Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
|
PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B0F622F0-4ECB-4A62-9DE8-0BE100D4B6DD
|
XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\???????.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 5 15:52:21
2022, mtime=Fri Aug 5 15:52:32 2022, atime=Fri Aug 5 15:52:32 2022, length=23552, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
|
ASCII text, with CRLF line terminators
|
modified
|
||
|
C:\Users\user\Desktop\???????.xls
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1200, Locale ID: 2052, Author: ma,
Last Saved By: Adminis, Create Time/Date: Sun Jul 25 22:22:00 2021, Last Saved Time/Date: Mon Jul 18 16:11:36 2022, Name of
Creating Application: WPS Of, Security: 0
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe
|
"C:\Users\user\Desktop\#U8d26#U53f7#U5bc6#U7801#U8868.xls.exe"
|
|
|
|
C:\Windows\System32\cmd.exe
|
c:\windows\system32\cmd.exe /C start ???????.xls
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
|
"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://jquery-min.us:8443/jquery-3.3.2.slim.min.js
|
|
||
|
https://api.diagnosticssdf.office.com
|
unknown
|
||
|
https://login.microsoftonline.com/
|
unknown
|
||
|
https://shell.suite.office.com:1443
|
unknown
|
||
|
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
|
unknown
|
||
|
https://autodiscover-s.outlook.com/
|
unknown
|
||
|
https://roaming.edog.
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
|
unknown
|
||
|
https://cdn.entity.
|
unknown
|
||
|
https://api.addins.omex.office.net/appinfo/query
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/tenantassociationkey
|
unknown
|
||
|
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
|
unknown
|
||
|
https://powerlift.acompli.net
|
unknown
|
||
|
https://rpsticket.partnerservices.getmicrosoftkey.com
|
unknown
|
||
|
https://lookup.onenote.com/lookup/geolocation/v1
|
unknown
|
||
|
https://cortana.ai
|
unknown
|
||
|
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://cloudfiles.onenote.com/upload.aspx
|
unknown
|
||
|
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://entitlement.diagnosticssdf.office.com
|
unknown
|
||
|
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
|
unknown
|
||
|
http://27.0.135.13/
|
unknown
|
||
|
https://api.aadrm.com/
|
unknown
|
||
|
https://ofcrecsvcapi-int.azurewebsites.net/
|
unknown
|
||
|
https://jquery-min.us:8443/jquery-3.3.2.slim.min.jsL
|
unknown
|
||
|
https://jquery-min.us:8443/
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
|
unknown
|
||
|
https://api.microsoftstream.com/api/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
|
unknown
|
||
|
https://cr.office.com
|
unknown
|
||
|
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
|
unknown
|
||
|
https://portal.office.com/account/?ref=ClientMeControl
|
unknown
|
||
|
https://jquery-min.us:8443/jquery-3.3.2.slim.min.js
|
unknown
|
||
|
https://graph.ppe.windows.net
|
unknown
|
||
|
https://res.getmicrosoftkey.com/api/redemptionevents
|
unknown
|
||
|
https://powerlift-frontdesk.acompli.net
|
unknown
|
||
|
https://tasks.office.com
|
unknown
|
||
|
https://officeci.azurewebsites.net/api/
|
unknown
|
||
|
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
|
unknown
|
||
|
https://my.microsoftpersonalcontent.com
|
unknown
|
||
|
https://store.office.cn/addinstemplate
|
unknown
|
||
|
https://api.aadrm.com
|
unknown
|
||
|
https://outlook.office.com/autosuggest/api/v1/init?cvid=
|
unknown
|
||
|
https://globaldisco.crm.dynamics.com
|
unknown
|
||
|
https://messaging.engagement.office.com/
|
unknown
|
||
|
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://dev0-api.acompli.net/autodetect
|
unknown
|
||
|
https://www.odwebp.svc.ms
|
unknown
|
||
|
https://api.diagnosticssdf.office.com/v2/feedback
|
unknown
|
||
|
https://api.powerbi.com/v1.0/myorg/groups
|
unknown
|
||
|
https://web.microsoftstream.com/video/
|
unknown
|
||
|
https://api.addins.store.officeppe.com/addinstemplate
|
unknown
|
||
|
https://graph.windows.net
|
unknown
|
||
|
https://dataservice.o365filtering.com/
|
unknown
|
||
|
https://officesetup.getmicrosoftkey.com
|
unknown
|
||
|
https://analysis.windows.net/powerbi/api
|
unknown
|
||
|
https://prod-global-autodetect.acompli.net/autodetect
|
unknown
|
||
|
https://jquery-min.us:8443/s
|
unknown
|
||
|
https://outlook.office365.com/autodiscover/autodiscover.json
|
unknown
|
||
|
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
|
unknown
|
||
|
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
|
unknown
|
||
|
http://27.0.135.13/%E6%B6%89%E7%96%AB%E8%BD%A8%E8%BF%B9%E6%A3%80%E6%9F%A5%E8%A1%A8.xls
|
27.0.135.13
|
||
|
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
|
unknown
|
||
|
https://ncus.contentsync.
|
unknown
|
||
|
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
|
unknown
|
||
|
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
|
unknown
|
||
|
http://weather.service.msn.com/data.aspx
|
unknown
|
||
|
https://apis.live.net/v5.0/
|
unknown
|
||
|
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
|
unknown
|
||
|
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
|
unknown
|
||
|
https://messaging.lifecycle.office.com/
|
unknown
|
||
|
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
|
unknown
|
||
|
https://management.azure.com
|
unknown
|
||
|
https://outlook.office365.com
|
unknown
|
||
|
http://code.jquery.com/
|
unknown
|
||
|
https://wus2.contentsync.
|
unknown
|
||
|
https://incidents.diagnostics.office.com
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/ios
|
unknown
|
||
|
https://insertmedia.bing.office.net/odc/insertmedia
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com
|
unknown
|
||
|
https://outlook.office365.com/api/v1.0/me/Activities
|
unknown
|
||
|
https://api.office.net
|
unknown
|
||
|
https://incidents.diagnosticssdf.office.com
|
unknown
|
||
|
https://asgsmsproxyapi.azurewebsites.net/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/android/policies
|
unknown
|
||
|
https://entitlement.diagnostics.office.com
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
|
unknown
|
||
|
https://substrate.office.com/search/api/v2/init
|
unknown
|
||
|
https://outlook.office.com/
|
unknown
|
||
|
https://storage.live.com/clientlogs/uploadlocation
|
unknown
|
||
|
https://outlook.office365.com/
|
unknown
|
||
|
https://webshell.suite.office.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
|
unknown
|
||
|
https://substrate.office.com/search/api/v1/SearchHistory
|
unknown
|
||
|
https://management.azure.com/
|
unknown
|
||
|
https://messaging.lifecycle.office.com/getcustommessage16
|
unknown
|
||
|
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize
|
unknown
|
||
|
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
There are 90 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
jquery-min.us
|
unknown
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
27.0.135.13
|
unknown
|
China
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
|
ProcessName
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
|
WindowName
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\Excel\system
|
WindowClassName
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@C:\Program Files\Common Files\Microsoft Shared\Office16\oregres.dll,-206
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
LangID
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE.FriendlyAppName
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
|
C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE.ApplicationCompany
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
e,)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
f,)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
RemoteClearDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
|
Last
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
FilePath
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
StartDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
EndDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Properties
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Url
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
LastClean
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableWinHttpCertAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableIsOwnerRegex
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableSessionAwareHttpClose
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALForExtendedApps
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALSetSilentAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableGuestCredProvider
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableOstringReplace
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
|
f4)
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\33867
|
33867
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\355B3
|
355B3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 21
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingConfigurableSettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastSyncTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastWriteTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\33867
|
33867
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
CacheReady
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
LastRequest
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
CacheReady
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
LastUpdate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ServicesManagerCache\ServicesCatalog
|
NextUpdate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Place MRU\Change
|
ChangeId
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 2
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 3
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 4
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 6
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 7
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 9
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 10
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 11
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 12
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 13
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 14
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 15
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 16
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 17
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 18
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 19
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU
|
Item 20
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\File MRU\Change
|
ChangeId
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Documents
|
LastPurgeTime
|
There are 60 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
C0001CE000
|
direct allocation
|
page read and write
|
|
|
|
C0001D4000
|
direct allocation
|
page read and write
|
|
|
|
26E30000
|
direct allocation
|
page execute and read and write
|
|
|
|
290F2550000
|
trusted library section
|
page read and write
|
||
|
1EE0FA00000
|
heap
|
page read and write
|
||
|
FB000
|
heap
|
page read and write
|
||
|
290F2656000
|
heap
|
page read and write
|
||
|
290F35E0000
|
trusted library allocation
|
page read and write
|
||
|
290F268D000
|
heap
|
page read and write
|
||
|
3251D8B000
|
stack
|
page read and write
|
||
|
B2FC2FF000
|
stack
|
page read and write
|
||
|
C0000E4000
|
direct allocation
|
page read and write
|
||
|
B2FC4FF000
|
stack
|
page read and write
|
||
|
C000186000
|
direct allocation
|
page read and write
|
||
|
C0000EE000
|
direct allocation
|
page read and write
|
||
|
290F7EDA000
|
heap
|
page read and write
|
||
|
290F267A000
|
heap
|
page read and write
|
||
|
1BEE1A75000
|
heap
|
page read and write
|
||
|
C000012000
|
direct allocation
|
page read and write
|
||
|
1BEE1B02000
|
heap
|
page read and write
|
||
|
E48000
|
direct allocation
|
page read and write
|
||
|
C0000D2000
|
direct allocation
|
page read and write
|
||
|
A0000
|
heap
|
page read and write
|
||
|
290F7EE0000
|
heap
|
page read and write
|
||
|
290F7EF8000
|
heap
|
page read and write
|
||
|
C0000D8000
|
direct allocation
|
page read and write
|
||
|
290F2DB1000
|
trusted library allocation
|
page read and write
|
||
|
C000118000
|
direct allocation
|
page read and write
|
||
|
C000080000
|
direct allocation
|
page read and write
|
||
|
1EE0FA8A000
|
heap
|
page read and write
|
||
|
32525FE000
|
stack
|
page read and write
|
||
|
1BEE1A00000
|
heap
|
page read and write
|
||
|
904000
|
unkown
|
page execute and read and write
|
||
|
290F7D40000
|
remote allocation
|
page read and write
|
||
|
290F2DD0000
|
trusted library allocation
|
page read and write
|
||
|
C0000A6000
|
direct allocation
|
page read and write
|
||
|
C000031000
|
direct allocation
|
page read and write
|
||
|
B2FC27B000
|
stack
|
page read and write
|
||
|
2242F849000
|
heap
|
page read and write
|
||
|
C0000A0000
|
direct allocation
|
page read and write
|
||
|
99478F9000
|
stack
|
page read and write
|
||
|
1BEE1A13000
|
heap
|
page read and write
|
||
|
2242F800000
|
heap
|
page read and write
|
||
|
80000
|
heap
|
page read and write
|
||
|
C0000B6000
|
direct allocation
|
page read and write
|
||
|
290F269F000
|
heap
|
page read and write
|
||
|
160C2C52000
|
heap
|
page read and write
|
||
|
B2FC37E000
|
stack
|
page read and write
|
||
|
1EE10202000
|
trusted library allocation
|
page read and write
|
||
|
2242F870000
|
heap
|
page read and write
|
||
|
1E16E2E0000
|
trusted library allocation
|
page read and write
|
||
|
290F7D20000
|
trusted library allocation
|
page read and write
|
||
|
2937E000
|
stack
|
page read and write
|
||
|
28B3A000
|
stack
|
page read and write
|
||
|
1E16E210000
|
trusted library allocation
|
page read and write
|
||
|
160C2C46000
|
heap
|
page read and write
|
||
|
290F3A60000
|
trusted library allocation
|
page read and write
|
||
|
1BEE1A82000
|
heap
|
page read and write
|
||
|
9947A7F000
|
stack
|
page read and write
|
||
|
C00010A000
|
direct allocation
|
page read and write
|
||
|
1CB000
|
direct allocation
|
page read and write
|
||
|
32520FF000
|
stack
|
page read and write
|
||
|
2242F730000
|
trusted library allocation
|
page read and write
|
||
|
C0000C4000
|
direct allocation
|
page read and write
|
||
|
2242F848000
|
heap
|
page read and write
|
||
|
E6E17F000
|
stack
|
page read and write
|
||
|
2242F879000
|
heap
|
page read and write
|
||
|
9947879000
|
stack
|
page read and write
|
||
|
290F2F13000
|
heap
|
page read and write
|
||
|
2242F850000
|
heap
|
page read and write
|
||
|
290F7AD0000
|
trusted library allocation
|
page read and write
|
||
|
290F23E0000
|
heap
|
page read and write
|
||
|
1EE0FB13000
|
heap
|
page read and write
|
||
|
290F7EF6000
|
heap
|
page read and write
|
||
|
160C2C70000
|
heap
|
page read and write
|
||
|
290F2F18000
|
heap
|
page read and write
|
||
|
B2FC3FF000
|
stack
|
page read and write
|
||
|
AC000
|
heap
|
page read and write
|
||
|
290F36D0000
|
trusted library section
|
page readonly
|
||
|
C00009C000
|
direct allocation
|
page read and write
|
||
|
2242F859000
|
heap
|
page read and write
|
||
|
290F7D10000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
1EE0F7D0000
|
heap
|
page read and write
|
||
|
290F7BE0000
|
trusted library allocation
|
page read and write
|
||
|
2242F856000
|
heap
|
page read and write
|
||
|
683A57B000
|
stack
|
page read and write
|
||
|
99479F9000
|
stack
|
page read and write
|
||
|
B2FC77E000
|
stack
|
page read and write
|
||
|
1E16E2D0000
|
trusted library allocation
|
page read and write
|
||
|
1C0000
|
direct allocation
|
page read and write
|
||
|
C000002000
|
direct allocation
|
page read and write
|
||
|
1BEE1890000
|
heap
|
page read and write
|
||
|
290F36E0000
|
trusted library section
|
page readonly
|
||
|
C0000FE000
|
direct allocation
|
page read and write
|
||
|
290F7E15000
|
heap
|
page read and write
|
||
|
C000035000
|
direct allocation
|
page read and write
|
||
|
C0000F4000
|
direct allocation
|
page read and write
|
||
|
2242F852000
|
heap
|
page read and write
|
||
|
C000098000
|
direct allocation
|
page read and write
|
||
|
C00018C000
|
direct allocation
|
page read and write
|
||
|
1BEE1A28000
|
heap
|
page read and write
|
||
|
2915F000
|
stack
|
page read and write
|
||
|
160C2D13000
|
heap
|
page read and write
|
||
|
290F7E3E000
|
heap
|
page read and write
|
||
|
32523F7000
|
stack
|
page read and write
|
||
|
268CF000
|
stack
|
page read and write
|
||
|
8F1000
|
unkown
|
page execute and read and write
|
||
|
290F2F18000
|
heap
|
page read and write
|
||
|
8F7000
|
unkown
|
page execute and read and write
|
||
|
1BEE1A02000
|
heap
|
page read and write
|
||
|
2242F83C000
|
heap
|
page read and write
|
||
|
2242F913000
|
heap
|
page read and write
|
||
|
C000100000
|
direct allocation
|
page read and write
|
||
|
290F2694000
|
heap
|
page read and write
|
||
|
C000197000
|
direct allocation
|
page read and write
|
||
|
C00002A000
|
direct allocation
|
page read and write
|
||
|
B2FBE79000
|
stack
|
page read and write
|
||
|
32521FC000
|
stack
|
page read and write
|
||
|
32522FB000
|
stack
|
page read and write
|
||
|
290F2DE0000
|
trusted library allocation
|
page read and write
|
||
|
1BEE1B13000
|
heap
|
page read and write
|
||
|
1E16E2C0000
|
heap
|
page readonly
|
||
|
623D1FB000
|
stack
|
page read and write
|
||
|
C000019000
|
direct allocation
|
page read and write
|
||
|
1E16E200000
|
trusted library allocation
|
page read and write
|
||
|
EC5000
|
heap
|
page read and write
|
||
|
C0000DA000
|
direct allocation
|
page read and write
|
||
|
C0001BC000
|
direct allocation
|
page read and write
|
||
|
160C2C50000
|
heap
|
page read and write
|
||
|
10000
|
heap
|
page read and write
|
||
|
E6E47E000
|
stack
|
page read and write
|
||
|
C0000E0000
|
direct allocation
|
page read and write
|
||
|
290F7EAC000
|
heap
|
page read and write
|
||
|
160C2B40000
|
heap
|
page read and write
|
||
|
105000
|
heap
|
page read and write
|
||
|
1E16E0D1000
|
heap
|
page read and write
|
||
|
20000
|
direct allocation
|
page read and write
|
||
|
683A47B000
|
stack
|
page read and write
|
||
|
99474AC000
|
stack
|
page read and write
|
||
|
1E16E2B0000
|
trusted library allocation
|
page read and write
|
||
|
1BEE18A0000
|
heap
|
page read and write
|
||
|
325207F000
|
stack
|
page read and write
|
||
|
160C2AD0000
|
heap
|
page read and write
|
||
|
C0000DE000
|
direct allocation
|
page read and write
|
||
|
1E16E070000
|
heap
|
page read and write
|
||
|
290F2E15000
|
heap
|
page read and write
|
||
|
290F3700000
|
trusted library section
|
page readonly
|
||
|
C0000E2000
|
direct allocation
|
page read and write
|
||
|
623CD8B000
|
stack
|
page read and write
|
||
|
160C2C29000
|
heap
|
page read and write
|
||
|
160C2C3C000
|
heap
|
page read and write
|
||
|
290F36C0000
|
trusted library section
|
page readonly
|
||
|
290F26FC000
|
heap
|
page read and write
|
||
|
160C2C00000
|
heap
|
page read and write
|
||
|
2242F85A000
|
heap
|
page read and write
|
||
|
1BEE21A0000
|
trusted library allocation
|
page read and write
|
||
|
26ACC000
|
stack
|
page read and write
|
||
|
C000180000
|
direct allocation
|
page read and write
|
||
|
B2FBF7B000
|
stack
|
page read and write
|
||
|
1E16DF40000
|
trusted library allocation
|
page read and write
|
||
|
290F263C000
|
heap
|
page read and write
|
||
|
290F26A1000
|
heap
|
page read and write
|
||
|
1BEE1A41000
|
heap
|
page read and write
|
||
|
2242F902000
|
heap
|
page read and write
|
||
|
905000
|
unkown
|
page execute and write copy
|
||
|
B2FBD77000
|
stack
|
page read and write
|
||
|
160C2C8E000
|
heap
|
page read and write
|
||
|
160C2AE0000
|
heap
|
page read and write
|
||
|
264CF000
|
stack
|
page read and write
|
||
|
1BEE2202000
|
trusted library allocation
|
page read and write
|
||
|
290F7E17000
|
heap
|
page read and write
|
||
|
160C2D00000
|
heap
|
page read and write
|
||
|
108000
|
heap
|
page read and write
|
||
|
290F2440000
|
heap
|
page read and write
|
||
|
1E16E310000
|
trusted library allocation
|
page read and write
|
||
|
1E16E190000
|
heap
|
page read and write
|
||
|
794000
|
unkown
|
page execute and write copy
|
||
|
C000190000
|
direct allocation
|
page read and write
|
||
|
160C2C7A000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute and read and write
|
||
|
290F7C04000
|
trusted library allocation
|
page read and write
|
||
|
1BEE1A53000
|
heap
|
page read and write
|
||
|
B2FC17B000
|
stack
|
page read and write
|
||
|
2242F908000
|
heap
|
page read and write
|
||
|
9947AFE000
|
stack
|
page read and write
|
||
|
290F7EA4000
|
heap
|
page read and write
|
||
|
290F7D40000
|
trusted library allocation
|
page read and write
|
||
|
C000017000
|
direct allocation
|
page read and write
|
||
|
10CF000
|
stack
|
page read and write
|
||
|
290F7D40000
|
remote allocation
|
page read and write
|
||
|
2242F5D0000
|
heap
|
page read and write
|
||
|
290F7E00000
|
heap
|
page read and write
|
||
|
2242F855000
|
heap
|
page read and write
|
||
|
160C2D08000
|
heap
|
page read and write
|
||
|
160C2C4F000
|
heap
|
page read and write
|
||
|
1EE0F940000
|
trusted library allocation
|
page read and write
|
||
|
290F2671000
|
heap
|
page read and write
|
||
|
290F23D0000
|
heap
|
page read and write
|
||
|
32524FE000
|
stack
|
page read and write
|
||
|
290F7C10000
|
trusted library allocation
|
page read and write
|
||
|
1BEE1B00000
|
heap
|
page read and write
|
||
|
290F2629000
|
heap
|
page read and write
|
||
|
C00009E000
|
direct allocation
|
page read and write
|
||
|
1EE0FB02000
|
heap
|
page read and write
|
||
|
99475AE000
|
stack
|
page read and write
|
||
|
160C2C88000
|
heap
|
page read and write
|
||
|
28D39000
|
stack
|
page read and write
|
||
|
DDF000
|
stack
|
page read and write
|
||
|
E20000
|
direct allocation
|
page read and write
|
||
|
290F2676000
|
heap
|
page read and write
|
||
|
290F7EFA000
|
heap
|
page read and write
|
||
|
22430002000
|
trusted library allocation
|
page read and write
|
||
|
160C2D02000
|
heap
|
page read and write
|
||
|
160C2B70000
|
trusted library allocation
|
page read and write
|
||
|
290F7D30000
|
trusted library allocation
|
page read and write
|
||
|
26CCF000
|
stack
|
page read and write
|
||
|
6839F3C000
|
stack
|
page read and write
|
||
|
C0000C9000
|
direct allocation
|
page read and write
|
||
|
1EE0FA70000
|
heap
|
page read and write
|
||
|
1C4000
|
direct allocation
|
page read and write
|
||
|
906000
|
unkown
|
page read and write
|
||
|
C0000CE000
|
direct allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
160C2C47000
|
heap
|
page read and write
|
||
|
EC0000
|
heap
|
page read and write
|
||
|
E6E377000
|
stack
|
page read and write
|
||
|
1E16EE00000
|
trusted library allocation
|
page read and write
|
||
|
290F7C20000
|
trusted library allocation
|
page read and write
|
||
|
266CF000
|
stack
|
page read and write
|
||
|
2242F900000
|
heap
|
page read and write
|
||
|
1E16E305000
|
heap
|
page read and write
|
||
|
290F7AC0000
|
trusted library allocation
|
page read and write
|
||
|
1E16E270000
|
trusted library allocation
|
page read and write
|
||
|
E40000
|
direct allocation
|
page read and write
|
||
|
290F7CB0000
|
trusted library allocation
|
page read and write
|
||
|
28F3F000
|
stack
|
page read and write
|
||
|
E0C000
|
direct allocation
|
page read and write
|
||
|
623D3F7000
|
stack
|
page read and write
|
||
|
994752F000
|
stack
|
page read and write
|
||
|
C000000000
|
direct allocation
|
page read and write
|
||
|
E6DD0F000
|
stack
|
page read and write
|
||
|
290F7C01000
|
trusted library allocation
|
page read and write
|
||
|
1E16E300000
|
heap
|
page read and write
|
||
|
C00000C000
|
direct allocation
|
page read and write
|
||
|
C000199000
|
direct allocation
|
page read and write
|
||
|
ADF000
|
stack
|
page read and write
|
||
|
290F7D00000
|
trusted library allocation
|
page read and write
|
||
|
1E16E170000
|
heap
|
page read and write
|
||
|
C00008E000
|
direct allocation
|
page read and write
|
||
|
C0000E6000
|
direct allocation
|
page read and write
|
||
|
C000094000
|
direct allocation
|
page read and write
|
||
|
C000008000
|
direct allocation
|
page read and write
|
||
|
290F36F0000
|
trusted library section
|
page readonly
|
||
|
E04000
|
direct allocation
|
page read and write
|
||
|
290F2DF0000
|
trusted library allocation
|
page read and write
|
||
|
290F268F000
|
heap
|
page read and write
|
||
|
290F7EF3000
|
heap
|
page read and write
|
||
|
146000
|
heap
|
page read and write
|
||
|
290F7EE2000
|
heap
|
page read and write
|
||
|
290F2F58000
|
heap
|
page read and write
|
||
|
E6E27B000
|
stack
|
page read and write
|
||
|
1BEE1900000
|
heap
|
page read and write
|
||
|
2242F84D000
|
heap
|
page read and write
|
||
|
B2FC07E000
|
stack
|
page read and write
|
||
|
290F7C00000
|
trusted library allocation
|
page read and write
|
||
|
623D0FE000
|
stack
|
page read and write
|
||
|
1E16E309000
|
heap
|
page read and write
|
||
|
290F7BEE000
|
trusted library allocation
|
page read and write
|
||
|
1EE0F7E0000
|
heap
|
page read and write
|
||
|
E6E0FD000
|
stack
|
page read and write
|
||
|
290F7BE8000
|
trusted library allocation
|
page read and write
|
||
|
C0001A2000
|
direct allocation
|
page read and write
|
||
|
290F2613000
|
heap
|
page read and write
|
||
|
1EE0FA02000
|
heap
|
page read and write
|
||
|
C0000FA000
|
direct allocation
|
page read and write
|
||
|
E00000
|
direct allocation
|
page read and write
|
||
|
C0001A8000
|
direct allocation
|
page read and write
|
||
|
2242F89C000
|
heap
|
page read and write
|
||
|
290F7C24000
|
trusted library allocation
|
page read and write
|
||
|
290F7E4B000
|
heap
|
page read and write
|
||
|
E6E57F000
|
stack
|
page read and write
|
||
|
1A0000
|
heap
|
page read and write
|
||
|
C000027000
|
direct allocation
|
page read and write
|
||
|
290F2DD3000
|
trusted library allocation
|
page read and write
|
||
|
C00008A000
|
direct allocation
|
page read and write
|
||
|
290F2600000
|
heap
|
page read and write
|
||
|
B2FB90B000
|
stack
|
page read and write
|
||
|
111000
|
heap
|
page read and write
|
||
|
623D5FF000
|
stack
|
page read and write
|
||
|
290F7E36000
|
heap
|
page read and write
|
||
|
683A67B000
|
stack
|
page read and write
|
||
|
290F3710000
|
trusted library section
|
page readonly
|
||
|
C000084000
|
direct allocation
|
page read and write
|
||
|
1C9000
|
direct allocation
|
page read and write
|
||
|
290F2540000
|
trusted library allocation
|
page read and write
|
||
|
C0000A2000
|
direct allocation
|
page read and write
|
||
|
160C2C4B000
|
heap
|
page read and write
|
||
|
C00000E000
|
direct allocation
|
page read and write
|
||
|
290F7EF8000
|
heap
|
page read and write
|
||
|
290F2713000
|
heap
|
page read and write
|
||
|
1EE0FA29000
|
heap
|
page read and write
|
||
|
1E16E0BE000
|
heap
|
page read and write
|
||
|
290F7CF0000
|
trusted library allocation
|
page read and write
|
||
|
160C2C4D000
|
heap
|
page read and write
|
||
|
E6DC8B000
|
stack
|
page read and write
|
||
|
E6DD8E000
|
stack
|
page read and write
|
||
|
C000182000
|
direct allocation
|
page read and write
|
||
|
1E16E0B6000
|
heap
|
page read and write
|
||
|
1EE0FA13000
|
heap
|
page read and write
|
||
|
623D4FE000
|
stack
|
page read and write
|
||
|
C00011A000
|
direct allocation
|
page read and write
|
||
|
2242F897000
|
heap
|
page read and write
|
||
|
121000
|
heap
|
page read and write
|
||
|
290F7C10000
|
trusted library allocation
|
page read and write
|
||
|
2242F813000
|
heap
|
page read and write
|
||
|
C000090000
|
direct allocation
|
page read and write
|
||
|
C0001AC000
|
direct allocation
|
page read and write
|
||
|
1E16DF30000
|
heap
|
page read and write
|
||
|
623D2FB000
|
stack
|
page read and write
|
||
|
1EE0F840000
|
heap
|
page read and write
|
||
|
C0000B8000
|
direct allocation
|
page read and write
|
||
|
C00001B000
|
direct allocation
|
page read and write
|
||
|
2242F829000
|
heap
|
page read and write
|
||
|
906000
|
unkown
|
page write copy
|
||
|
1E16E0BE000
|
heap
|
page read and write
|
||
|
1EE0FA3C000
|
heap
|
page read and write
|
||
|
290F2F02000
|
heap
|
page read and write
|
||
|
2242F84F000
|
heap
|
page read and write
|
||
|
2242F5C0000
|
heap
|
page read and write
|
||
|
160C3602000
|
trusted library allocation
|
page read and write
|
||
|
2242F84C000
|
heap
|
page read and write
|
||
|
1E16E0BE000
|
heap
|
page read and write
|
||
|
2242F853000
|
heap
|
page read and write
|
||
|
994797F000
|
stack
|
page read and write
|
||
|
C000014000
|
direct allocation
|
page read and write
|
||
|
C00011C000
|
direct allocation
|
page read and write
|
||
|
290F7BE0000
|
trusted library allocation
|
page read and write
|
||
|
C0000A8000
|
direct allocation
|
page read and write
|
||
|
290F7E2B000
|
heap
|
page read and write
|
||
|
290F2F00000
|
heap
|
page read and write
|
||
|
C0000C0000
|
direct allocation
|
page read and write
|
||
|
B2FC57F000
|
stack
|
page read and write
|
||
|
C000010000
|
direct allocation
|
page read and write
|
||
|
1E16F040000
|
trusted library allocation
|
page read and write
|
||
|
290F7D40000
|
remote allocation
|
page read and write
|
||
|
C000088000
|
direct allocation
|
page read and write
|
||
|
290F7EF4000
|
heap
|
page read and write
|
||
|
290F2702000
|
heap
|
page read and write
|
||
|
C000025000
|
direct allocation
|
page read and write
|
||
|
C0001AE000
|
direct allocation
|
page read and write
|
||
|
131000
|
heap
|
page read and write
|
||
|
C000020000
|
direct allocation
|
page read and write
|
||
|
2242F630000
|
heap
|
page read and write
|
||
|
623D07F000
|
stack
|
page read and write
|
||
|
2242F84B000
|
heap
|
page read and write
|
||
|
160C2C13000
|
heap
|
page read and write
|
||
|
290F2E00000
|
heap
|
page read and write
|
||
|
683A77E000
|
stack
|
page read and write
|
||
|
B2FC47E000
|
stack
|
page read and write
|
||
|
290F2E02000
|
heap
|
page read and write
|
||
|
290F268A000
|
heap
|
page read and write
|
||
|
C0000F2000
|
direct allocation
|
page read and write
|
||
|
160C2C4C000
|
heap
|
page read and write
|
||
|
290F9000000
|
heap
|
page read and write
|
||
|
290F7E65000
|
heap
|
page read and write
|
There are 356 hidden memdumps, click here to show them.