popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mazx.exe

AsyncRAT KeyLogger SMTP AntiDebug PE File AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 28, 2021, 3:16 p.m. April 28, 2021, 3:18 p.m.
Size 17.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 342d651660cf2b0587d25f343aff786f
SHA256 fa84a0c29e5aa8ba804e8cdfaec78f1f642b7de25d89c02ff03a7a75588b4663
CRC32 238E789F
ssdeep 384:4z/GJAMGr+ncEfvadZ3fflIi+fxYGu0fDREXmXmfJMQ+/7+YoP5Ap5maBmQ:M/GdGb7x+fxYGu0ryWWfJMQ+/7+YoP5i
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)

Name Response Post-Analysis Lookup
ldvamlwhdpetnyn.ml
A 172.67.208.174
A 104.21.85.176
172.67.208.174
IP Address Status Action
104.21.85.176 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2025106 ET INFO DNS Query for Suspicious .ml Domain Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Waiting for 1
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006f9760
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006f97a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x006f97a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x007d1d18
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x007d1b98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x007d1b98
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45b0 @ 0x6ff345b0
mscorlib+0x2f73b5 @ 0x6ff373b5
mscorlib+0x2eeaf8 @ 0x6ff2eaf8
mscorlib+0x2eea8f @ 0x6ff2ea8f
mscorlib+0x30c43f @ 0x6ff4c43f
system+0xe8021 @ 0x6e958021
system+0xe7f77 @ 0x6e957f77
system+0xd01da @ 0x6e9401da
system+0xeb076 @ 0x6e95b076
system+0xeaf9e @ 0x6e95af9e
system+0x6f8f98 @ 0x6f9b8f98
system+0x9a204 @ 0x6f08a204
system+0x99ce4 @ 0x6f089ce4
system+0x9c316 @ 0x6f08c316
system+0x9a237 @ 0x6f08a237
system+0x99ce4 @ 0x6f089ce4
system+0x9f27c @ 0x6f08f27c
system+0xa7fe5 @ 0x6f097fe5
system+0xab6a2 @ 0x6f09b6a2
system+0xa1e00 @ 0x6f091e00
system+0x6f4ce3 @ 0x6f9b4ce3
system+0x6f6fb8 @ 0x6f9b6fb8
system+0x6f3892 @ 0x6f9b3892
system+0x6f3514 @ 0x6f9b3514
system+0x6f42ec @ 0x6f9b42ec
0x6404e6
0x640088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3861508
registers.edi: 0
registers.eax: 3861508
registers.ebp: 3861588
registers.edx: 3
registers.ebx: 7702904
registers.esi: 7172616
registers.ecx: 3004451574
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45a5 @ 0x6ff345a5
mscorlib+0x2f73b5 @ 0x6ff373b5
mscorlib+0x2eeaf8 @ 0x6ff2eaf8
mscorlib+0x2eea8f @ 0x6ff2ea8f
mscorlib+0x30c43f @ 0x6ff4c43f
system+0xe8021 @ 0x6e958021
system+0xe7f77 @ 0x6e957f77
system+0xd01da @ 0x6e9401da
system+0xeb076 @ 0x6e95b076
system+0xeaf9e @ 0x6e95af9e
system+0x6f8f98 @ 0x6f9b8f98
system+0x9a204 @ 0x6f08a204
system+0x99ce4 @ 0x6f089ce4
system+0x9c316 @ 0x6f08c316
system+0x9a237 @ 0x6f08a237
system+0x99ce4 @ 0x6f089ce4
system+0x9f27c @ 0x6f08f27c
system+0xa7fe5 @ 0x6f097fe5
system+0xab6a2 @ 0x6f09b6a2
system+0xa1e00 @ 0x6f091e00
system+0x6f4ce3 @ 0x6f9b4ce3
system+0x6f6fb8 @ 0x6f9b6fb8
system+0x6f3892 @ 0x6f9b3892
system+0x6f3514 @ 0x6f9b3514
system+0x6f42ec @ 0x6f9b42ec
0x6404e6
0x640088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3861508
registers.edi: 0
registers.eax: 3861508
registers.ebp: 3861588
registers.edx: 0
registers.ebx: 7702904
registers.esi: 7172616
registers.ecx: 3004451574
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45d1 @ 0x6ff345d1
mscorlib+0x30a2fa @ 0x6ff4a2fa
microsoft+0x54d57 @ 0x6f134d57
microsoft+0x54b2d @ 0x6f134b2d
0x640826
0x640563
0x640088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3862564
registers.edi: 0
registers.eax: 3862564
registers.ebp: 3862644
registers.edx: 2
registers.ebx: 7702904
registers.esi: 7172616
registers.ecx: 3004454614
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x98877e @ 0x705c877e
mscorlib+0x988d23 @ 0x705c8d23
0x6405bb
0x640088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3862656
registers.edi: 0
registers.eax: 3862656
registers.ebp: 3862736
registers.edx: 0
registers.ebx: 7702904
registers.esi: 7172616
registers.ecx: 3004454526
1 0 0

__exception__

 stacktrace: 
0x645efc
0x64542f
0x640a57
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d3711 @ 0x6ff13711
mscorlib+0x308f2d @ 0x6ff48f2d
mscorlib+0x2cb060 @ 0x6ff0b060
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x727c1838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x727c1737
mscorlib+0x2d36ad @ 0x6ff136ad
mscorlib+0x308f2d @ 0x6ff48f2d
microsoft+0x50c17 @ 0x6f130c17
microsoft+0x3f33f @ 0x6f11f33f
microsoft+0x3edf8 @ 0x6f11edf8
microsoft+0x3e3b9 @ 0x6f11e3b9
microsoft+0x17e980 @ 0x6f25e980
0x6407f3
0x640707
0x640088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 0f bf 01 eb 31 8d 55 e0 0f b6 01 88 02 0f b6 41
exception.instruction: movsx eax, word ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol: mscorlib+0x305ad2
exception.address: 0x6ff45ad2
registers.esp: 3860260
registers.edi: 3860284
registers.eax: 0
registers.ebp: 3860296
registers.edx: 0
registers.ebx: 43166788
registers.esi: 8417824
registers.ecx: 8417824
1 0 0

__exception__

 stacktrace: 
0x501790
0x500fb3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x501c03
registers.esp: 3993568
registers.edi: 3993592
registers.eax: 0
registers.ebp: 3993604
registers.edx: 195
registers.ebx: 3993852
registers.esi: 39507536
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x506fc0
0x501521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 02 f0 a5 6e
exception.instruction: cmp byte ptr [edi], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x50fcbe
registers.esp: 3992304
registers.edi: 0
registers.eax: 39869468
registers.ebp: 3992352
registers.edx: 39869468
registers.ebx: 39868700
registers.esi: 39868664
registers.ecx: 1858619794
1 0 0

__exception__

 stacktrace: 
0x507165
0x501521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2220921
registers.esp: 3992300
registers.edi: 3992340
registers.eax: 3
registers.ebp: 3992352
registers.edx: 0
registers.ebx: 39686176
registers.esi: 39900760
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x501521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x507252
registers.esp: 3992360
registers.edi: 39911756
registers.eax: 0
registers.ebp: 3993640
registers.edx: 39911756
registers.ebx: 39686176
registers.esi: 0
registers.ecx: 39002776
1 0 0

__exception__

 stacktrace: 
0x507713
0x501521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 c1 ea cc 6c 89 45 c8 33 d2 89 55 dc 83
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2222024
registers.esp: 3992288
registers.edi: 3992336
registers.eax: 0
registers.ebp: 3992352
registers.edx: 3992256
registers.ebx: 39686176
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x50798f
0x501521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 46 61 cc 6c 83 78 04 00 0f 84 3b 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x222a99f
registers.esp: 3992272
registers.edi: 3992336
registers.eax: 0
registers.ebp: 3992352
registers.edx: 3992240
registers.ebx: 39686176
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
suspicious_features GET method with no useragent header suspicious_request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ec000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00405000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003da000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003dc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00641000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00642000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00643000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00644000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00645000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2216
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00646000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00510000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720a2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x006f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002bd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00500000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a12000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00501000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
cmdline cmd.exe /c timeout 1
cmdline "C:\Windows\System32\cmd.exe" /c timeout 1
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc.\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\2al5xdjt.newcfg
newfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
oldfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\2al5xdjt.newcfg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc.\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\wusaed4l.newcfg
newfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
oldfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\wusaed4l.newcfg
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications smtp rule Network_SMTP_dotNet
description Run a KeyLogger rule KeyLogger
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 245760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004c8
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description mazx.exe tried to sleep 13641049 seconds, actually delayed analysis time by 13641049 seconds
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: €0€ HX€häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsTlTX PKPy(CompanyNameKTo8FileDescriptionYhQ IDm0FileVersion7.1.0.4: InternalNameIvdv KTS.exez+LegalCopyrightCopyright 2020 © WMS. All rights reserved.2LegalTrademarksGWNpB OriginalFilenameIvdv KTS.exe2 ProductNameIvdv KTS4ProductVersion7.0.2.28Assembly Version7.0.2.2DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00438000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: p °7
base_address: 0x0043a000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 1048
process_handle: 0x000004c8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x005113ea
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 328477 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process injection Process 2216 called NtSetContextThread to modify thread in remote process 1048
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4421550
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004dc
process_identifier: 1048
1 0 0
Process injection Process 2216 resumed a thread in remote process 1048
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000004dc
suspend_count: 1
process_identifier: 1048
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x00000194
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000003dc
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3861716
registers.edi: 1023128
registers.eax: 5177376
registers.ebp: 3861720
registers.edx: 101292888
registers.ebx: 101272392
registers.esi: 1013152
registers.ecx: 105385976
thread_handle: 0x000000ec
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3861716
registers.edi: 1224821
registers.eax: 4456535
registers.ebp: 3861720
registers.edx: 116690696
registers.ebx: 116002824
registers.esi: 881157
registers.ecx: 119140352
thread_handle: 0x000000ec
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3862772
registers.edi: 36127996
registers.eax: 3145781
registers.ebp: 3862776
registers.edx: 36207026
registers.ebx: 62463824
registers.esi: 4
registers.ecx: 63127552
thread_handle: 0x000000ec
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtGetContextThread

 thread_handle: 0x000000ec
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3862864
registers.edi: 0
registers.eax: 15402
registers.ebp: 3862896
registers.edx: 62463824
registers.ebx: 1
registers.esi: 41422
registers.ecx: 35863204
thread_handle: 0x000000ec
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2216
1 0 0

NtResumeThread

 thread_handle: 0x00000294
suspend_count: 1
process_identifier: 2216
1 0 0

CreateProcessInternalW

 thread_identifier: 2876
thread_handle: 0x000004d4
process_identifier: 2084
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c timeout 1
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004d8
1 1 0

CreateProcessInternalW

 thread_identifier: 656
thread_handle: 0x000004dc
process_identifier: 1048
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\mazx.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\mazx.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004c8
1 1 0

NtGetContextThread

 thread_handle: 0x000004dc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1048
region_size: 245760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004c8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: €0€ HX€häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsTlTX PKPy(CompanyNameKTo8FileDescriptionYhQ IDm0FileVersion7.1.0.4: InternalNameIvdv KTS.exez+LegalCopyrightCopyright 2020 © WMS. All rights reserved.2LegalTrademarksGWNpB OriginalFilenameIvdv KTS.exe2 ProductNameIvdv KTS4ProductVersion7.0.2.28Assembly Version7.0.2.2DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00438000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: p °7
base_address: 0x0043a000
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 1048
process_handle: 0x000004c8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4421550
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004dc
process_identifier: 1048
1 0 0

NtResumeThread

 thread_handle: 0x000004dc
suspend_count: 1
process_identifier: 1048
1 0 0

CreateProcessInternalW

 thread_identifier: 2044
thread_handle: 0x00000084
process_identifier: 1976
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout 1
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 1048
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1048
1 0 0

NtResumeThread

 thread_handle: 0x0000019c
suspend_count: 1
process_identifier: 1048
1 0 0
MicroWorld-eScan Trojan.GenericKD.36801069
FireEye Trojan.GenericKD.36801069
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:MSIL/Generic.516f301d
K7GW Trojan-Downloader ( 0057b8a01 )
Cyren W32/MSIL_Kryptik.EBP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.HVE
APEX Malicious
Avast FileRepMalware
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.36801069
AegisLab Trojan.MSIL.Agensla.i!c
Ad-Aware Trojan.GenericKD.36801069
DrWeb Trojan.InjectNET.29
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.GenericKD.46191255 (B)
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft Trojan:MSIL/Agensla.GE!MTB
GData Win32.Trojan.Agent.W6GJFB
McAfee Artemis!342D651660CF
Malwarebytes Trojan.Downloader.MSIL
TrendMicro-HouseCall TROJ_GEN.R002H0DDR21
Rising Downloader.Agent!8.B23 (CLOUD)
Ikarus Win32.Outbreak
Fortinet MSIL/Agent.HVE!tr.dldr
BitDefenderTheta Gen:NN.ZemsilCO.34684.bm0@a8uD5Odi
AVG FileRepMalware