IOC Report
relay.dll

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| `relay.dll` | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_41a576617a4d91b2fca1f808095b0ff5072ae_7522e4b5_42b45446-5eab-40ec-af17-0c0f836199b4\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_947ae66e-1b85-463a-8ce6-0cbc4dae92d4\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_43a5166fcb246f7d77dda47518c3ad7a1b5fed0_7522e4b5_e91ff5ac-65a9-46ed-9bba-93ef15ff2f0b\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_58917a6b9efbc14a7f3eb3b1b9c8b1b9253d4_7522e4b5_1b83567d-f16f-46b8-80f9-995180bfbf98\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_2e868f36-de62-4ba6-9b84-fedb1c24e82b\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_80a7260b-cf6e-489e-a566-6a270c8c0270\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7b66fce5118c38f37fd6766cbdd34cc5acf99d_7522e4b5_d55df6fc-a234-4ca2-8311-086d43100733\Report.wer` | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER12B.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER14B.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F.tmp.dmp` | Mini DuMP crash report, 15 streams, Sat Apr 20 09:36:03 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5F.tmp.dmp` | Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8E.tmp.dmp` | Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERDEC.tmp.dmp` | Mini DuMP crash report, 14 streams, Sat Apr 20 09:36:06 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE93D.tmp.dmp` | Mini DuMP crash report, 14 streams, Sat Apr 20 09:35:57 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE94D.tmp.dmp` | Mini DuMP crash report, 15 streams, Sat Apr 20 09:35:57 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERE99.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA67.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA68.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAA7.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREAB6.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC8.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERED8.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE7.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERF07.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3DC.tmp.dmp` | Mini DuMP crash report, 15 streams, Sat Apr 20 09:35:59 2024, 0x1205a4 type | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERF44A.tmp.WERInternalMetadata.xml` | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERF47A.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\ProgramData\Microsoft\Windows\WER\Temp\WERF55.tmp.xml` | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve` | MS Windows registry file, NT/2000 or above | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve.tmp` | MS Windows registry file, NT/2000 or above | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG1` | MS Windows registry file, NT/2000 or above | dropped | |
| `C:\Windows\appcompat\Programs\Amcache.hve.tmp.LOG2` | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| `C:\Windows\System32\loaddll32.exe` | `loaddll32.exe "C:\Users\user\Desktop\relay.dll"` | |
| `C:\Windows\System32\conhost.exe` | `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` | |
| `C:\Windows\SysWOW64\cmd.exe` | `cmd.exe /C rundll32.exe "C:\Users\user\Desktop\relay.dll",#1` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe C:\Users\user\Desktop\relay.dll,Cancel` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",#1` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 6540 -s 672` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 632` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe C:\Users\user\Desktop\relay.dll,Finalize` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 620` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe C:\Users\user\Desktop\relay.dll,Initialize` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 624` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",Cancel` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",Finalize` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",Initialize` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",Run` | |
| `C:\Windows\SysWOW64\rundll32.exe` | `rundll32.exe "C:\Users\user\Desktop\relay.dll",PrepareRun` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 668` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 668` | |
| `C:\Windows\SysWOW64\WerFault.exe` | `C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 664` | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://upx.sf.net | unknown | |

Registry

Path
Value
Malicious
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProgramId
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
FileId
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LowerCaseLongPath
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LongPathHash
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Name
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
OriginalFileName
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Publisher
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Version
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinFileVersion
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinaryType
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProductName
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProductVersion
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LinkDate
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinProductVersion
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
AppxPackageFullName
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
AppxPackageRelativeId
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Size
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Language
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
IsOsComponent
\REGISTRY\A\{00e3fecd-e9f5-2144-ffc2-a2712e4b4115}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Usn
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
TickCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018C00DAC9758FC
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
CreatingCommand
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{11517B7C-E79D-4e20-961B-75A811715ADD}
CreatingModule
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AmiHivePermissionsCorrect
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AmiHiveOwnerCorrect
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AmiOverridePath
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile
ProviderSyncId
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProgramId
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
FileId
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LowerCaseLongPath
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LongPathHash
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Name
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
OriginalFileName
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Publisher
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Version
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinFileVersion
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinaryType
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProductName
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
ProductVersion
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
LinkDate
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
BinProductVersion
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
AppxPackageFullName
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
AppxPackageRelativeId
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Size
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Language
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
IsOsComponent
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile\rundll32.exe|ccf370e740f0e788
Usn
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018C00DAC9758FC
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
\REGISTRY\A\{dff6f116-9496-5caf-07d1-8d2a8b4283fe}\Root\InventoryApplicationFile
WritePermissionsCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018C00DAC9758FC
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
ApplicationFlags

Memdumps
