Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 29, 2024, 7:45 a.m.	March 29, 2024, 7:48 a.m.

Size	510.0KB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5	`7f264ba8e4c519ce90c6e3b430945476`
SHA256	`5157d8d5c583eea41772fb99793e13f9d7e3c3c2b0eb2cd876c65d1835cc8d8f`
CRC32	`949FC6D5`
ssdeep	`6144:rKeacbD2RU5+csDgVortcBiWg3cPXblkqDHd16Z6Zm5rULuW1+inHsvzUHFYWg5l:r3y1/D+McxaZvkL1pHyzWPp4xje9`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

go.exe "C:\Users\test22\AppData\Local\Temp\go.exe"
2556
- pop3.exe "C:\Users\test22\AppData\Local\Temp\pop3.exe"
  2644
  - installutil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    1308
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' & exit
812
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'
  152
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmpC03E.tmp.bat""
1404
- timeout.exe timeout 3
  2180

Name	Response	Post-Analysis Lookup
leetboy.dynuddns.net	A 185.196.11.223	185.196.11.223

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.196.11.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.196.11.223:1339 -> 192.168.56.101:49174	2400021	ET DROP Spamhaus DROP Listed Traffic Inbound group 22	Misc Attack
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2045995	ET INFO DYNAMIC_DNS Query to a *.dynuddns .net Domain	Potentially Bad Traffic
TCP 185.196.11.223:1339 -> 192.168.56.101:49174	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	Domain Observed Used for C2 Detected
TCP 185.196.11.223:1339 -> 192.168.56.101:49174	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	Domain Observed Used for C2 Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49174 185.196.11.223:1339	CN=AsyncRAT Server	CN=AsyncRAT Server	c0:74:2f:cf:ac:08:26:95:4d:1f:b6:6f:1e:ab:22:b3:91:b1:75:90

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 29, 2024, 7:46 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 29, 2024, 7:38 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:38 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:47 a.m.			0	0
IsDebuggerPresent March 29, 2024, 7:47 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 29, 2024, 7:46 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW March 29, 2024, 7:46 a.m.	buffer: SUCCESS: The scheduled task "svchos" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey March 29, 2024, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000030d1f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 29, 2024, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000030d500 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 29, 2024, 7:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000030d500 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 29, 2024, 7:45 a.m.		1	1	0

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 @ 0x76d853e4 BasepCheckBadapp+0xa2b LCMapStringW-0x785 kernel32+0x2064b @ 0x76c3064b CreateProcessInternalW+0x7dc BasepCheckBadapp-0xc94 kernel32+0x1ef8c @ 0x76c2ef8c New_kernel32_CreateProcessInternalW+0x208 New_kernel32_CreateRemoteThread-0x198 @ 0x73989b5a CreateProcessW+0x6c NeedCurrentDirectoryForExePathW-0x14 kernel32+0x21c1c @ 0x76c31c1c 0x7fe943cff07 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563bfc @ 0x7fef2933bfc mscorlib+0x486001 @ 0x7fef2856001 0x7fe943bc5c5 0x7fe943bbe5b 0x7fe943bb60f 0x7fe943b74cd 0x7fe943b7144 0x7fe943b67bd 0x7fe943cd08b 0x7fe943cfd77 0x7fe943cf3dd CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563c95 @ 0x7fef2933c95 mscorlib+0x486001 @ 0x7fef2856001 0x7fe943bc5c5 0x7fe943bbe5b 0x7fe943bb60f 0x7fe943b74cd 0x7fe943b7144 0x7fe943b67bd 0x7fe943b38dc 0x7fe943cbba2 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563c95 @ 0x7fef2933c95 mscorlib+0x486001 @ 0x7fef2856001 mscorlib+0x48c543 @ 0x7fef285c543 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 StrongNameTokenFromPublicKey+0x50f2 SetRuntimeInfo-0x3684e clr+0x9b042 @ 0x7fef3acb042 StrongNameTokenFromPublicKey+0x4e33 SetRuntimeInfo-0x36b0d clr+0x9ad83 @ 0x7fef3acad83 mscorlib+0x563bfc @ 0x7fef2933bfc mscorlib+0x486001 @ 0x7fef2856001 microsoft+0x1432c0 @ 0x7feef8e32c0 microsoft+0x13b31e @ 0x7feef8db31e microsoft+0x1a1808 @ 0x7feef941808 0x7fe943b10bb 0x7fe943b06c8 CoUninitializeEE+0x4c56f GetMetaDataInternalInterface-0x2b1ad clr+0x4f713 @ 0x7fef3a7f713 CoUninitializeEE+0x4c09e GetMetaDataInternalInterface-0x2b67e clr+0x4f242 @ 0x7fef3a7f242 CoUninitializeEE+0x4c167 GetMetaDataInternalInterface-0x2b5b5 clr+0x4f30b @ 0x7fef3a7f30b _CorExeMain+0x335c ClrCreateManagedInstance-0x15ae4 clr+0x1e721c @ 0x7fef3c1721c _CorExeMain+0x3ab6 ClrCreateManagedInstance-0x1538a clr+0x1e7976 @ 0x7fef3c17976 _CorExeMain+0x39b0 ClrCreateManagedInstance-0x15490 clr+0x1e7870 @ 0x7fef3c17870 _CorExeMain+0x3526 ClrCreateManagedInstance-0x1591a clr+0x1e73e6 @ 0x7fef3c173e6 _CorExeMain+0x347e ClrCreateManagedInstance-0x159c2 clr+0x1e733e @ 0x7fef3c1733e _CorExeMain+0x14 ClrCreateManagedInstance-0x18e2c clr+0x1e3ed4 @ 0x7fef3c13ed4 _CorExeMain+0x5d CLRCreateInstance-0x2bd3 mscoreei+0x74e5 @ 0x7fef4e874e5 _CorExeMain+0x69 ND_RU1-0x1707 mscoree+0x5b21 @ 0x7fef4f25b21 exception.instruction_r: 66 f2 af 48 8b 3c 24 48 f7 d1 48 ff c9 48 81 f9 exception.symbol: RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 exception.instruction: scasw ax, word ptr [rdi] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 349156 exception.address: 0x76d853e4 registers.r14: 0 registers.r15: 0 registers.rcx: -1 registers.rsi: 0 registers.r10: 29555246222803002 registers.rbx: 0 registers.rsp: 1636960 registers.r11: 452518540 registers.r8: 1617144 registers.r9: 0 registers.rdx: 4406636577536 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7398c6b2 TranslateSecurityAttributes+0x1934a PostErrorVA-0x13fab6 clr+0x3ac6b2 @ 0x7fef3ddc6b2 TranslateSecurityAttributes+0x15654 PostErrorVA-0x1437ac clr+0x3a89bc @ 0x7fef3dd89bc TranslateSecurityAttributes+0x15385 PostErrorVA-0x143a7b clr+0x3a86ed @ 0x7fef3dd86ed TranslateSecurityAttributes+0x11ee4 PostErrorVA-0x146f1c clr+0x3a524c @ 0x7fef3dd524c GetXMLElement+0x229e mscoreei+0x4450e @ 0x7fef4ec450e GetXMLElement+0x2234 mscoreei+0x444a4 @ 0x7fef4ec44a4 UnhandledExceptionFilter+0x160 RegFlushKey-0x2b0 kernel32+0x99490 @ 0x76ca9490 MD5Final+0x1de8 TpDbgSetLogRoutine-0xe7e8 ntdll+0x943b8 @ 0x76dc43b8 __C_specific_handler+0x9c RtlUnwindEx-0x48 ntdll+0x185a8 @ 0x76d485a8 RtlDecodePointer+0xbd NtdllDefWindowProc_W-0x139f ntdll+0x29d0d @ 0x76d59d0d RtlUnwindEx+0xbbf RtlRaiseException-0x3b1 ntdll+0x191af @ 0x76d491af New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlInitUnicodeStringEx+0x24 RtlFreeAnsiString-0x22c ntdll+0x553e4 @ 0x76d853e4 exception.instruction_r: 48 8b 01 4a 89 44 c6 78 4d 85 e4 74 08 4b 89 8c exception.symbol: RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a exception.instruction: mov rax, qword ptr [rcx] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 105050 exception.address: 0x76d49a5a registers.r14: 0 registers.r15: 0 registers.rcx: 120 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1617008 registers.r11: -128 registers.r8: 3 registers.r9: 1939989760 registers.rdx: 3 registers.r12: 0 registers.rbp: 0 registers.rdi: 1618672 registers.rax: 2 registers.r13: 0	1
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7398c6b2 TranslateSecurityAttributes+0x1934a PostErrorVA-0x13fab6 clr+0x3ac6b2 @ 0x7fef3ddc6b2 TranslateSecurityAttributes+0x15654 PostErrorVA-0x1437ac clr+0x3a89bc @ 0x7fef3dd89bc TranslateSecurityAttributes+0x15385 PostErrorVA-0x143a7b clr+0x3a86ed @ 0x7fef3dd86ed TranslateSecurityAttributes+0x11ee4 PostErrorVA-0x146f1c clr+0x3a524c @ 0x7fef3dd524c GetXMLElement+0x229e mscoreei+0x4450e @ 0x7fef4ec450e GetXMLElement+0x2234 mscoreei+0x444a4 @ 0x7fef4ec44a4 UnhandledExceptionFilter+0x160 RegFlushKey-0x2b0 kernel32+0x99490 @ 0x76ca9490 MD5Final+0x1de8 TpDbgSetLogRoutine-0xe7e8 ntdll+0x943b8 @ 0x76dc43b8 __C_specific_handler+0x9c RtlUnwindEx-0x48 ntdll+0x185a8 @ 0x76d485a8 RtlDecodePointer+0xbd NtdllDefWindowProc_W-0x139f ntdll+0x29d0d @ 0x76d59d0d RtlUnwindEx+0xbbf RtlRaiseException-0x3b1 ntdll+0x191af @ 0x76d491af exception.instruction_r: 49 8b 00 4a 89 84 cc 58 01 00 00 4c 8b 84 24 78 exception.symbol: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 exception.instruction: mov rax, qword ptr [r8] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 101877 exception.address: 0x76d48df5 registers.r14: 0 registers.r15: 0 registers.rcx: 0 registers.rsi: 452518448 registers.r10: 0 registers.rbx: 0 registers.rsp: 1614560 registers.r11: 1939984384 registers.r8: 120 registers.r9: 3 registers.rdx: 248 registers.r12: 2742176 registers.rbp: 1614688 registers.rdi: 4406636577536 registers.rax: 2 registers.r13: 8796092837888	1
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7398c6b2 TranslateSecurityAttributes+0x1934a PostErrorVA-0x13fab6 clr+0x3ac6b2 @ 0x7fef3ddc6b2 TranslateSecurityAttributes+0x15654 PostErrorVA-0x1437ac clr+0x3a89bc @ 0x7fef3dd89bc TranslateSecurityAttributes+0x15385 PostErrorVA-0x143a7b clr+0x3a86ed @ 0x7fef3dd86ed TranslateSecurityAttributes+0x11ee4 PostErrorVA-0x146f1c clr+0x3a524c @ 0x7fef3dd524c GetXMLElement+0x229e mscoreei+0x4450e @ 0x7fef4ec450e GetXMLElement+0x2234 mscoreei+0x444a4 @ 0x7fef4ec44a4 UnhandledExceptionFilter+0x160 RegFlushKey-0x2b0 kernel32+0x99490 @ 0x76ca9490 MD5Final+0x1de8 TpDbgSetLogRoutine-0xe7e8 ntdll+0x943b8 @ 0x76dc43b8 exception.instruction_r: 49 8b 00 4a 89 84 cc 58 01 00 00 4c 8b 84 24 78 exception.symbol: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 exception.instruction: mov rax, qword ptr [r8] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 101877 exception.address: 0x76d48df5 registers.r14: 1993539584 registers.r15: 1616432 registers.rcx: 0 registers.rsi: 1637008 registers.r10: 0 registers.rbx: 1994752420 registers.rsp: 1612640 registers.r11: 1939984384 registers.r8: 120 registers.r9: 3 registers.rdx: 248 registers.r12: 1994752408 registers.rbp: 1612944 registers.rdi: 0 registers.rax: 2 registers.r13: 181537	1
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7398c6b2 TranslateSecurityAttributes+0x1934a PostErrorVA-0x13fab6 clr+0x3ac6b2 @ 0x7fef3ddc6b2 TranslateSecurityAttributes+0x15654 PostErrorVA-0x1437ac clr+0x3a89bc @ 0x7fef3dd89bc TranslateSecurityAttributes+0x15385 PostErrorVA-0x143a7b clr+0x3a86ed @ 0x7fef3dd86ed TranslateSecurityAttributes+0x11ee4 PostErrorVA-0x146f1c clr+0x3a524c @ 0x7fef3dd524c GetXMLElement+0x229e mscoreei+0x4450e @ 0x7fef4ec450e exception.instruction_r: 49 8b 00 4a 89 84 cc 58 01 00 00 4c 8b 84 24 78 exception.symbol: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 exception.instruction: mov rax, qword ptr [r8] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 101877 exception.address: 0x76d48df5 registers.r14: 8791612212324 registers.r15: 1993454376 registers.rcx: 0 registers.rsi: 1612688 registers.r10: 0 registers.rbx: 0 registers.rsp: 1612320 registers.r11: 1939984384 registers.r8: 120 registers.r9: 3 registers.rdx: 248 registers.r12: 1612688 registers.rbp: 1637008 registers.rdi: 2538064 registers.rax: 2 registers.r13: 0	1
__exception__ March 29, 2024, 7:40 a.m.	stacktrace: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 @ 0x76d48df5 New_ntdll_RtlDispatchException+0x154 New_ntdll_RtlRemoveVectoredContinueHandler-0x33 @ 0x73996df1 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd New_ntdll_RtlDispatchException+0xfa New_ntdll_RtlRemoveVectoredContinueHandler-0x8d @ 0x73996d97 KiUserExceptionDispatcher+0x2e KiRaiseUserExceptionDispatcher-0x45 ntdll+0x51278 @ 0x76d81278 RtlVirtualUnwind+0x14a RtlCheckForOrphanedCriticalSections-0x356 ntdll+0x19a5a @ 0x76d49a5a RtlVirtualUnwind+0x37 RtlRestoreContext-0x19 kernel32+0x4b5e7 @ 0x76c5b5e7 stacktrace+0x1d1 memdup-0x62 @ 0x739805bd hook_in_monitor+0x45 lde-0x133 @ 0x739742ea New_kernel32_IsDebuggerPresent+0x19 New_kernel32_LoadResource-0x91 @ 0x7398c6b2 TranslateSecurityAttributes+0x1934a PostErrorVA-0x13fab6 clr+0x3ac6b2 @ 0x7fef3ddc6b2 TranslateSecurityAttributes+0x15654 PostErrorVA-0x1437ac clr+0x3a89bc @ 0x7fef3dd89bc exception.instruction_r: 49 8b 00 4a 89 84 cc 58 01 00 00 4c 8b 84 24 78 exception.symbol: RtlUnwindEx+0x805 RtlRaiseException-0x76b ntdll+0x18df5 exception.instruction: mov rax, qword ptr [r8] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 101877 exception.address: 0x76d48df5 registers.r14: 2538096 registers.r15: 1612688 registers.rcx: 0 registers.rsi: 0 registers.r10: 0 registers.rbx: 1612688 registers.rsp: 1612144 registers.r11: 1939984384 registers.r8: 120 registers.r9: 3 registers.rdx: 248 registers.r12: 1612688 registers.rbp: 8791594455564 registers.rdi: 2566816 registers.rax: 2 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000760000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000820000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef40cb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002020000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a32000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3a34000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe942ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9433c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94366000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe94282000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9429b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe9428b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 29, 2024, 7:38 a.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:39 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:39 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:39 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory March 29, 2024, 7:39 a.m.	process_identifier: 2644 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe943f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\pop3.exe
file	C:\Users\test22\AppData\Local\Temp\start.exe

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\pop3.exe
file	C:\Users\test22\AppData\Roaming\svchos.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\svchos.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0007e800', u'virtual_address': u'0x00002000', u'entropy': 7.971016395776296, u'name': u'.rdata', u'virtual_size': u'0x0007e7a3'}

entropy

7.97101639578

description

A section with a high entropy has been found

entropy

0.994106090373

description

Overall entropy of this PE file is high

Yara rule detected in process memory (42 events)

description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 6842f1576da1424d2750170cb208414feb6462a5
buffer	Buffer with sha1: 4dd29c3207a64282d8631c44ff2a9a15cba0d39c

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 29, 2024, 7:40 a.m.	process_identifier: 1308 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000244	1	0	0

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"'

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2644 manipulating memory of non-child process 0
NtUnmapViewOfSection March 29, 2024, 7:40 a.m.	base_address: 0x0000000000400000 region_size: 0 process_identifier: 0 process_handle: 0x0000000000333990		-1073741816	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÒ7Hbàê® @ `@` K õ @ H.text´é ê `.rsrcõ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: P8h ´#A 4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°tStringFileInfoP000004b0Comments"CompanyNameJFileDescriptionVenom RAT + HVNC,FileVersion5.0.56InternalNameClient.exeHLegalCopyrightCopyright © 2022LegalTrademarks>OriginalFilenameClient.exe,ProductNameVenom0ProductVersion5.0.58Assembly Version5.0.5.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0000000000412000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: °9 base_address: 0x0000000000414000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1308 process_handle: 0x0000000000000244	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÒ7Hbàê® @ `@` K õ @ H.text´é ê `.rsrcõ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2644 resumed a thread in remote process 1308
Process injection	Process 1404 resumed a thread in remote process 2440
NtResumeThread March 29, 2024, 7:40 a.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 1308	1	0	0
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2440	1	0	0

Executed a process and injected code into it, probably while unpacking (24 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 29, 2024, 7:45 a.m.	thread_identifier: 2648 thread_handle: 0x00000270 process_identifier: 2644 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\pop3.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\pop3.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\pop3.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000278	1	1
CreateProcessInternalW March 29, 2024, 7:45 a.m.	thread_identifier: 2688 thread_handle: 0x00000274 process_identifier: 2684 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\start.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\start.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\start.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000027c	1	1
NtResumeThread March 29, 2024, 7:38 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread March 29, 2024, 7:38 a.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread March 29, 2024, 7:38 a.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread March 29, 2024, 7:40 a.m.	thread_handle: 0x00000000000002a4 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread March 29, 2024, 7:40 a.m.	thread_handle: 0x00000000000002c4 suspend_count: 1 process_identifier: 2644	1	0
NtResumeThread March 29, 2024, 7:40 a.m.	thread_handle: 0x00000000000002e0 suspend_count: 1 process_identifier: 2644	1	0
CreateProcessInternalW March 29, 2024, 7:40 a.m.	thread_identifier: 1732 thread_handle: 0x0000000000000240 process_identifier: 1308 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000244	1	1
NtUnmapViewOfSection March 29, 2024, 7:40 a.m.	base_address: 0x0000000000400000 region_size: 0 process_identifier: 0 process_handle: 0x0000000000333990		-1073741816
NtAllocateVirtualMemory March 29, 2024, 7:40 a.m.	process_identifier: 1308 region_size: 90112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000244	1	0
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÒ7Hbàê® @ `@` K õ @ H.text´é ê `.rsrcõ ì@@.reloc@ú@B base_address: 0x0000000000400000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: base_address: 0x0000000000402000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: P8h ´#A 4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°tStringFileInfoP000004b0Comments"CompanyNameJFileDescriptionVenom RAT + HVNC,FileVersion5.0.56InternalNameClient.exeHLegalCopyrightCopyright © 2022LegalTrademarks>OriginalFilenameClient.exe,ProductNameVenom0ProductVersion5.0.58Assembly Version5.0.5.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x0000000000412000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: °9 base_address: 0x0000000000414000 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
WriteProcessMemory March 29, 2024, 7:40 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1308 process_handle: 0x0000000000000244	1	1
NtResumeThread March 29, 2024, 7:40 a.m.	thread_handle: 0x0000000000000240 suspend_count: 1 process_identifier: 1308	1	0
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 196 thread_handle: 0x00000084 process_identifier: 152 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\test22\AppData\Roaming\svchos.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 320 thread_handle: 0x00000084 process_identifier: 2180 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW March 29, 2024, 7:46 a.m.	thread_identifier: 2448 thread_handle: 0x00000088 process_identifier: 2440 current_directory: filepath: C:\Users\test22\AppData\Roaming\svchos.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\svchos.exe" filepath_r: C:\Users\test22\AppData\Roaming\svchos.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread March 29, 2024, 7:46 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2440	1	0
NtResumeThread March 29, 2024, 7:47 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread March 29, 2024, 7:47 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1308	1	0
NtResumeThread March 29, 2024, 7:47 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 1308	1	0

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Dapato.l!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	TjnDroppr.Dapato.S28495190
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Gen:Variant.FakeAlert.2
Cylance	unsafe
VIPRE	Gen:Variant.FakeAlert.2
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a7a3c1 )
BitDefender	Gen:Variant.FakeAlert.2
K7GW	Trojan ( 005a7a3c1 )
Cybereason	malicious.8e4c51
Arcabit	Trojan.FakeAlert.2
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDropper.Agent.SRM
APEX	Malicious
McAfee	GenericRXTU-AS!7F264BA8E4C5
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	TrojanDropper:Win32/Dapato.41245d7a
MicroWorld-eScan	Gen:Variant.FakeAlert.2
Rising	Backdoor.DcRat!8.129D9 (TFE:1:BNER4NzZWDL)
Emsisoft	Gen:Variant.FakeAlert.2 (B)
F-Secure	Trojan.TR/Crypt.ZPACK.Gen
TrendMicro	TROJ_GEN.R002C0DCS24
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.7f264ba8e4c519ce
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Tnega
Google	Detected
Avira	TR/Crypt.ZPACK.Gen
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Dropper]/Win32.Dapato
Kingsoft	malware.kb.b.975
Microsoft	TrojanDropper:Win32/Dapato!pz
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Win32.Trojan.PSE.102OIFV
Varist	W32/Lazy.U.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R497632
Acronis	suspicious
BitDefenderTheta	AI:Packer.D1ADD6341F
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Nitol
Malwarebytes	Trojan.Injector
Panda	Trj/Genetic.gen
Tencent	Msil.Trojan-Spy.Stealer.Rwhl
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.300983.susgen

go.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All