Summary | ZeroBOX

reader.jar

UPX, Malicious Library, PE File, DLL, OS Processor Check, PE32

Category | Machine | Started | Completed
FILE | s1_win7_x6402 | Aug. 4, 2021, 9:23 a.m. | Aug. 4, 2021, 9:46 a.m.
Size 6.9KB
Type Java archive data (JAR)
MD5 62f16f566ecdf99cfc14e82dadf0f18e
SHA256 04b9398217671d5282716edd773af60c3a57765b679214aa65a04f2565437190
CRC32 65BDC675
ssdeep 192:Qvu/IefKMEEjGOZCUY6vvoIi3A64r+jSWGrKnq14uCuxAW:yuxfTjGsYinb6Kr76uCW
Yara None matched

IP Address | Status | Action
162.241.216.53 | Active | Moloch
164.124.101.2 | Active | Moloch
185.228.233.17 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49162 -> 162.241.216.53:443 | 2028375 | ET JA3 Hash - Possible Malware - Java Based RAT | Unknown Traffic
TCP 192.168.56.102:49165 -> 185.228.233.17:80 | 2033203 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.228.233.17:80 | 2033203 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49165 -> 185.228.233.17:80 | 2033204 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49166 -> 185.228.233.17:80 | 2033204 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49167 -> 185.228.233.17:80 | 2033204 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 185.228.233.17:80 | 2033203 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49168 -> 185.228.233.17:80 | 2033204 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | Malware Command and Control Activity Detected
TCP 192.168.56.102:49169 -> 185.228.233.17:80 | 2033203 | ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | Malware Command and Control Activity Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLS 1.2 192.168.56.102:49162 -> 162.241.216.53:443 | C=US, O=Let's Encrypt, CN=R3 | CN=data.green-iraq.com | 32:13:a5:dc:f9:2e:54:7b:fc:57:ea:36:3c:5a:8a:9b:24:3b:5e:d6

Time & API | Arguments | Status | Return | Repeated
GetComputerNameW | computer_name: | 0 | 0 |
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: | 0 | 0 |
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
GetComputerNameW | computer_name: TEST22-PC | 1 | 1 | 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Time & API | Arguments | Status | Return | Repeated
GlobalMemoryStatusEx | | 1 | 1 | 0
Time & API | Arguments | Status | Return | Repeated
__exception__ | stacktrace: ; exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e; exception.instruction: mov eax, dword ptr [esi]; exception.exception_code: 0xc0000005; exception.symbol: ; exception.address: 0x2770202; registers.esp: 38401128; registers.edi: 1; registers.eax: 6; registers.ebp: 1945359552; registers.edx: 0; registers.ebx: 133120; registers.esi: 0; registers.ecx: 3405691582 | 1 | 0 | 0
request GET http://gtr.antoinfer.com/JpYeaQ5AOcDY/rfyxDpNI3mO/iJ3ovqS5v_2B5H/8_2FstgmLGy8SiY5LMx0P/EituxAw_2F1OT_2F/X1ci3b8Sjr8wAo1/66YBaY_2FksW8vd5vo/TEXd_2B2W/D2pVfVv3mXhAGWXDPytU/12Zw2ncyKTiv3go_2Fg/foUK_2BpSlCsNRew7G6G_2/FjRnzaxKHNolO/9wMZxS2S/ZbdD3kRoyjRmPKx8evdOYQv/LsnlVH7KdN/N715k_2Fp9Cvil0Rl/1RuaOQ5a0KCi/XN4U0cOQy7B/XKxlW1nVTT4OQl/g_2BHBlRyEvp6KHlKz5TY/rB2xcCyiu0f_2/Fli_2F
request GET http://app.bighomegl.at/2BX4usqR3CA_/2BGc5QtYAkk/5sQ6xMttRRkp2M/4e_2Bzb1wuuVdjXiLpFsr/WsqZJWNfhuYjSGsc/ideV2yEdm89knSR/K9gbcsE4Nafxh70syF/AFgpdwBcE/swkgenw1UzriUWCHteY_/2FJ1fxEg4WYRspNakt4/WsqnHSeo1RsAJxvNSqO_2B/KnTqsuw8WKdm1/RgI0C0Gy/VvsFdangS27BzKwMpW5lpaV/aiKt3hFrVz/_2FVaKCayP98D_2Fz/h_2BwIdo7MEP/4AsUgz2l7my/5pwDfQf2QeO339/g_2Fm3RUAzmV0QuWpfJeC/nSxN6eOQ/K
request GET http://gtr.antoinfer.com/RkrrjybChQ/2EXR8TFwqFx6VGRuO/Z1QFUB4IXCZD/Qd1860UstEI/0FpsdG207nYgJY/fCRqHqVZJg9116Ab4KV_2/FhRpJqUDX6mgFqsW/Gdwx_2F_2BxnFaZ/Lq789C1khgtpGx93q_/2Fhqyr4hh/GqqD1e8CEJbEMhIvrCSE/M3EODhmOAJC2X81BGtu/YufOphUnysDzRsTNhJMaEZ/YU8IWtJVc5pQ_/2FwODAJ_/2FIdXFF2zb5me4s4pKIB8JV/1tU8xhNTMv/53smDsLaBrxX39Lz0/eXPOugZCaKtZ/0_2FbCMp4zF/oc0_2F2k2mX/pUKZxw
request GET http://app.bighomegl.at/4E0ttg1gp_2Ftg4l1_2B/eWoaZ3c3FW95iKk417H/7xB7p1XLZlyeRkNPYn4CKT/J7muNdOXn6DxQ/ogzt4SJJ/GiRzl0CTb2sRT1GcnGWx_2B/5zRPscx2Yo/UlYLKtmtVbormrIIa/i98ki83IT3HK/7VbEyf0xeIm/AOmPHig3hq8uyi/r570yUoRqQ63LqrdYxqn1/tlGlFCDGGtgOANlU/wcwiSAfqxf_2FeM/8MyLGHvpPs9yFd_2FR/83vaIGBtT/N81Y9eyW0iXQcRmLwwPR/Me83RfWCGiivw4PiW2Y/fJVtnndZ/jQeTvlCOeJjw6/l
request GET http://gtr.antoinfer.com/NfYGW6X8yzwJ/TmELLbBwdW8/83tNWrSsAj2oO4/3mzyhwtyvu9xtyhBWsmEB/jvXNrSaYUeg9877Z/YkmJwmj7sbSiAPM/wvOnCYU3mtanlAAWVF/lEOl7A3Bg/rUbUyj5LWePdqjlbaGUW/iSW2ckc2ykuZHBzXpot/akHudVkA_2Fm_2Bq9if8ml/0wuZHIUOvWQk8/o4RWoGKb/KPtvXi6uRZ0s9YIobMM3iAx/mxuUhe9l8v/Zl4W6Dbg77k9Iw6Rk/bxaLW1uBN21L/4huFTLcw0rY/FfYqgoZ5_2BQXz/dzZVMlvJz6FcKlA/2o7a_2B
Time & API | Arguments | Status | Return | Repeated
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 163840; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02770000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02798000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027a0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027a8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027b0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027b8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027c0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027c8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027d0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027d8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027e0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027e8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027f0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x027f8000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02800000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02808000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02810000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02818000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02820000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02828000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02830000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02838000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02840000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02848000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02850000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02858000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02860000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02868000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02870000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02878000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02880000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02888000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02890000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x02898000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 32768; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x028a0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73bf0000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x76001000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x74d31000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73b91000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73b81000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 16384; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73c62000; process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 2252; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00410000; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 2252; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00420000; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); process_handle: 0xffffffff | 1 | 0 | 0
NtAllocateVirtualMemory | process_identifier: 2252; region_size: 147456; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00760000; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73b21000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73ad1000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73841000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73801000; process_handle: 0xffffffff | 1 | 0 | 0
NtProtectVirtualMemory | process_identifier: 2252; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73791000; process_handle: 0xffffffff | 1 | 0 | 0
file C:\Users\test22\winapp.dll
cmdline regsvr32.exe /s C:\Users\test22\winapp.dll
Symantec Trojan.Maljava
Kaspersky UDS:Trojan.Java.Alien.gen
McAfee-GW-Edition Artemis!Trojan
Ikarus Win32.Outbreak
Avira EXP/JAVA.Download.AMAA.Gen
Cynet Malicious (score: 99)
Time & API | Arguments | Status | Return | Repeated
NtProtectVirtualMemory | process_identifier: 1144; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; length: 65536; protection: 32 (PAGE_EXECUTE_READ); base_address: 0x16200000; process_handle: 0xffffffff | 1 | 0 | 0
Time & API | Arguments | Status | Return | Repeated
GetAdaptersAddresses | flags: 28; family: 0 | 1 | 0 | 0
Time & API | Arguments | Status | Return | Repeated
NtQuerySystemInformation | information_class: 8 (SystemProcessorPerformanceInformation) | 1 | 0 | 0
file C:\Users\test22\winapp.dll