IOC Report
2fiDcmkaZY.exe

Files

File Path

Type

Category

Malicious

2fiDcmkaZY.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.459199222303618
Filename:	2fiDcmkaZY.exe
Filesize:	75264
MD5:	a8ac57500de5dadf8c4db19959ddf2ec
SHA1:	202baa4b862222951619adc032fd2883562113b2
SHA256:	fcc7cc8f57d5a2a525d8026e81f69318262ca4e9036a726e26b1e3406f6f52d5
SHA512:	52ac5555cd39250903965ef6b30dbafcbe73e5f33b7d07a443cc3678e77ee3ce0736e2a70881f23c2002318b9dfba59d482cd724e5f8fdcf8084b2f6e6f826e8
SSDEEP:	1536:055u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:mMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
Preview:	MZ......................@...............................................!..L.!This ...l!sm cannot be run in DOS mode....$.......AU@..4...4...4..Ce...4..Ce...4...f...4...4...4...L...4...4/..4...f...4...f...4...f...4..Rich.4..................PE..L...].vZ...

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Antivirus / Scanner detection for submitted sample	AV Detection
Contains functionality to determine the online IP of the system	Networking	System Network Connections Discovery
Found Tor onion address	Networking	Proxy
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Machine Learning detection for sample	AV Detection
May check the online IP address of the machine	Networking
Uses 32bit PE files	Compliance, System Summary	Masquerading
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	Native API
Yara signature match	System Summary
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
Detected potential crypto function	System Summary	Process Discovery
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Creates a DirectInput object (often for capturing keystrokes)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	Native API File and Directory Discovery
Drops PE files	Persistence and Installation Behavior
Contains functionality to enumerate device drivers	Malware Analysis System Evasion	Process Discovery
Checks for available system drives (often done to infect USB drives)	Spreading	Replication Through Removable Media Peripheral Device Discovery
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	Encrypted Channel
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sample is known by Antivirus	System Summary
PE file has an executable .text section and no other executable section	System Summary
Reads software policies	System Summary
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Uses an in-process (OLE) Automation server	System Summary
Creates files inside the user directory	System Summary	Masquerading
Contains functionality to check free disk space	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Contains functionality to enum processes or threads	System Summary	Process Discovery
Program exit points	Malware Analysis System Evasion
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
URLs found in memory or binary data	Networking
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Reads the hosts file	System Summary	Remote System Discovery Ingress Tool Transfer
Contains functionality to import cryptographic keys (often used in ransomware)	Spam, unwanted Advertisements and Ransom Demands	Archive Collected Data Data Encrypted for Impact
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary

C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe
Category:	dropped
Dump:	tdicrr.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.459228563179094
Encrypted:	false
Ssdeep:	1536:G55u555555555pmgSeGDjtQhnwmmB0ybMqqU+2bbbAV2/S2mr3IdE8mne0Avu5rJ:sMSjOnrmBTMqqDL2/mr3IdE8we0Avu5h
Size:	75264
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for dropped file	AV Detection
Yara detected Gandcrab	Spam, unwanted Advertisements and Ransom Demands
Found evasive API chain (may stop execution after checking mutex)	Malware Analysis System Evasion	Native API
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found evaded block containing many API calls	Malware Analysis System Evasion	Native API
Queries information about the installed CPU (vendor, model number etc)	Language, Device and Operating System Detection	System Information Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Creates files inside the user directory	System Summary	Masquerading
Program exit points	Malware Analysis System Evasion
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Category:	dropped
Dump:	89dad5d484a9f889a3a8dfca823edc3e_d06ed635-68f6-4e9a-955c-4899f5f57b9a.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Type:	data
Entropy:	0.0
Encrypted:	false
Ssdeep:	3::
Size:	2219
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\2fiDcmkaZY.exe

"C:\Users\user\Desktop\2fiDcmkaZY.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe

"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe

"C:\Users\user\AppData\Roaming\Microsoft\tdicrr.exe"

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup gandcrab.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup nomoreransom.bit dns1.soprodns.ru

C:\Windows\SysWOW64\nslookup.exe

nslookup emsisoft.bit dns1.soprodns.ru

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 51 hidden processes, click here to show them.

URLs

Name

IP

Malicious

http://gdcbghvjyqy7jclk.onion.casa/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion.casa/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://gdcbghvjyqy7jclk.onion/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://gdcbghvjyqy7jclk.onion.top/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion.top/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp

Signature Hits	Behavior Group	Mitre Attack
Antivirus detection for URL or domain	AV Detection
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://gdcbghvjyqy7jclk.onion.plus/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion.plus/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://gdcbghvjyqy7jclk.onion.rip/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion.rip/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

https://www.torproject.org/

unknown

Details

Name:	https://www.torproject.org/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://gdcbghvjyqy7jclk.onion.guide/2d028d577a0eb038

unknown

Details

Name:	http://gdcbghvjyqy7jclk.onion.guide/2d028d577a0eb038
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.598939067.0000000000A69000.00000004.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Found Tor onion address	Networking	Proxy
URLs found in memory or binary data	Networking

http://ipv4bot.whatismyipaddress.com/

unknown

Details

Name:	http://ipv4bot.whatismyipaddress.com/
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.599059548.000000000120A000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://ipv4bot.whatismyipaddress.com/n

unknown

Details

Name:	http://ipv4bot.whatismyipaddress.com/n
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Source:	2fiDcmkaZY.exe, 00000000.00000002.599059548.000000000120A000.00000004.00000020.00020000.00000000.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Domains

Name

IP

Malicious

emsisoft.bit

unknown

Details

Name:	emsisoft.bit
TargetID:	68
Current Path:	C:\Windows\SysWOW64\nslookup.exe

Signature Hits	Behavior Group	Mitre Attack
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

nomoreransom.bit

unknown

Details

Name:	nomoreransom.bit
TargetID:	49
Current Path:	C:\Windows\SysWOW64\nslookup.exe

Signature Hits	Behavior Group	Mitre Attack
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

gandcrab.bit

unknown

Details

Name:	gandcrab.bit
TargetID:	64
Current Path:	C:\Windows\SysWOW64\nslookup.exe

Signature Hits	Behavior Group	Mitre Attack
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

dns1.soprodns.ru

unknown

Details

Name:	dns1.soprodns.ru
TargetID:	49
Current Path:	C:\Windows\SysWOW64\nslookup.exe

Signature Hits	Behavior Group	Mitre Attack
Uses nslookup.exe to query domains	Networking	System Network Configuration Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

ipv4bot.whatismyipaddress.com

unknown

Details

Name:	ipv4bot.whatismyipaddress.com
TargetID:	0
Current Path:	C:\Users\user\Desktop\2fiDcmkaZY.exe
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to determine the online IP of the system	Networking	System Network Connections Discovery
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

8.8.8.8.in-addr.arpa

unknown

IPs

IP

Domain

Country

Malicious

192.168.2.1

unknown

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

tbmdhshhgoz

Memdumps

Base Address

Regiontype

Protect

Malicious

C79000

unkown

page write copy

C79000

unkown

page read and write

C79000

unkown

page read and write

A69000

unkown

page write copy

C79000

unkown

page write copy

A69000

unkown

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1F5A7C66000

heap

page read and write

1F5A8602000

trusted library allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

C6D000

stack

page read and write

A74000

unkown

page readonly

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1F5A7C4A000

heap

page read and write

1144000

heap

page read and write

DCB927E000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1120000

direct allocation

page read and write

122A000

heap

page read and write

26B2BC29000

heap

page read and write

1144000

heap

page read and write

2AFEF285000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1080000

trusted library allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BA90000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BAA0000

heap

page read and write

DCB8F3B000

stack

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

12A0000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1F5A7C55000

heap

page read and write

2AFEF160000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A7C66000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2AFEF264000

heap

page read and write

2E00000

direct allocation

page execute and read and write

1144000

heap

page read and write

1144000

heap

page read and write

E9F418F000

stack

page read and write

1144000

heap

page read and write

C7CD5FF000

stack

page read and write

1144000

heap

page read and write

C20000

trusted library allocation

page read and write

1144000

heap

page read and write

26B2BD02000

heap

page read and write

DD0000

trusted library allocation

page read and write

C7CCFAF000

stack

page read and write

1144000

heap

page read and write

1190000

direct allocation

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

A61000

unkown

page execute read

122A000

heap

page read and write

1144000

heap

page read and write

C71000

unkown

page execute read

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

11A0000

direct allocation

page read and write

E5C000

stack

page read and write

1144000

heap

page read and write

2E90000

direct allocation

page execute and read and write

2DF0000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

2AFEF226000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

C7CD2FB000

stack

page read and write

1144000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

26B2C402000

trusted library allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1277000

heap

page read and write

2AFEF229000

heap

page read and write

1144000

heap

page read and write

C84000

unkown

page readonly

122A000

heap

page read and write

26B2BC4D000

heap

page read and write

1270000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

341E000

stack

page read and write

1144000

heap

page read and write

BAC000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC49000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

2AFEF100000

heap

page read and write

1144000

heap

page read and write

26B2BC7F000

heap

page read and write

E9F4877000

stack

page read and write

E9F497F000

stack

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1000000

direct allocation

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A7D02000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

A40000

heap

page read and write

1144000

heap

page read and write

DCB97FF000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2EA1000

heap

page read and write

1144000

heap

page read and write

2AFEF28A000

heap

page read and write

1144000

heap

page read and write

26B2BD00000

heap

page read and write

2AFEF25D000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2EA1000

heap

page read and write

C82000

unkown

page write copy

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC4E000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2E7E000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

120A000

heap

page read and write

1144000

heap

page read and write

AAD000

stack

page read and write

1F5A7C50000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2AFEF262000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

DCB93FD000

stack

page read and write

10FB000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

14DF000

stack

page read and write

26B2BC4F000

heap

page read and write

1010000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

E9F467B000

stack

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A7C70000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

12DE000

stack

page read and write

1144000

heap

page read and write

369E000

stack

page read and write

10E0000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1120000

direct allocation

page read and write

D6C000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

C71000

unkown

page execute read

38F0000

direct allocation

page execute and read and write

122A000

heap

page read and write

1120000

direct allocation

page read and write

1144000

heap

page read and write

26B2BC4B000

heap

page read and write

1144000

heap

page read and write

2AFEF300000

heap

page read and write

1144000

heap

page read and write

1F5A7B80000

heap

page read and write

1144000

heap

page read and write

1265000

heap

page read and write

10EA000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

BE0000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

15BF000

stack

page read and write

1144000

heap

page read and write

1250000

direct allocation

page read and write

A60000

unkown

page readonly

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

351F000

stack

page read and write

2AFEF27D000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

DCB94FB000

stack

page read and write

123B000

heap

page read and write

1144000

heap

page read and write

3BA0000

direct allocation

page execute and read and write

1144000

heap

page read and write

1144000

heap

page read and write

C82000

unkown

page write copy

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A7D13000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1120000

direct allocation

page execute and read and write

122A000

heap

page read and write

1144000

heap

page read and write

C7CD6FF000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1130000

direct allocation

page read and write

26B2BB00000

heap

page read and write

2AFEF0F0000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A8490000

trusted library allocation

page read and write

1120000

direct allocation

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

C70000

unkown

page readonly

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

38DA000

stack

page read and write

C84000

unkown

page readonly

122A000

heap

page read and write

1144000

heap

page read and write

C7CD3FB000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

E9F477E000

stack

page read and write

C70000

unkown

page readonly

1144000

heap

page read and write

26B2BD13000

heap

page read and write

122A000

heap

page read and write

DCB8FBF000

stack

page read and write

C10000

heap

page read and write

122A000

heap

page read and write

26B2C3A0000

trusted library allocation

page read and write

1144000

heap

page read and write

2D80000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC80000

heap

page read and write

1144000

heap

page read and write

1140000

heap

page read and write

1120000

direct allocation

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

2AFEF279000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

3A3E000

stack

page read and write

1244000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

DCB95F7000

stack

page read and write

2AFEF25C000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2AFEFC02000

trusted library allocation

page read and write

26B2BC8C000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1130000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

2AFEF25B000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

F5C000

stack

page read and write

1226000

heap

page read and write

C71000

unkown

page execute read

1144000

heap

page read and write

2AFEF25F000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1190000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1F5A7C89000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

2AFEF190000

trusted library allocation

page read and write

1260000

direct allocation

page read and write

C70000

unkown

page readonly

26B2BC4A000

heap

page read and write

1144000

heap

page read and write

1F5A7C87000

heap

page read and write

13DE000

stack

page read and write

1144000

heap

page read and write

1F5A7C29000

heap

page read and write

2EA0000

heap

page read and write

1144000

heap

page read and write

C70000

unkown

page readonly

1144000

heap

page read and write

122A000

heap

page read and write

1200000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC00000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

13AF000

stack

page read and write

33DF000

stack

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

2AFEF23C000

heap

page read and write

1144000

heap

page read and write

37DD000

stack

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

D9E000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2AFEF308000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

3B7F000

stack

page read and write

2EA1000

heap

page read and write

1144000

heap

page read and write

1F5A7D08000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

13C0000

heap

page read and write

120E000

stack

page read and write

11D0000

heap

page read and write

1144000

heap

page read and write

C7CCF2D000

stack

page read and write

26B2BD08000

heap

page read and write

1144000

heap

page read and write

1F5A7D00000

heap

page read and write

1F5A7C3C000

heap

page read and write

122A000

heap

page read and write

2AFEF27D000

heap

page read and write

1144000

heap

page read and write

26B2BC3C000

heap

page read and write

1144000

heap

page read and write

1130000

direct allocation

page read and write

A60000

unkown

page readonly

1144000

heap

page read and write

13C7000

heap

page read and write

DDE000

stack

page read and write

122A000

heap

page read and write

DCB96FF000

stack

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1190000

trusted library allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

2AFEF27F000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1F5A7C13000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

3BAB000

direct allocation

page execute and read and write

3A7E000

stack

page read and write

1144000

heap

page read and write

1120000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

E9F457B000

stack

page read and write

2AFEF313000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC13000

heap

page read and write

E9F447F000

stack

page read and write

1144000

heap

page read and write

379F000

stack

page read and write

1144000

heap

page read and write

2DE0000

direct allocation

page read and write

2AFEF25E000

heap

page read and write

C7CD4F7000

stack

page read and write

1F5A7C76000

heap

page read and write

2AFEF200000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

393D000

stack

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC6F000

heap

page read and write

1F5A7C7A000

heap

page read and write

1144000

heap

page read and write

1F5A7BF0000

heap

page read and write

2AFEF279000

heap

page read and write

1144000

heap

page read and write

1F5A7C4D000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

2AFEF302000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

26B2BC51000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

1120000

direct allocation

page read and write

122A000

heap

page read and write

2AFEF213000

heap

page read and write

C71000

unkown

page execute read

1144000

heap

page read and write

124E000

stack

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

D00000

heap

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

E9F410B000

stack

page read and write

1144000

heap

page read and write

2F50000

heap

page read and write

2E00000

trusted library allocation

page read and write

1144000

heap

page read and write

C84000

unkown

page readonly

1144000

heap

page read and write

1144000

heap

page read and write

A74000

unkown

page readonly

1144000

heap

page read and write

1144000

heap

page read and write

2AFEF261000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

1F5A7C00000

heap

page read and write

A61000

unkown

page execute read

1190000

direct allocation

page read and write

1144000

heap

page read and write

1144000

heap

page read and write

1F5A7B90000

heap

page read and write

1144000

heap

page read and write

C84000

unkown

page readonly

1144000

heap

page read and write

1144000

heap

page read and write

C7CCEAB000

stack

page read and write

1144000

heap

page read and write

122A000

heap

page read and write

122A000

heap

page read and write

There are 629 hidden memdumps, click here to show them.