Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2024, 9:43 a.m.	Nov. 11, 2024, 9:47 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`910327e1694532d09255bd8873c2265b`
SHA256	`465b3ea1a625728238b4d832b54b6fdc9321bd638ebd483ebecf2b8e32c322e0`
CRC32	`8F375D74`
ssdeep	`49152:Jswg4gfCUU/mW7Mi8Q1ogJ2U91vwmlRbQhfAu7RPq:ewg4gfc/m9inJy8RbQCu7RP`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

remcos_a.exe "C:\Users\test22\AppData\Local\Temp\remcos_a.exe"
2668

Name	Response	Post-Analysis Lookup
ms-office.duckdns.org		194.59.31.120
ms-office1.duckdns.org

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:57986 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:51901 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:57986 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52815 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:43 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0
IsDebuggerPresent Nov. 11, 2024, 9:44 a.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	yqqskrpr
section	ydaqvckj
section	.taggant

One or more processes crashed (50 out of 114 events)

Time & API	Arguments	Status
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: remcos_a+0x32a0b9 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 3317945 exception.address: 0x72a0b9 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 9269248 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 39 ff 34 24 ff 34 24 58 57 e9 2d exception.symbol: remcos_a+0x7e0b1 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 516273 exception.address: 0x47e0b1 registers.esp: 1638244 registers.edi: 4739840 registers.eax: 30094 registers.ebp: 3969105940 registers.edx: 4194304 registers.ebx: 1969094656 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 0d 00 00 00 5c 59 51 b9 89 10 37 7f e9 8f exception.symbol: remcos_a+0x7e44e exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 517198 exception.address: 0x47e44e registers.esp: 1638244 registers.edi: 4739840 registers.eax: 239849 registers.ebp: 3969105940 registers.edx: 4194304 registers.ebx: 1969094656 registers.esi: 3 registers.ecx: 4294939672	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 3e 01 00 00 50 57 89 2c 24 bd 40 9c ff 7f exception.symbol: remcos_a+0x7edb0 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 519600 exception.address: 0x47edb0 registers.esp: 1638240 registers.edi: 4713572 registers.eax: 30365 registers.ebp: 3969105940 registers.edx: 1696871424 registers.ebx: 1969094656 registers.esi: 3 registers.ecx: 4294939672	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 31 c9 e9 69 00 00 00 5c e9 92 fb ff ff 09 d8 exception.symbol: remcos_a+0x7f1cb exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 520651 exception.address: 0x47f1cb registers.esp: 1638244 registers.edi: 4743937 registers.eax: 30365 registers.ebp: 3969105940 registers.edx: 1696871424 registers.ebx: 1969094656 registers.esi: 3 registers.ecx: 4294939672	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 b1 bc c3 1e 89 14 24 50 b8 87 c8 exception.symbol: remcos_a+0x7ed93 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 519571 exception.address: 0x47ed93 registers.esp: 1638244 registers.edi: 4743937 registers.eax: 30365 registers.ebp: 3969105940 registers.edx: 1696871424 registers.ebx: 1969094656 registers.esi: 1259 registers.ecx: 4294940008	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 54 e9 ba ff ff ff 81 e3 a7 exception.symbol: remcos_a+0x202536 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2106678 exception.address: 0x602536 registers.esp: 1638244 registers.edi: 4748782 registers.eax: 31696 registers.ebp: 3969105940 registers.edx: 2345 registers.ebx: 6331735 registers.esi: 6299565 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 56 52 ba 90 62 fd 5f 4a 81 c2 55 04 8d 73 e9 exception.symbol: remcos_a+0x202bd6 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2108374 exception.address: 0x602bd6 registers.esp: 1638244 registers.edi: 0 registers.eax: 31696 registers.ebp: 3969105940 registers.edx: 2345 registers.ebx: 6302943 registers.esi: 3006956648 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 4d 00 00 00 53 e9 2a 00 00 00 8b 24 24 89 exception.symbol: remcos_a+0x208ab9 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2132665 exception.address: 0x608ab9 registers.esp: 1638244 registers.edi: 1968985030 registers.eax: 29643 registers.ebp: 3969105940 registers.edx: 6354037 registers.ebx: 6322145 registers.esi: 0 registers.ecx: 96	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 43 02 00 00 83 ea 04 87 14 24 5c 89 0c 24 exception.symbol: remcos_a+0x2086f2 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2131698 exception.address: 0x6086f2 registers.esp: 1638244 registers.edi: 1968985030 registers.eax: 0 registers.ebp: 3969105940 registers.edx: 6327273 registers.ebx: 6322145 registers.esi: 0 registers.ecx: 50665	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 81 e9 e4 7c 9d 6f 57 bf 61 5c de 7f 81 e9 8f exception.symbol: remcos_a+0x20990f exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2136335 exception.address: 0x60990f registers.esp: 1638240 registers.edi: 1968985030 registers.eax: 29836 registers.ebp: 3969105940 registers.edx: 6327273 registers.ebx: 1467746027 registers.esi: 0 registers.ecx: 6329633	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 55 e9 b5 f9 ff ff 5c e9 8f f5 ff ff 59 81 04 exception.symbol: remcos_a+0x209fb3 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2138035 exception.address: 0x609fb3 registers.esp: 1638244 registers.edi: 1968985030 registers.eax: 29836 registers.ebp: 3969105940 registers.edx: 6327273 registers.ebx: 4294940404 registers.esi: 134889 registers.ecx: 6359469	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 eb c4 98 18 89 34 24 exception.symbol: remcos_a+0x216944 exception.instruction: in eax, dx exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2189636 exception.address: 0x616944 registers.esp: 1638236 registers.edi: 10300970 registers.eax: 1447909480 registers.ebp: 3969105940 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 6361676 registers.ecx: 20	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: remcos_a+0x21492b exception.address: 0x61492b exception.module: remcos_a.exe exception.exception_code: 0xc000001d exception.offset: 2181419 registers.esp: 1638236 registers.edi: 10300970 registers.eax: 1 registers.ebp: 3969105940 registers.edx: 22104 registers.ebx: 0 registers.esi: 6361676 registers.ecx: 20	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 f5 27 b4 13 01 exception.symbol: remcos_a+0x212e8d exception.instruction: in eax, dx exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2174605 exception.address: 0x612e8d registers.esp: 1638236 registers.edi: 10300970 registers.eax: 1447909480 registers.ebp: 3969105940 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6361676 registers.ecx: 10	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 51 b9 69 4f ff 6b e9 be 09 00 00 5a 29 cf 81 exception.symbol: remcos_a+0x219ae6 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2202342 exception.address: 0x619ae6 registers.esp: 1638240 registers.edi: 10300970 registers.eax: 30953 registers.ebp: 3969105940 registers.edx: 6396456 registers.ebx: 45661593 registers.esi: 10 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 6a 01 00 00 81 c6 04 00 00 00 87 34 24 e9 exception.symbol: remcos_a+0x219ecb exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2203339 exception.address: 0x619ecb registers.esp: 1638244 registers.edi: 10300970 registers.eax: 30953 registers.ebp: 3969105940 registers.edx: 6427409 registers.ebx: 45661593 registers.esi: 10 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 68 16 f6 10 0d 89 3c 24 56 68 66 46 ff 71 89 exception.symbol: remcos_a+0x21a2f6 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2204406 exception.address: 0x61a2f6 registers.esp: 1638244 registers.edi: 1370464 registers.eax: 30953 registers.ebp: 3969105940 registers.edx: 6399537 registers.ebx: 45661593 registers.esi: 10 registers.ecx: 0	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 b5 aa 57 66 ba 00 c5 59 64 8f 05 00 exception.symbol: remcos_a+0x21a880 exception.instruction: int 1 exception.module: remcos_a.exe exception.exception_code: 0xc0000005 exception.offset: 2205824 exception.address: 0x61a880 registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 3969105940 registers.edx: 6411947 registers.ebx: 6400398 registers.esi: 6400105 registers.ecx: 2901840315	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 0c 38 68 38 89 1c 24 e9 e7 f8 ff exception.symbol: remcos_a+0x221f9e exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2236318 exception.address: 0x621f9e registers.esp: 1638240 registers.edi: 6428310 registers.eax: 28888 registers.ebp: 3969105940 registers.edx: 6422225 registers.ebx: 1439319296 registers.esi: 10 registers.ecx: 6411745	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 e9 9a 00 00 00 5f e9 28 f8 ff ff exception.symbol: remcos_a+0x221eaa exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2236074 exception.address: 0x621eaa registers.esp: 1638244 registers.edi: 6457198 registers.eax: 28888 registers.ebp: 3969105940 registers.edx: 6422225 registers.ebx: 1439319296 registers.esi: 10 registers.ecx: 6411745	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 57 e9 b9 02 00 00 01 cd 59 50 b8 78 85 be 54 exception.symbol: remcos_a+0x221b18 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2235160 exception.address: 0x621b18 registers.esp: 1638244 registers.edi: 6431310 registers.eax: 28888 registers.ebp: 3969105940 registers.edx: 6422225 registers.ebx: 322689 registers.esi: 10 registers.ecx: 0	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 56 e9 d2 fc ff ff 83 c4 04 05 4f 25 fb 15 2d exception.symbol: remcos_a+0x22af96 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2273174 exception.address: 0x62af96 registers.esp: 1638240 registers.edi: 4706098 registers.eax: 25680 registers.ebp: 3969105940 registers.edx: 6 registers.ebx: 45661815 registers.esi: 1968968720 registers.ecx: 6464976	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 52 81 ec 04 00 00 exception.symbol: remcos_a+0x22aae9 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2271977 exception.address: 0x62aae9 registers.esp: 1638244 registers.edi: 4706098 registers.eax: 25680 registers.ebp: 3969105940 registers.edx: 6 registers.ebx: 45661815 registers.esi: 1968968720 registers.ecx: 6490656	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 68 61 03 7f 11 89 04 24 54 58 83 ec 04 89 1c exception.symbol: remcos_a+0x22a6b1 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2270897 exception.address: 0x62a6b1 registers.esp: 1638244 registers.edi: 4706098 registers.eax: 0 registers.ebp: 3969105940 registers.edx: 80172631 registers.ebx: 45661815 registers.esi: 1968968720 registers.ecx: 6467900	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb ba 67 11 f1 73 55 bd 00 00 00 00 81 ed 30 25 exception.symbol: remcos_a+0x22b87b exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2275451 exception.address: 0x62b87b registers.esp: 1638244 registers.edi: 6496757 registers.eax: 28531 registers.ebp: 3969105940 registers.edx: 1875214256 registers.ebx: 4294942116 registers.esi: 1986639720 registers.ecx: 562342291	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 55 bd 4a f7 df 3d f7 d5 55 56 8b 2c 24 51 c7 exception.symbol: remcos_a+0x234489 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2311305 exception.address: 0x634489 registers.esp: 1638236 registers.edi: 6496757 registers.eax: 26335 registers.ebp: 3969105940 registers.edx: 2130566132 registers.ebx: 383011929 registers.esi: 6531245 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 56 50 e9 e6 00 00 00 81 ed 2b exception.symbol: remcos_a+0x23496b exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2312555 exception.address: 0x63496b registers.esp: 1638236 registers.edi: 84201 registers.eax: 0 registers.ebp: 3969105940 registers.edx: 2130566132 registers.ebx: 383011929 registers.esi: 6507885 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 1a 00 00 00 83 04 24 ff 81 04 24 16 18 26 exception.symbol: remcos_a+0x23f31c exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2355996 exception.address: 0x63f31c registers.esp: 1638236 registers.edi: 1358981728 registers.eax: 28986 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 6543526 registers.esi: 1900854016 registers.ecx: 6550745	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 52 e9 83 03 00 00 55 bd 83 9c f7 73 e9 80 04 exception.symbol: remcos_a+0x250760 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2426720 exception.address: 0x650760 registers.esp: 1638200 registers.edi: 6619762 registers.eax: 28864 registers.ebp: 3969105940 registers.edx: 2130566132 registers.ebx: 2119237632 registers.esi: 6614639 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0f ff 34 24 5a 50 e9 cc fa ff ff exception.symbol: remcos_a+0x250a1f exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2427423 exception.address: 0x650a1f registers.esp: 1638204 registers.edi: 6648626 registers.eax: 28864 registers.ebp: 3969105940 registers.edx: 2130566132 registers.ebx: 2119237632 registers.esi: 6614639 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 52 89 34 24 54 e9 65 02 00 00 81 f5 c8 1f 2a exception.symbol: remcos_a+0x2506bf exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2426559 exception.address: 0x6506bf registers.esp: 1638204 registers.edi: 6648626 registers.eax: 28864 registers.ebp: 3969105940 registers.edx: 3711154770 registers.ebx: 2119237632 registers.esi: 6614639 registers.ecx: 4294941132	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 91 06 00 00 55 89 e5 e9 cd fb ff ff 81 ed exception.symbol: remcos_a+0x25130e exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2429710 exception.address: 0x65130e registers.esp: 1638204 registers.edi: 4012048568 registers.eax: 30354 registers.ebp: 3969105940 registers.edx: 4294939704 registers.ebx: 1631683244 registers.esi: 6614639 registers.ecx: 6653296	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 68 a6 4f 87 04 89 2c 24 bd 6f 78 7f 57 57 bf exception.symbol: remcos_a+0x251ca0 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2432160 exception.address: 0x651ca0 registers.esp: 1638200 registers.edi: 4012048568 registers.eax: 29591 registers.ebp: 3969105940 registers.edx: 6626159 registers.ebx: 205857050 registers.esi: 6614639 registers.ecx: 2078502080	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 68 22 7e 2b 2b 89 0c 24 e9 10 00 00 00 89 e1 exception.symbol: remcos_a+0x252452 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2434130 exception.address: 0x652452 registers.esp: 1638204 registers.edi: 4012048568 registers.eax: 0 registers.ebp: 3969105940 registers.edx: 6629202 registers.ebx: 1358981728 registers.esi: 6614639 registers.ecx: 2078502080	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 55 55 c7 04 24 ab 4d c2 6b c1 2c 24 02 81 34 exception.symbol: remcos_a+0x2536a2 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2438818 exception.address: 0x6536a2 registers.esp: 1638204 registers.edi: 6631431 registers.eax: 6663528 registers.ebp: 3969105940 registers.edx: 322689 registers.ebx: 4712881 registers.esi: 4294938664 registers.ecx: 0	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 52 ba a3 72 af 5f c1 ea 05 56 89 14 24 f7 14 exception.symbol: remcos_a+0x259410 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2462736 exception.address: 0x659410 registers.esp: 1638200 registers.edi: 3975606291 registers.eax: 25441 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 65786 registers.esi: 6655595 registers.ecx: 1971716238	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 4f fd ff ff 50 89 34 24 be f3 e0 d7 7c 81 exception.symbol: remcos_a+0x25938f exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2462607 exception.address: 0x65938f registers.esp: 1638204 registers.edi: 3975606291 registers.eax: 25441 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 65786 registers.esi: 6681036 registers.ecx: 1971716238	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 92 00 00 00 83 c4 04 e9 f2 00 00 00 bb 5e exception.symbol: remcos_a+0x2592fd exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2462461 exception.address: 0x6592fd registers.esp: 1638204 registers.edi: 4294944704 registers.eax: 98281 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 65786 registers.esi: 6681036 registers.ecx: 1971716238	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 55 53 68 70 c8 ca 46 89 14 24 c7 04 24 26 03 exception.symbol: remcos_a+0x25c5b9 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2475449 exception.address: 0x65c5b9 registers.esp: 1638200 registers.edi: 4294944704 registers.eax: 25212 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 932665569 registers.esi: 6681036 registers.ecx: 6668474	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 31 f6 ff 34 31 52 89 34 24 53 bb 1f a4 bf 5f exception.symbol: remcos_a+0x25c724 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2475812 exception.address: 0x65c724 registers.esp: 1638204 registers.edi: 4294944704 registers.eax: 25212 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 932665569 registers.esi: 6681036 registers.ecx: 6693686	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 ea 01 00 00 c7 04 24 a0 a9 4c 72 exception.symbol: remcos_a+0x25c6f2 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2475762 exception.address: 0x65c6f2 registers.esp: 1638204 registers.edi: 4294944704 registers.eax: 59734 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 932665569 registers.esi: 4294944748 registers.ecx: 6693686	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 53 e9 72 f6 ff ff 83 ec 04 e9 d2 fb ff ff 81 exception.symbol: remcos_a+0x25d6ca exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2479818 exception.address: 0x65d6ca registers.esp: 1638204 registers.edi: 4294944704 registers.eax: 26804 registers.ebp: 3969105940 registers.edx: 1901618421 registers.ebx: 932665569 registers.esi: 6698450 registers.ecx: 688913842	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 50 68 ba 8e eb 21 89 3c 24 53 e9 cf 02 00 00 exception.symbol: remcos_a+0x25cf8e exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2477966 exception.address: 0x65cf8e registers.esp: 1638204 registers.edi: 4294944704 registers.eax: 26804 registers.ebp: 3969105940 registers.edx: 607453008 registers.ebx: 932665569 registers.esi: 6698450 registers.ecx: 4294943160	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 50 e9 e1 00 00 00 83 c4 04 8f 04 24 8b 24 24 exception.symbol: remcos_a+0x26c3d6 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2540502 exception.address: 0x66c3d6 registers.esp: 1638204 registers.edi: 6735677 registers.eax: 29527 registers.ebp: 3969105940 registers.edx: 0 registers.ebx: 604277078 registers.esi: 10207496 registers.ecx: 4294967295	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 51 b9 b5 ff b6 33 89 4c 24 exception.symbol: remcos_a+0x27545f exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2577503 exception.address: 0x67545f registers.esp: 1638204 registers.edi: 6748482 registers.eax: 32454 registers.ebp: 3969105940 registers.edx: 582600 registers.ebx: 605325648 registers.esi: 4294937664 registers.ecx: 6803711	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 57 e9 dd 03 00 00 89 e6 e9 exception.symbol: remcos_a+0x280e8f exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2625167 exception.address: 0x680e8f registers.esp: 1638204 registers.edi: 4294937460 registers.eax: 15329618 registers.ebp: 3969105940 registers.edx: 582600 registers.ebx: 1971716070 registers.esi: 6851082 registers.ecx: 2119237632	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 55 bd 0a 82 bf 2f 81 ec 04 00 00 00 89 1c 24 exception.symbol: remcos_a+0x28e39d exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2679709 exception.address: 0x68e39d registers.esp: 1638200 registers.edi: 0 registers.eax: 30943 registers.ebp: 3969105940 registers.edx: 1977232858 registers.ebx: 6851636 registers.esi: 10207496 registers.ecx: 6873854	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb e9 d7 00 00 00 5b 52 ba 11 25 fa 57 31 d3 5a exception.symbol: remcos_a+0x28e97d exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2681213 exception.address: 0x68e97d registers.esp: 1638204 registers.edi: 0 registers.eax: 30943 registers.ebp: 3969105940 registers.edx: 1474398545 registers.ebx: 6851636 registers.esi: 0 registers.ecx: 6876625	1
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: fb 56 be c4 b8 f7 67 81 ee 74 9d 8b 54 c1 ee 01 exception.symbol: remcos_a+0x296cd1 exception.instruction: sti exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2714833 exception.address: 0x696cd1 registers.esp: 1638200 registers.edi: 0 registers.eax: 26977 registers.ebp: 3969105940 registers.edx: 11 registers.ebx: 6878145 registers.esi: 10207496 registers.ecx: 6907186	1

Connects to a Dynamic DNS Domain (2 events)

domain	ms-office1.duckdns.org
domain	ms-office.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (46 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 241664 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2024, 9:43 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (4 events)

section

{u'size_of_data': u'0x0003aa00', u'virtual_address': u'0x00001000', u'entropy': 7.987345933748962, u'name': u' \\x00 ', u'virtual_size': u'0x00075000'}

entropy

7.98734593375

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00001800', u'virtual_address': u'0x00076000', u'entropy': 7.486180765228967, u'name': u'.rsrc', u'virtual_size': u'0x00004af0'}

entropy

7.48618076523

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001ab800', u'virtual_address': u'0x0032a000', u'entropy': 7.941982672751419, u'name': u'yqqskrpr', u'virtual_size': u'0x001ac000'}

entropy

7.94198267275

description

A section with a high entropy has been found

entropy

0.994645588985

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 341 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Nov. 11, 2024, 9:43 a.m.	class_name: 18467-41 window_name:		0	0

A process attempted to delay the analysis task. (1 event)

description

remcos_a.exe tried to sleep 1397 seconds, actually delayed analysis time by 1397 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Nov. 11, 2024, 9:43 a.m.	thread_identifier: 0 callback_function: 0x004099d0 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	5702025	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 11, 2024, 9:43 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 68 eb c4 98 18 89 34 24 exception.symbol: remcos_a+0x216944 exception.instruction: in eax, dx exception.module: remcos_a.exe exception.exception_code: 0xc0000096 exception.offset: 2189636 exception.address: 0x616944 registers.esp: 1638236 registers.edi: 10300970 registers.eax: 1447909480 registers.ebp: 3969105940 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 6361676 registers.ecx: 20	1	0	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Remcos.m!c
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojandownloader.Generic
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Dump:Generic.Remcos.DADA99F8
Cylance	Unsafe
VIPRE	Dump:Generic.Remcos.DADA99F8
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Dump:Generic.Remcos.DADA99F8
K7GW	Trojan ( 00587f0f1 )
K7AntiVirus	Trojan ( 00587f0f1 )
Arcabit	Dump:Generic.Remcos.DADA99F8
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:RATX-gen [Trj]
Kaspersky	Backdoor.Win32.Remcos.yyg
Alibaba	Backdoor:Win32/Remcos.51313001
NANO-Antivirus	Trojan.Win32.Mlw.kthgmt
MicroWorld-eScan	Dump:Generic.Remcos.DADA99F8
Emsisoft	Dump:Generic.Remcos.DADA99F8 (B)
F-Secure	Heuristic.HEUR/AGEN.1314794
McAfeeD	Real Protect-LS!910327E16945
Trapmine	malicious.high.ml.score
CTX	exe.trojan.remcos
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.910327e1694532d0
Google	Detected
Avira	HEUR/AGEN.1314794
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Win32.Remcos.tr
Xcitium	Malware@#2j016mmqgksg9
Microsoft	Backdoor:Win32/Remcos!rfn
GData	Dump:Generic.Remcos.DADA99F8
Varist	W32/ABTrojan.QFSM-5966
AhnLab-V3	Trojan/Win.Generic.C5691507
McAfee	Artemis!910327E16945
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Backdoor.Remcos
Ikarus	Trojan.Win32.Themida
Panda	Trj/Chgt.AD
Zoner	Probably Heur.ExeHeaderL
Tencent	Win32.Backdoor.Remcos.Anhl
MaxSecure	Trojan.Malware.297477645.susgen
Fortinet	W32/Delf.EQM!tr

remcos_a.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All