IOC Report
SWIFTCOPYMT1030000000_pdf.exe

Files

| File Path | Type | Category | Malicious |
| --- | --- | --- | --- |
| SWIFTCOPYMT1030000000_pdf.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\Drikkelse\Nonaddicting.exe | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\System.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\nsv10BA.tmp\nsExec.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SWIFTCOPYMT10300_b9e5f432cb9f1954977155ad8a81be740fe4f69_4d2b002c_27de1eb3-8436-4619-8df8-ea2aad8a21e4\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF676.tmp.dmp | Mini DuMP crash report, 14 streams, Fri Apr 26 11:39:22 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF703.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERF743.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\Nonessential\Milched.gri | data | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\Nonessential\Uforstaaeligheds.Com | data | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy\perivesical.cer | Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0 | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\avram\Peatery50\Busboy\vanskabningers.txt | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\kryddernes\Kontorarbejderne\Helbredskontrollen.Ana | data | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\kryddernes\Kontorarbejderne\dhourra.dei | data | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\kryddernes\Kontorarbejderne\fiskeriinteressernes.bnk | data | dropped | |
| C:\Users\user\udskriftskartotek\chiromancy\refalling\kryddernes\Kontorarbejderne\motleyest.hea | data | dropped | |
| C:\Windows\Resources\0409\gashanens.ini | ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped | |

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "250^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "227^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "255^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "244^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "253^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "130^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "131^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "139^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "242^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "208^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "197^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "247^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "221^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "212^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "240^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "153^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "220^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "195^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "133^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "137^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "193^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "133^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "157^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "216^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "145^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "201^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "137^177"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c set /a "129^177"
malicious
C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe
"C:\Users\user\Desktop\SWIFTCOPYMT1030000000_pdf.exe"
malicious
C:\Windows\System32\Conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1092

URLs

| Name | IP | Malicious |
| --- | --- | --- |
| http://nsis.sf.net/NSIS_Error | unknown | |
| http://nsis.sf.net/NSIS_ErrorError | unknown | |
| http://94.156.8.104/yFtqL16.bin | 94.156.8.104 | |
| http://94.156.8.104/yFtqL16.binApokOpt103.78.0.98/yFtqL16.bin | unknown | |

IPs

| IP | Domain | Country | Malicious |
| --- | --- | --- | --- |
| 94.156.8.104 | unknown | Bulgaria | |

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Blankbook
malicious
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\swazi
stednavnene
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\housecraft\Uninstall\Chalcocite\bredsaaningerne
Orientalizes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Straalemestrene\Uninstall\ensky
lkkersultent
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Genos199\mellemskolen
pocheringer
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
ProgramId
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
FileId
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
LowerCaseLongPath
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
LongPathHash
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Name
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
OriginalFileName
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Publisher
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Version
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
BinFileVersion
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
BinaryType
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
ProductName
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
ProductVersion
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
LinkDate
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
BinProductVersion
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
AppxPackageFullName
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
AppxPackageRelativeId
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Size
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Language
\REGISTRY\A\{3a2867e5-97fb-b1a2-4cb9-ed2b34524ce5}\Root\InventoryApplicationFile\swiftcopymt10300|5b0ad39ef8e6acc2
Usn
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
TickCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
0018C00DBDA8E855
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceTicket
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
DeviceId

Memdumps

Base Address
Regiontype
Protect
Malicious
863000
heap
page read and write
malicious
81E000
heap
page read and write
malicious
85F6000
direct allocation
page execute and read and write
malicious