safe |
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
dypage.duckdns.org | 23.146.242.85 | true | true | unknown | |
dyn-wave.duckdns.org | 23.146.241.70 | true | true | unknown |
Contacted URLs |
---|
Malicious | Antivirus Detection | Reputation |
---|---|---|
true | | unknown |
false | | unknown |
true | | unknown |
URLs from Memory and Binaries |
---|
Malicious | Antivirus Detection | Reputation |
---|---|---|
false | | unknown |
false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
23.146.241.70 | dyn-wave.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true |
23.146.242.85 | dypage.duckdns.org | Reserved | 46664 | VDI-NETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491246 |
Start date: | 27.09.2021 |
Start time: | 11:56:39 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 7HHrcwZjLI.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 22 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/0@2/2 |
EGA Information: | Failed |
HDC Information: |
HCA Information: | Failed |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated samples | Detection |
---|---|---|
23.146.242.85 | 5 | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated samples | Detection |
---|---|---|
VDI-NETWORKUS | 20 | malicious |
VDI-NETWORKUS | 20 | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.204068690250343 |
TrID: |
File name: | 7HHrcwZjLI.exe |
File size: | 196608 |
MD5: | 5f09b37b56cb003804dca1a778799746 |
SHA1: | 7d9924657fb4275d47b1e8ff30abfd6a1726ca70 |
SHA256: | 1f2f9b357003d7816259c172bff00bc8be6305247a94594de4eb9a7e7ecbb385 |
SHA512: | 61c89f0eddf54e3ab7883cf18557711d4a143a6cb8f72c6c6bb92888f48e0ea1186d4347dee922dc79ea60f63bde2a4e830e3c03a1836efa6c45f3885eb30ef9 |
SSDEEP: | 3072:GI8X4DXaGnFbn3j+2co5q0DtH1+Z8j7G9YgVoDqD9N9:Gj4DqGFbT+Zo5RD5Fjq9RoY |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...X..N.....................0....................@................ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x4013f0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x4EC4AC58 [Thu Nov 17 06:40:24 2011 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | bd85017eeb8dd3332d04b1838f2b93b1 |
Entrypoint Preview |
---|
Instruction |
---|
push 00401698h |
call 00007FE2848F6353h |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
xor byte ptr [eax], al |
add byte ptr [eax], al |
inc eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add bh, dl |
inc ebp |
dec edi |
hlt |
insd |
out dx, eax |
inc esi |
mov ecx, 629EC330h |
mov dword ptr [00009238h], eax |
add byte ptr [eax], al |
add byte ptr [eax], al |
add dword ptr [eax], eax |
add byte ptr [eax], al |
inc edx |
add byte ptr [edx], al |
push eax |
add dword ptr [ecx], 42h |
outsd |
insd |
bound edi, dword ptr [ecx+6Ch] |
imul ebp, dword ptr [ecx+64h], CC006561h |
aas |
or eax, dword ptr [ebx] |
add byte ptr [eax], al |
add byte ptr [eax], al |
dec esp |
xor dword ptr [eax], eax |
or al, 73h |
mov edx, 30173730h |
je 00007FE2848F63A6h |
movsb |
sub ebp, dword ptr [ecx-59423EB9h] |
mov al, byte ptr [8B7091A7h] |
mov esp, 844382B6h |
test byte ptr [eax], ah |
call far 4F3Ah : 07D5689Ah |
lodsd |
xor ebx, dword ptr [ecx-48EE309Ah] |
or al, 00h |
stosb |
add byte ptr [eax-2Dh], ah |
xchg eax, ebx |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
test dword ptr [ecx], 00470000h |
add byte ptr [eax], al |
add byte ptr [ebx], cl |
add byte ptr [eax+6Ch], dl |
popad |
jnc 00007FE2848F63D0h |
jnc 00007FE2848F63D5h |
imul esp, dword ptr [edi+74h], 07010D00h |
add byte ptr [edx+esi*2+69h], dl |
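The preview above is the classic Visual Basic 6 entry stub (the import table below lists only MSVBVM60.DLL): `push <VBHeader address>` followed by `call ThunRTMain`, after which the disassembler runs straight into the VB header data, which is why the long runs of `add byte ptr [eax], al` (zero bytes) and other nonsense instructions appear. The check below is an added example, not code from the report: it recognises the stub and confirms that the pushed address points at the "VB5!" magic that starts the header. The image it runs on is constructed (the push of 00401698h plus a call with a placeholder displacement at RVA 0x13f0, and the magic at RVA 0x1698); the sample itself is not on this page.

```python
"""Recognise the VB6 entry stub shown in the Entrypoint Preview.

Added example; not code from the Joe Sandbox report. A VB5/VB6 executable
starts with `push imm32; call rel32`, the immediate being the address of the
VBHeader structure whose first four bytes are "VB5!". The fake image below is
constructed from the values in the report (image base 0x400000, entry point
0x4013f0, push 00401698h); the call displacement is a placeholder.
"""
import struct

IMAGE_BASE = 0x400000    # "Imagebase: 0x400000"
ENTRY_RVA = 0x13F0       # "Entrypoint: 0x4013f0"
VB_HEADER_VA = 0x401698  # "push 00401698h"
VB_MAGIC = b"VB5!"


def build_fake_image(header_va: int = VB_HEADER_VA) -> bytes:
    """A memory-mapped image holding only the entry stub and the header magic."""
    img = bytearray(0x2000)
    stub = b"\x68" + struct.pack("<I", header_va)   # push imm32
    stub += b"\xE8" + struct.pack("<i", 0x100)      # call rel32 (placeholder displacement)
    img[ENTRY_RVA:ENTRY_RVA + len(stub)] = stub
    rva = header_va - IMAGE_BASE
    img[rva:rva + len(VB_MAGIC)] = VB_MAGIC
    return bytes(img)


def vb6_header_va(image: bytes, entry_rva: int = ENTRY_RVA, image_base: int = IMAGE_BASE):
    """Return the VBHeader VA if `entry_rva` holds `push imm32; call rel32` and the
    pushed address points at "VB5!" inside the image, otherwise None."""
    code = image[entry_rva:entry_rva + 10]
    if len(code) < 10 or code[0] != 0x68 or code[5] != 0xE8:
        return None
    va = struct.unpack_from("<I", code, 1)[0]
    rva = va - image_base
    if not 0 <= rva <= len(image) - len(VB_MAGIC):
        return None           # pushed address is outside the image: not a VB header
    return va if image[rva:rva + len(VB_MAGIC)] == VB_MAGIC else None


def is_vb6_binary(image: bytes, imports: dict) -> bool:
    """The stub check and the import table must agree before calling it VB6."""
    has_runtime = "MSVBVM60.DLL" in {name.upper() for name in imports}
    return has_runtime and vb6_header_va(image) is not None


if __name__ == "__main__":
    va = vb6_header_va(build_fake_image())
    print("VB header at", hex(va) if va else "not found")
```

On a real file, read the entry bytes and the header magic through the section table (RVA to file offset) rather than from a flat buffer; the `push`/`call` pair alone is not enough, since packers reuse it, which is why the magic check and the import-table check are both required here.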
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d074 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x30000 | 0xbea | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x138 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x2c528 | 0x2d000 | False | 0.619411892361 | data | 7.41395278491 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x2e000 | 0x190c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x30000 | 0xbea | 0x1000 | False | 0.2529296875 | data | 3.21005066435 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
CUSTOM | 0x30990 | 0x25a | ASCII text, with CRLF line terminators | English | United States |
RT_ICON | 0x30860 | 0x130 | data | ||
RT_ICON | 0x30578 | 0x2e8 | data | ||
RT_ICON | 0x30450 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x30420 | 0x30 | data | ||
RT_VERSION | 0x301a0 | 0x280 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0409 0x04b0 |
InternalName | TREMMERNE |
FileVersion | 1.04 |
CompanyName | Qualtrics |
Comments | Qualtrics |
ProductName | Qualtrics |
ProductVersion | 1.04 |
FileDescription | Qualtrics |
OriginalFilename | TREMMERNE.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-12:01:09.327782 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
09/27/21-12:01:11.469581 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 12:01:09.399159908 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.511538029 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.515326023 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.571798086 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.685571909 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.685606956 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.685631037 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.685642958 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.685655117 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.685671091 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.685691118 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.685749054 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.798145056 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798172951 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798479080 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798500061 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798517942 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798533916 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798549891 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798567057 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798583031 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.798937082 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.799078941 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:09.911395073 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911441088 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911468983 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911514044 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911537886 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911569118 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911596060 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911619902 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911648035 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911673069 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911700010 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911727905 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911770105 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911791086 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.911813974 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:09.912409067 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.024640083 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024682999 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024703026 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024753094 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024775982 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024802923 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024828911 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024852991 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024876118 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024899960 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.024921894 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025033951 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025058031 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025082111 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025105000 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025131941 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025156021 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025177956 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.025193930 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.027384043 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.139297962 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139336109 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139357090 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139377117 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139399052 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139419079 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139448881 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.139468908 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139545918 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.139556885 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139583111 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.139607906 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.139652014 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140234947 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140263081 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140286922 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140307903 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140316963 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140330076 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140350103 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140352964 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140377998 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140402079 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140407085 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140427113 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140429974 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140450954 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140469074 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140474081 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140497923 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140517950 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140537024 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.140538931 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.140558958 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.253523111 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.253557920 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.253582954 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.253607035 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.253619909 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |
Sep 27, 2021 12:01:10.253632069 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
Sep 27, 2021 12:01:10.253655910 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 27, 2021 11:58:04.005224943 CEST | 54513 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:04.032073021 CEST | 53 | 54513 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:18.950525999 CEST | 62044 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:19.027103901 CEST | 53 | 62044 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:19.744672060 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:19.842484951 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:20.240284920 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:20.307231903 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:20.604614019 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:20.618647099 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:21.073795080 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:21.087407112 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:21.445225000 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:21.472714901 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:21.519813061 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:21.535204887 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:21.939475060 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:21.953433037 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:22.586143017 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:22.716329098 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:23.737333059 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:23.751560926 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:24.083543062 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:24.097618103 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:45.185661077 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:45.214778900 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:45.351905107 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:45.387033939 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:58:50.912964106 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:58:50.955738068 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:59:01.400873899 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:59:01.455881119 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:59:27.841049910 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:59:27.853720903 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 11:59:34.487144947 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 11:59:34.521306992 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 12:01:09.211680889 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 12:01:09.327781916 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
Sep 27, 2021 12:01:11.354238033 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
Sep 27, 2021 12:01:11.469580889 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 12:01:09.211680889 CEST | 192.168.2.6 | 8.8.8.8 | 0xd6ae | Standard query (0) | dypage.duckdns.org | A (IP address) | IN (0x0001) |
Sep 27, 2021 12:01:11.354238033 CEST | 192.168.2.6 | 8.8.8.8 | 0x2aa8 | Standard query (0) | dyn-wave.duckdns.org | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 12:01:09.327781916 CEST | 8.8.8.8 | 192.168.2.6 | 0xd6ae | No error (0) | dypage.duckdns.org | | 23.146.242.85 | A (IP address) | IN (0x0001) |
Sep 27, 2021 12:01:11.469580889 CEST | 8.8.8.8 | 192.168.2.6 | 0x2aa8 | No error (0) | dyn-wave.duckdns.org | | 23.146.241.70 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.6 | 49826 | 23.146.242.85 | 80 | C:\Users\user\Desktop\7HHrcwZjLI.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 12:01:09.571798086 CEST | 5754 | OUT | |
Sep 27, 2021 12:01:09.685571909 CEST | 5756 | IN |
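The network tables in this section show the two-stage pattern directly: a DNS lookup for dypage.duckdns.org, an HTTP download of the Remcos payload from 23.146.242.85 on port 80, then a lookup for the C2 host dyn-wave.duckdns.org, whose configured ports (1144, 2404) are what the "non-standard ports" signature refers to. The two Snort alerts (SID 254) are the legacy "DNS SPOOF" rule tripping on the one-minute-TTL, authority-less answers DuckDNS returns, so here they are a dynamic-DNS signal rather than evidence of spoofing. The detection below is an added example, not code from the report; it reads rows in the pipe layout of the TCP Packets and DNS Answers tables, builds flows, and flags dynamic-DNS hosts and non-standard ports. The DNS rows and the first three TCP rows are copied from the report (Name column filled from the Contacted Domains table); the fourth TCP row is constructed, a check-in to dyn-wave.duckdns.org:1144 that the report's truncated packet table does not show; the dynamic-DNS suffix list is an assumption to extend.

```python
"""Flag dynamic-DNS hosts and non-standard ports in sandbox network tables.

Added example; not code from the Joe Sandbox report. Rows use the pipe layout
of this page's "TCP Packets" and "DNS Answers" tables. The last TCP row is
constructed (Remcos check-in on port 1144 from the configuration); the suffix
list is an assumption.
"""
from collections import defaultdict

DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
_DDNS = tuple("." + s for s in DDNS_SUFFIXES)
EXPECTED_PORTS = {80, 443}   # ports where client traffic is unremarkable by itself
HOME_NET = "192.168."        # sandbox client range

DNS_ROWS = [
    "Sep 27, 2021 12:01:09.327781916 CEST | 8.8.8.8 | 192.168.2.6 | 0xd6ae | No error (0) | dypage.duckdns.org | | 23.146.242.85 | A (IP address) | IN (0x0001) |",
    "Sep 27, 2021 12:01:11.469580889 CEST | 8.8.8.8 | 192.168.2.6 | 0x2aa8 | No error (0) | dyn-wave.duckdns.org | | 23.146.241.70 | A (IP address) | IN (0x0001) |",
]
TCP_ROWS = [
    "Sep 27, 2021 12:01:09.399159908 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |",
    "Sep 27, 2021 12:01:09.511538029 CEST | 80 | 49826 | 23.146.242.85 | 192.168.2.6 |",
    "Sep 27, 2021 12:01:09.515326023 CEST | 49826 | 80 | 192.168.2.6 | 23.146.242.85 |",
    # constructed row: C2 check-in on the configured Remcos port, not in the report
    "Sep 27, 2021 12:01:12.000000000 CEST | 49827 | 1144 | 192.168.2.6 | 23.146.241.70 |",
]


def parse_rows(rows) -> list:
    """Split pipe-separated table rows into lists of stripped cells."""
    return [[c.strip() for c in r.strip().strip("|").split("|")] for r in rows]


def dns_map(rows) -> dict:
    """Resolved address -> queried name, from successful A answers."""
    names = {}
    for cells in parse_rows(rows):
        _ts, _src, _dst, _txid, rcode, name, _cname, addr, rtype, _cls = cells[:10]
        if rcode.startswith("No error") and rtype.startswith("A ") and addr:
            names[addr] = name
    return names


def flows(rows) -> dict:
    """Aggregate packets into (client, server, server_port) flows with per-direction
    counts; the HOME_NET side is always treated as the client."""
    agg = defaultdict(lambda: {"out": 0, "in": 0, "first_seen": None})
    for ts, sport, dport, src, dst in parse_rows(rows):
        if src.startswith(HOME_NET):
            key, direction = (src, dst, int(dport)), "out"
        else:
            key, direction = (dst, src, int(sport)), "in"
        f = agg[key]
        f[direction] += 1
        f["first_seen"] = f["first_seen"] or ts
    return dict(agg)


def assess(tcp_rows=TCP_ROWS, dns_rows=DNS_ROWS) -> list:
    """One finding per suspicious flow, listing the reasons that fired."""
    names = dns_map(dns_rows)
    findings = []
    for (client, server, port), f in flows(tcp_rows).items():
        name = names.get(server)
        reasons = []
        if name and name.endswith(_DDNS):
            reasons.append("dynamic DNS host")
        if port not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {port}")
        if reasons:
            findings.append({"client": client, "server": server, "name": name, "port": port,
                             "packets_out": f["out"], "packets_in": f["in"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

The download flow is flagged only for its dynamic-DNS host, which is the weaker signal on its own; the C2 flow gets both reasons, and in a production rule the combination of a freshly resolved DDNS name and a high port from a process that was not a browser is what should raise severity, not either fact alone.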