Windows Analysis Report DW1VgsgHNU.exe
Overview
General Information
Detection
GuLoader Remcos
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected Remcos RAT
Yara detected GuLoader
Hides threads from debuggers
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses dynamic DNS services
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Abnormal high CPU Usage
Classification
Process Tree |
---|
Malware Configuration |
---|
Threatname: Remcos |
---|
{"Host:Port:Password": "dyn-wave.duckdns.org:1144:1dyn-wave.duckdns.org:2404:0", "Assigned name": "RemoteHost_NEW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Remcos-2LBKGP", "Keylog flag": "0", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "20000"}
Threatname: GuLoader |
---|
{"Payload URL": "http://dypage.duckdns.org/remcos_d_QUBXVO174"}
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
| JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |
| JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Found malware configuration | Source: Malware Configuration Extractor |
Multi AV Scanner detection for submitted file | Source: Virustotal |
Yara detected Remcos RAT | Source: File source |
Machine Learning detection for sample | Source: Joe Sandbox ML |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Source: URLs |
Uses dynamic DNS services | Source: DNS query |
E-Banking Fraud: |
---|
Yara detected Remcos RAT | Source: File source |
System Summary: |
---|
Potential malicious icon found | Source: Icon embedded in PE file |
Data Obfuscation: |
---|
Yara detected GuLoader | Source: File source |
Malware Analysis System Evasion: |
---|
Tries to detect Any.run | Source: File opened |
Anti Debugging: |
---|
Hides threads from debuggers | Source: Thread information set |
Stealing of Sensitive Information: |
---|
GuLoader behavior detected | Source: Signature Results |
Yara detected Remcos RAT | Source: File source |
Remote Access Functionality: |
---|
Yara detected Remcos RAT | Source: File source |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion2 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol212 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 20% | Virustotal | | |
| 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
dypage.duckdns.org | 23.146.242.85 | true | true | | unknown |
dyn-wave.duckdns.org | 23.146.241.70 | true | true | | unknown |
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| true | | unknown |
| true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | unknown |
| | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
23.146.241.70 | dyn-wave.duckdns.org | Reserved | | 46664 | VDI-NETWORKUS | true |
23.146.242.85 | dypage.duckdns.org | Reserved | | 46664 | VDI-NETWORKUS | true |
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 491400 |
Start date: | 27.09.2021 |
Start time: | 14:52:48 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 40s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | DW1VgsgHNU.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 29 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.rans.troj.evad.winEXE@3/0@2/2 |
EGA Information: | Failed |
HDC Information: | |
HCA Information: | Failed |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
23.146.241.70 | | | malicious | | |
23.146.242.85 | | | malicious | | |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
dypage.duckdns.org | | | malicious | | |
dyn-wave.duckdns.org | | | malicious | | |
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
VDI-NETWORKUS | | | malicious | | |
VDI-NETWORKUS | | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 6.693618961961531 |
TrID: | |
File name: | DW1VgsgHNU.exe |
File size: | 184320 |
MD5: | b30b9c1d23026ff24f234a07a557dc83 |
SHA1: | 044ceea8b2fb554e2fdd7bcf4d695dded3a58d3b |
SHA256: | c54b1a3af48ef7f70434b9e90c33b4bcdccfbd20339d8164e34957890c67f888 |
SHA512: | 80f9e5c0df30a6937450a35531b5be188c98a911703c30064575b1f6707ebeed98643f0166e689fa54ee5e17c232b9825fcdc6d13cb62ad89f22ef6883124bc3 |
SSDEEP: | 3072:aTN6q3h21LWcznBUcxYIBpafjJJUB/yu0d/eWjUUqdj/WHA:aTyttVBwbbGyjeWjp |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....xH.....................0......`.............@................ |
File Icon |
---|
Icon Hash: | 20047c7c70f0e004 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x401460 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
DLL Characteristics: | |
Time Stamp: | 0x487895E2 [Sat Jul 12 11:30:42 2008 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | 831c9926df4754b736e1ca092f4fb7e7 |
Entrypoint Preview |
---|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2a214 | 0x28 | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0xbea | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x198 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x29864 | 0x2a000 | False | 0.506946382068 | data | 6.92804161947 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.data | 0x2b000 | 0x11e8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x2d000 | 0xbea | 0x1000 | False | 0.253173828125 | data | 3.21209329916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
CUSTOM | 0x2d990 | 0x25a | ASCII text, with CRLF line terminators | English | United States |
RT_ICON | 0x2d860 | 0x130 | data | ||
RT_ICON | 0x2d578 | 0x2e8 | data | ||
RT_ICON | 0x2d450 | 0x128 | GLS_BINARY_LSB_FIRST | ||
RT_GROUP_ICON | 0x2d420 | 0x30 | data | ||
RT_VERSION | 0x2d1a0 | 0x280 | data | English | United States |
Imports |
---|
DLL | Import |
---|---|
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |
Version Infos |
---|
Description | Data |
---|---|
Translation | 0x0409 0x04b0 |
InternalName | Srklasse4 |
FileVersion | 1.04 |
CompanyName | Qualtrics |
Comments | Qualtrics |
ProductName | Qualtrics |
ProductVersion | 1.04 |
FileDescription | Qualtrics |
OriginalFilename | Srklasse4.exe |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
09/27/21-14:57:47.315553 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49958 | 8.8.8.8 | 192.168.2.7 |
09/27/21-14:57:48.635027 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50860 | 8.8.8.8 | 192.168.2.7 |
TCP Packets |
---|
UDP Packets |
---|
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Sep 27, 2021 14:57:47.200725079 CEST | 192.168.2.7 | 8.8.8.8 | 0xd3d3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Sep 27, 2021 14:57:48.519510984 CEST | 192.168.2.7 | 8.8.8.8 | 0xe898 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Sep 27, 2021 14:57:47.315552950 CEST | 8.8.8.8 | 192.168.2.7 | 0xd3d3 | No error (0) | | | 23.146.242.85 | A (IP address) | IN (0x0001) |
Sep 27, 2021 14:57:48.635026932 CEST | 8.8.8.8 | 192.168.2.7 | 0xe898 | No error (0) | | | 23.146.241.70 | A (IP address) | IN (0x0001) |
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.7 | 49892 | 23.146.242.85 | 80 | C:\Users\user\Desktop\DW1VgsgHNU.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Sep 27, 2021 14:57:47.465127945 CEST | 8143 | OUT | |
Sep 27, 2021 14:57:47.578341961 CEST | 8144 | IN | |