popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

mazx.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 April 28, 2021, 3:34 p.m. April 28, 2021, 3:37 p.m.
Size 17.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 342d651660cf2b0587d25f343aff786f
SHA256 fa84a0c29e5aa8ba804e8cdfaec78f1f642b7de25d89c02ff03a7a75588b4663
CRC32 238E789F
ssdeep 384:4z/GJAMGr+ncEfvadZ3fflIi+fxYGu0fDREXmXmfJMQ+/7+YoP5Ap5maBmQ:M/GdGb7x+fxYGu0ryWWfJMQ+/7+YoP5i
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
ldvamlwhdpetnyn.ml
A 172.67.208.174
A 104.21.85.176
172.67.208.174
IP Address Status Action
164.124.101.2 Active Moloch
172.67.208.174 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:61479 -> 164.124.101.2:53 2025106 ET INFO DNS Query for Suspicious .ml Domain Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Waiting for 1
console_handle: 0x00000007
1 1 0

WriteConsoleW

 buffer: seconds, press a key to continue ...
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x001e3310
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x001e3350
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x001e3350
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x00301620
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003014a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

 buffer: <INVALID POINTER>
crypto_handle: 0x003014a0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45b0 @ 0x6ff345b0
mscorlib+0x2f73b5 @ 0x6ff373b5
mscorlib+0x2eeaf8 @ 0x6ff2eaf8
mscorlib+0x2eea8f @ 0x6ff2ea8f
mscorlib+0x30c43f @ 0x6ff4c43f
system+0xe8021 @ 0x6e958021
system+0xe7f77 @ 0x6e957f77
system+0xd01da @ 0x6e9401da
system+0xcec0d @ 0x6e93ec0d
system+0xea387 @ 0x6e95a387
system+0xcec2d @ 0x6e93ec2d
system+0x6f7869 @ 0x6f9b7869
system+0x6f6e71 @ 0x6f9b6e71
system+0x6f3892 @ 0x6f9b3892
system+0x6f3514 @ 0x6f9b3514
system+0x6f42ec @ 0x6f9b42ec
0xb304e6
0xb30088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3797148
registers.edi: 0
registers.eax: 3797148
registers.ebp: 3797228
registers.edx: 0
registers.ebx: 2335312
registers.esi: 1796112
registers.ecx: 3498520633
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45a5 @ 0x6ff345a5
mscorlib+0x30a2fa @ 0x6ff4a2fa
microsoft+0x54d57 @ 0x6f134d57
microsoft+0x54b2d @ 0x6f134b2d
0xb30826
0xb30563
0xb30088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3797556
registers.edi: 0
registers.eax: 3797556
registers.ebp: 3797636
registers.edx: 2
registers.ebx: 2335312
registers.esi: 1796112
registers.ecx: 3498521281
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45b6 @ 0x6ff345b6
mscorlib+0x30a2fa @ 0x6ff4a2fa
microsoft+0x54d57 @ 0x6f134d57
microsoft+0x54b2d @ 0x6f134b2d
0xb30826
0xb30563
0xb30088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3797556
registers.edi: 0
registers.eax: 3797556
registers.ebp: 3797636
registers.edx: 2
registers.ebx: 2335312
registers.esi: 1796112
registers.ecx: 3498521281
1 0 0

__exception__

 stacktrace: 
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x98878c @ 0x705c878c
mscorlib+0x988d23 @ 0x705c8d23
0xb305bb
0xb30088
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3797648
registers.edi: 0
registers.eax: 3797648
registers.ebp: 3797728
registers.edx: 0
registers.ebx: 2335312
registers.esi: 1796112
registers.ecx: 3498521129
1 0 0

__exception__

 stacktrace: 
0xc91790
0xc90fb3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc91c03
registers.esp: 2749040
registers.edi: 2749064
registers.eax: 0
registers.ebp: 2749076
registers.edx: 195
registers.ebx: 2749324
registers.esi: 37016088
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0xc96fc0
0xc91521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 02 f0 2c 6e
exception.instruction: cmp byte ptr [edi], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc9fcbe
registers.esp: 2747776
registers.edi: 0
registers.eax: 37377988
registers.ebp: 2747824
registers.edx: 37377988
registers.ebx: 37377220
registers.esi: 37377184
registers.ecx: 1858619794
1 0 0

__exception__

 stacktrace: 
0xc97165
0xc91521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4c00921
registers.esp: 2747772
registers.edi: 2747812
registers.eax: 3
registers.ebp: 2747824
registers.edx: 0
registers.ebx: 37194696
registers.esi: 37409280
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0xc91521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f
exception.instruction: cmp dword ptr [eax + 4], 1
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc97252
registers.esp: 2747832
registers.edi: 37420276
registers.eax: 0
registers.ebp: 2749112
registers.edx: 37420276
registers.ebx: 37194696
registers.esi: 0
registers.ecx: 36512408
1 0 0

__exception__

 stacktrace: 
0xc97713
0xc91521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 c1 ea 2e 6a 89 45 c8 33 d2 89 55 dc 83
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4c02024
registers.esp: 2747760
registers.edi: 2747808
registers.eax: 0
registers.ebp: 2747824
registers.edx: 2747728
registers.ebx: 37194696
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0xc9798f
0xc91521
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x720a2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x720b264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x720b2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72167610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x721f1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x721f1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x721f1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x721f416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x736ef5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 39 09 e8 46 61 2e 6a 83 78 04 00 0f 84 3b 02 00
exception.instruction: cmp dword ptr [ecx], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x4c0a99f
registers.esp: 2747744
registers.edi: 2747808
registers.eax: 0
registers.ebp: 2747824
registers.edx: 2747712
registers.ebx: 37194696
registers.esi: 0
registers.ecx: 0
1 0 0
suspicious_features GET method with no useragent header suspicious_request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
suspicious_features GET method with no useragent header suspicious_request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
request GET http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 1245184
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00540000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00630000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72742000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00562000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00595000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0059b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00597000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00586000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00587000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0057a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0058b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b31000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0xfff30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b32000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b33000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b34000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b35000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2444
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b36000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 30
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400008
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040000c
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400010
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400016
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040001c
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400020
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400028
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040002c
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400034
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040003c
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040004c
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400050
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400054
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400058
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400060
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400064
process_handle: 0xffffffff
3221225541 0

NtProtectVirtualMemory

 process_identifier: 2444
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400068
process_handle: 0xffffffff
3221225541 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file C:\Users\test22\AppData\Local\Chromium\User Data
file C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data
cmdline cmd.exe /c timeout 1
cmdline "C:\Windows\System32\cmd.exe" /c timeout 1
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: cmd.exe
parameters: /c timeout 1
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc.\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\o1wryewq.newcfg
newfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
oldfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\o1wryewq.newcfg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc.\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
flags: 1
oldfilepath_r: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\xijw5ttl.newcfg
newfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\user.config
oldfilepath: C:\Users\test22\AppData\Local\柑柘栆栂栐栗栁柣柷柕_Inc\mazx.exe_Url_u03rti0hiw425amgogqqxre4p0spnbru\2.78.996.560\xijw5ttl.newcfg
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications smtp rule Network_SMTP_dotNet
description Run a KeyLogger rule KeyLogger
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2324
region_size: 245760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004c8
1 0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
description mazx.exe tried to sleep 13641049 seconds, actually delayed analysis time by 13641049 seconds
file C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: €0€ HX€häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsTlTX PKPy(CompanyNameKTo8FileDescriptionYhQ IDm0FileVersion7.1.0.4: InternalNameIvdv KTS.exez+LegalCopyrightCopyright 2020 © WMS. All rights reserved.2LegalTrademarksGWNpB OriginalFilenameIvdv KTS.exe2 ProductNameIvdv KTS4ProductVersion7.0.2.28Assembly Version7.0.2.2DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00438000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: p °7
base_address: 0x0043a000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2324
process_handle: 0x000004c8
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

 thread_identifier: 0
callback_function: 0x005813ea
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00400000
1 394055 0
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Process injection Process 2444 called NtSetContextThread to modify thread in remote process 2324
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4421550
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004dc
process_identifier: 2324
1 0 0
Process injection Process 2444 resumed a thread in remote process 2324
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000004dc
suspend_count: 1
process_identifier: 2324
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x00000154
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x00000190
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000003dc
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x0000029c
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3797356
registers.edi: 1225077
registers.eax: 2097270
registers.ebp: 3797360
registers.edx: 64867584
registers.ebx: 63104096
registers.esi: 343349
registers.ecx: 67317752
thread_handle: 0x000000e8
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3797764
registers.edi: 36783432
registers.eax: 3342425
registers.ebp: 3797768
registers.edx: 36856498
registers.ebx: 142424392
registers.esi: 90
registers.ecx: 143265792
thread_handle: 0x000000e8
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3797764
registers.edi: 36783372
registers.eax: 4587588
registers.ebp: 3797768
registers.edx: 36884288
registers.ebx: 55768584
registers.esi: 46
registers.ecx: 57724916
thread_handle: 0x000000e8
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtSetContextThread

 registers.eip: 1920740228
registers.esp: 3797856
registers.edi: 0
registers.eax: 16816
registers.ebp: 3797888
registers.edx: 121518392
registers.ebx: 1
registers.esi: 45393
registers.ecx: 36518564
thread_handle: 0x000000e8
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x000000e8
suspend_count: 1
process_identifier: 2444
1 0 0

NtResumeThread

 thread_handle: 0x00000290
suspend_count: 1
process_identifier: 2444
1 0 0

CreateProcessInternalW

 thread_identifier: 2624
thread_handle: 0x000004d4
process_identifier: 2276
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /c timeout 1
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000004d8
1 1 0

CreateProcessInternalW

 thread_identifier: 1048
thread_handle: 0x000004dc
process_identifier: 2324
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\mazx.exe
track: 1
command_line:
filepath_r: C:\Users\test22\AppData\Local\Temp\mazx.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000004c8
1 1 0

NtGetContextThread

 thread_handle: 0x000004dc
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2324
region_size: 245760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000004c8
1 0 0

WriteProcessMemory

 buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELd†`à  X®w @ À@…TwW€À   H.text´W X `.rsrcÀ€Z@@.reloc  ^@B
base_address: 0x00400000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer:
base_address: 0x00402000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: €0€ HX€häh4VS_VERSION_INFO½ïþ?ÈStringFileInfo¤040904b1, CommentsTlTX PKPy(CompanyNameKTo8FileDescriptionYhQ IDm0FileVersion7.1.0.4: InternalNameIvdv KTS.exez+LegalCopyrightCopyright 2020 © WMS. All rights reserved.2LegalTrademarksGWNpB OriginalFilenameIvdv KTS.exe2 ProductNameIvdv KTS4ProductVersion7.0.2.28Assembly Version7.0.2.2DVarFileInfo$Translation PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
base_address: 0x00438000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: p °7
base_address: 0x0043a000
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0xfffde008
process_identifier: 2324
process_handle: 0x000004c8
1 1 0

NtSetContextThread

 registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4421550
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000004dc
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x000004dc
suspend_count: 1
process_identifier: 2324
1 0 0

CreateProcessInternalW

 thread_identifier: 556
thread_handle: 0x00000084
process_identifier: 1976
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\timeout.exe
track: 1
command_line: timeout 1
filepath_r: C:\Windows\system32\timeout.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

 thread_handle: 0x000000e0
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x00000158
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x00000184
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x0000031c
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x0000033c
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

 thread_handle: 0x000003a0
suspend_count: 1
process_identifier: 2324
1 0 0
MicroWorld-eScan Trojan.GenericKD.36801069
FireEye Trojan.GenericKD.36801069
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:MSIL/Generic.516f301d
K7GW Trojan-Downloader ( 0057b8a01 )
Cyren W32/MSIL_Kryptik.EBP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/TrojanDownloader.Agent.HVE
APEX Malicious
Avast FileRepMalware
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.36801069
AegisLab Trojan.MSIL.Agensla.i!c
Ad-Aware Trojan.GenericKD.36801069
DrWeb Trojan.InjectNET.29
McAfee-GW-Edition Artemis!Trojan
Emsisoft Trojan.GenericKD.46191255 (B)
SentinelOne Static AI - Malicious PE
Webroot W32.Trojan.Gen
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft Trojan:MSIL/Agensla.GE!MTB
GData Win32.Trojan.Agent.W6GJFB
McAfee Artemis!342D651660CF
Malwarebytes Trojan.Downloader.MSIL
TrendMicro-HouseCall TROJ_GEN.R002H0DDR21
Rising Downloader.Agent!8.B23 (CLOUD)
Ikarus Win32.Outbreak
Fortinet MSIL/Agent.HVE!tr.dldr
BitDefenderTheta Gen:NN.ZemsilCO.34684.bm0@a8uD5Odi
AVG FileRepMalware