Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
101POH0000000166.rtf
|
Rich Text Format data, version 1, ANSI, code page 1250, default middle east language ID 1025
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\913A360A-E69B-44A8-AAEF-E0FC3C105644
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3C004465.wmf
|
Windows metafile
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\533700F4.wmf
|
Windows metafile
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D520B722.wmf
|
Windows metafile
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{9B880850-96FA-42C0-A89A-62B76274DB3A}.tmp
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C47AA337-7EB7-42EC-A441-6A672102AA66}.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{DC16EFFE-5C6A-4DAD-AD70-F1D7DEACD209}.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\101POH0000000166.rtf.LNK
|
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 20:38:45
2022, mtime=Wed Jan 25 17:07:46 2023, atime=Wed Jan 25 17:07:43 2023, length=62509, window=hide
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
|
data
|
dropped
|
||
|
C:\Users\user\Desktop\~$1POH0000000166.rtf
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
|
"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
|
||
|
C:\Windows\splwow64.exe
|
C:\Windows\splwow64.exe 12288
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://api.diagnosticssdf.office.com
|
unknown
|
||
|
https://login.microsoftonline.com/
|
unknown
|
||
|
https://shell.suite.office.com:1443
|
unknown
|
||
|
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
|
unknown
|
||
|
https://autodiscover-s.outlook.com/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
|
unknown
|
||
|
https://cdn.entity.
|
unknown
|
||
|
https://api.addins.omex.office.net/appinfo/query
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/tenantassociationkey
|
unknown
|
||
|
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
|
unknown
|
||
|
https://powerlift.acompli.net
|
unknown
|
||
|
https://rpsticket.partnerservices.getmicrosoftkey.com
|
unknown
|
||
|
https://lookup.onenote.com/lookup/geolocation/v1
|
unknown
|
||
|
https://cortana.ai
|
unknown
|
||
|
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://cloudfiles.onenote.com/upload.aspx
|
unknown
|
||
|
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://entitlement.diagnosticssdf.office.com
|
unknown
|
||
|
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
|
unknown
|
||
|
https://api.aadrm.com/
|
unknown
|
||
|
https://ofcrecsvcapi-int.azurewebsites.net/
|
unknown
|
||
|
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
|
unknown
|
||
|
https://api.microsoftstream.com/api/
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
|
unknown
|
||
|
https://cr.office.com
|
unknown
|
||
|
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
|
unknown
|
||
|
https://portal.office.com/account/?ref=ClientMeControl
|
unknown
|
||
|
https://graph.ppe.windows.net
|
unknown
|
||
|
https://res.getmicrosoftkey.com/api/redemptionevents
|
unknown
|
||
|
https://powerlift-frontdesk.acompli.net
|
unknown
|
||
|
https://tasks.office.com
|
unknown
|
||
|
https://officeci.azurewebsites.net/api/
|
unknown
|
||
|
https://sr.outlook.office.net/ws/speech/recognize/assistant/work
|
unknown
|
||
|
https://api.scheduler.
|
unknown
|
||
|
https://my.microsoftpersonalcontent.com
|
unknown
|
||
|
https://store.office.cn/addinstemplate
|
unknown
|
||
|
https://api.aadrm.com
|
unknown
|
||
|
https://outlook.office.com/autosuggest/api/v1/init?cvid=
|
unknown
|
||
|
https://globaldisco.crm.dynamics.com
|
unknown
|
||
|
https://messaging.engagement.office.com/
|
unknown
|
||
|
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://dev0-api.acompli.net/autodetect
|
unknown
|
||
|
https://www.odwebp.svc.ms
|
unknown
|
||
|
https://api.diagnosticssdf.office.com/v2/feedback
|
unknown
|
||
|
https://api.powerbi.com/v1.0/myorg/groups
|
unknown
|
||
|
https://web.microsoftstream.com/video/
|
unknown
|
||
|
https://api.addins.store.officeppe.com/addinstemplate
|
unknown
|
||
|
https://graph.windows.net
|
unknown
|
||
|
https://dataservice.o365filtering.com/
|
unknown
|
||
|
https://officesetup.getmicrosoftkey.com
|
unknown
|
||
|
https://analysis.windows.net/powerbi/api
|
unknown
|
||
|
https://prod-global-autodetect.acompli.net/autodetect
|
unknown
|
||
|
https://outlook.office365.com/autodiscover/autodiscover.json
|
unknown
|
||
|
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
|
unknown
|
||
|
https://consent.config.office.com/consentcheckin/v1.0/consents
|
unknown
|
||
|
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
|
unknown
|
||
|
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
|
unknown
|
||
|
https://d.docs.live.net
|
unknown
|
||
|
https://ncus.contentsync.
|
unknown
|
||
|
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
|
unknown
|
||
|
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
|
unknown
|
||
|
http://weather.service.msn.com/data.aspx
|
unknown
|
||
|
https://apis.live.net/v5.0/
|
unknown
|
||
|
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
|
unknown
|
||
|
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
|
unknown
|
||
|
https://messaging.lifecycle.office.com/
|
unknown
|
||
|
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
|
unknown
|
||
|
https://pushchannel.1drv.ms
|
unknown
|
||
|
https://management.azure.com
|
unknown
|
||
|
https://outlook.office365.com
|
unknown
|
||
|
https://wus2.contentsync.
|
unknown
|
||
|
https://incidents.diagnostics.office.com
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/ios
|
unknown
|
||
|
https://make.powerautomate.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/odc/insertmedia
|
unknown
|
||
|
https://o365auditrealtimeingestion.manage.office.com
|
unknown
|
||
|
https://outlook.office365.com/api/v1.0/me/Activities
|
unknown
|
||
|
https://api.office.net
|
unknown
|
||
|
https://incidents.diagnosticssdf.office.com
|
unknown
|
||
|
https://asgsmsproxyapi.azurewebsites.net/
|
unknown
|
||
|
https://clients.config.office.net/user/v1.0/android/policies
|
unknown
|
||
|
https://entitlement.diagnostics.office.com
|
unknown
|
||
|
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
|
unknown
|
||
|
https://substrate.office.com/search/api/v2/init
|
unknown
|
||
|
https://outlook.office.com/
|
unknown
|
||
|
https://storage.live.com/clientlogs/uploadlocation
|
unknown
|
||
|
https://outlook.office365.com/
|
unknown
|
||
|
https://webshell.suite.office.com
|
unknown
|
||
|
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
|
unknown
|
||
|
https://substrate.office.com/search/api/v1/SearchHistory
|
unknown
|
||
|
https://management.azure.com/
|
unknown
|
||
|
https://messaging.lifecycle.office.com/getcustommessage16
|
unknown
|
||
|
https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
|
unknown
|
||
|
https://login.windows.net/common/oauth2/authorize
|
unknown
|
||
|
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
|
unknown
|
||
|
https://graph.windows.net/
|
unknown
|
||
|
https://api.powerbi.com/beta/myorg/imports
|
unknown
|
||
|
https://devnull.onenote.com
|
unknown
|
||
|
https://messaging.action.office.com/
|
unknown
|
There are 90 hidden URLs, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
'd8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
(d8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
rg8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
RemoteClearDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3
|
Last
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
FilePath
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
StartDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
EndDate
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Properties
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.4954&crev=3\0
|
Url
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\internet\WebServiceCache
|
LastClean
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableWinHttpCertAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableIsOwnerRegex
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableSessionAwareHttpClose
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALForExtendedApps
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
DisableADALSetSilentAuth
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableGuestCredProvider
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity
|
msoridDisableOstringReplace
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\StartupItems
|
bl8
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\ReviewCycle
|
ReviewToken
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\1C7D0
|
1C7D0
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
VBAFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0
|
MSForms
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Word8.0
|
MSComctlLib
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
|
Cambria Math
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\256E1
|
256E1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0
|
File Path
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0
|
Datetime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Reading Locations\Document 0
|
Position
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
|
VisiFlm
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
|
AutoGrammar
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
|
AutosaveInterval
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options
|
PreferredView
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\IOAV
|
LastBootTime
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingConfigurableSettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastSyncTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastWriteTime
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Name
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Path
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office\16.0\Word\Text Converters\Import
|
Extensions
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency\DocumentRecovery\256E1
|
256E1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Data
|
Settings
|
There are 55 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1580DC73000
|
heap
|
page read and write
|
||
|
1580DC3D000
|
heap
|
page read and write
|
||
|
18873C5C000
|
heap
|
page read and write
|
||
|
18874522000
|
heap
|
page read and write
|
||
|
1AD7A7D000
|
stack
|
page read and write
|
||
|
2A58BBD6000
|
trusted library allocation
|
page read and write
|
||
|
2479B9C0000
|
heap
|
page read and write
|
||
|
19B27B000
|
stack
|
page read and write
|
||
|
38BE87D000
|
stack
|
page read and write
|
||
|
E7E17F9000
|
stack
|
page read and write
|
||
|
906F8F9000
|
stack
|
page read and write
|
||
|
ED5C9FF000
|
stack
|
page read and write
|
||
|
13230300000
|
heap
|
page read and write
|
||
|
18874543000
|
heap
|
page read and write
|
||
|
1580DC62000
|
heap
|
page read and write
|
||
|
1E3DBFF000
|
stack
|
page read and write
|
||
|
188745BB000
|
heap
|
page read and write
|
||
|
21616CF0000
|
heap
|
page read and write
|
||
|
1580DC13000
|
heap
|
page read and write
|
||
|
1F7F9C67000
|
heap
|
page read and write
|
||
|
3607CFF000
|
stack
|
page read and write
|
||
|
2A58AFF6000
|
heap
|
page read and write
|
||
|
13230313000
|
heap
|
page read and write
|
||
|
2A58B200000
|
trusted library allocation
|
page read and write
|
||
|
18874402000
|
heap
|
page read and write
|
||
|
1F7F9C3B000
|
heap
|
page read and write
|
||
|
18873C43000
|
heap
|
page read and write
|
||
|
18874554000
|
heap
|
page read and write
|
||
|
1323026A000
|
heap
|
page read and write
|
||
|
16936500000
|
heap
|
page read and write
|
||
|
ED5C47C000
|
stack
|
page read and write
|
||
|
18873C00000
|
heap
|
page read and write
|
||
|
1580F750000
|
remote allocation
|
page read and write
|
||
|
2A58AFFF000
|
heap
|
page read and write
|
||
|
FAE487C000
|
stack
|
page read and write
|
||
|
2A58AFDE000
|
heap
|
page read and write
|
||
|
18873D13000
|
heap
|
page read and write
|
||
|
1AD7B7F000
|
stack
|
page read and write
|
||
|
2A58AFDE000
|
heap
|
page read and write
|
||
|
2479BA30000
|
heap
|
page read and write
|
||
|
21616E29000
|
heap
|
page read and write
|
||
|
18873B60000
|
heap
|
page read and write
|
||
|
3607FFF000
|
stack
|
page read and write
|
||
|
2479BC61000
|
heap
|
page read and write
|
||
|
19B3FA000
|
stack
|
page read and write
|
||
|
188745C1000
|
heap
|
page read and write
|
||
|
FAE4B7E000
|
stack
|
page read and write
|
||
|
16935BA0000
|
heap
|
page read and write
|
||
|
2B79D4E0000
|
heap
|
page read and write
|
||
|
1580DD00000
|
heap
|
page read and write
|
||
|
FAE4EFD000
|
stack
|
page read and write
|
||
|
2B79D602000
|
heap
|
page read and write
|
||
|
2A58AF98000
|
heap
|
page read and write
|
||
|
1F7F9AE0000
|
heap
|
page read and write
|
||
|
16935C10000
|
heap
|
page read and write
|
||
|
16935E2A000
|
heap
|
page read and write
|
||
|
19B5FE000
|
stack
|
page read and write
|
||
|
18874630000
|
heap
|
page read and write
|
||
|
21616E3C000
|
heap
|
page read and write
|
||
|
FAE4AFE000
|
stack
|
page read and write
|
||
|
2A58B220000
|
trusted library allocation
|
page read and write
|
||
|
2479BC00000
|
heap
|
page read and write
|
||
|
1E3DEFE000
|
stack
|
page read and write
|
||
|
2B79D65C000
|
heap
|
page read and write
|
||
|
2479BC7B000
|
heap
|
page read and write
|
||
|
2B79D640000
|
heap
|
page read and write
|
||
|
1F7F9C6D000
|
heap
|
page read and write
|
||
|
906F7FE000
|
stack
|
page read and write
|
||
|
2479BC47000
|
heap
|
page read and write
|
||
|
1F7F9D02000
|
heap
|
page read and write
|
||
|
2B79D600000
|
heap
|
page read and write
|
||
|
2479BD02000
|
heap
|
page read and write
|
||
|
1E3D7BB000
|
stack
|
page read and write
|
||
|
18874350000
|
trusted library allocation
|
page read and write
|
||
|
2A58B160000
|
trusted library allocation
|
page read and write
|
||
|
1AD7D7F000
|
stack
|
page read and write
|
||
|
1F7F9C29000
|
heap
|
page read and write
|
||
|
13230202000
|
heap
|
page read and write
|
||
|
2A58AFA0000
|
heap
|
page read and write
|
||
|
2479BC41000
|
heap
|
page read and write
|
||
|
21616E02000
|
heap
|
page read and write
|
||
|
2479BC4C000
|
heap
|
page read and write
|
||
|
2479BC85000
|
heap
|
page read and write
|
||
|
21616E44000
|
heap
|
page read and write
|
||
|
18874330000
|
trusted library allocation
|
page read and write
|
||
|
21616E13000
|
heap
|
page read and write
|
||
|
2A58AF10000
|
heap
|
page read and write
|
||
|
36078FB000
|
stack
|
page read and write
|
||
|
18873C58000
|
heap
|
page read and write
|
||
|
13230241000
|
heap
|
page read and write
|
||
|
18873C55000
|
heap
|
page read and write
|
||
|
2A58AE90000
|
trusted library allocation
|
page read and write
|
||
|
1E3DDFF000
|
stack
|
page read and write
|
||
|
16935DE0000
|
trusted library allocation
|
page read and write
|
||
|
2479BC13000
|
heap
|
page read and write
|
||
|
E7E139B000
|
stack
|
page read and write
|
||
|
13230302000
|
heap
|
page read and write
|
||
|
FAE4D7D000
|
stack
|
page read and write
|
||
|
1887458E000
|
heap
|
page read and write
|
||
|
1580DD1C000
|
heap
|
page read and write
|
||
|
18873C29000
|
heap
|
page read and write
|
||
|
2479BC6B000
|
heap
|
page read and write
|
||
|
2479BC66000
|
heap
|
page read and write
|
||
|
2A58BDE0000
|
heap
|
page readonly
|
||
|
21616CA0000
|
heap
|
page read and write
|
||
|
16935E89000
|
heap
|
page read and write
|
||
|
18873C13000
|
heap
|
page read and write
|
||
|
18874500000
|
heap
|
page read and write
|
||
|
E7E187E000
|
stack
|
page read and write
|
||
|
2479BC46000
|
heap
|
page read and write
|
||
|
1F7F9A80000
|
heap
|
page read and write
|
||
|
2B79DE02000
|
trusted library allocation
|
page read and write
|
||
|
13230282000
|
heap
|
page read and write
|
||
|
1AD797B000
|
stack
|
page read and write
|
||
|
21616E4B000
|
heap
|
page read and write
|
||
|
16935E13000
|
heap
|
page read and write
|
||
|
1580DB30000
|
heap
|
page read and write
|
||
|
18873C92000
|
heap
|
page read and write
|
||
|
16935F13000
|
heap
|
page read and write
|
||
|
18873C3C000
|
heap
|
page read and write
|
||
|
18873C6A000
|
heap
|
page read and write
|
||
|
16935E00000
|
heap
|
page read and write
|
||
|
2479BC2A000
|
heap
|
page read and write
|
||
|
FAE507D000
|
stack
|
page read and write
|
||
|
16935EE3000
|
heap
|
page read and write
|
||
|
18874623000
|
heap
|
page read and write
|
||
|
38BE37E000
|
stack
|
page read and write
|
||
|
13230060000
|
heap
|
page read and write
|
||
|
360747B000
|
stack
|
page read and write
|
||
|
1580DD13000
|
heap
|
page read and write
|
||
|
1580DD18000
|
heap
|
page read and write
|
||
|
1F7F9C3D000
|
heap
|
page read and write
|
||
|
18873C52000
|
heap
|
page read and write
|
||
|
21616E41000
|
heap
|
page read and write
|
||
|
38BE27E000
|
stack
|
page read and write
|
||
|
1AD78FC000
|
stack
|
page read and write
|
||
|
188745CF000
|
heap
|
page read and write
|
||
|
1580DC00000
|
heap
|
page read and write
|
||
|
19B6FB000
|
stack
|
page read and write
|
||
|
13230A02000
|
trusted library allocation
|
page read and write
|
||
|
2479BC3B000
|
heap
|
page read and write
|
||
|
2479BC30000
|
heap
|
page read and write
|
||
|
2A58B215000
|
heap
|
page read and write
|
||
|
19B4FF000
|
stack
|
page read and write
|
||
|
2A58BDF0000
|
trusted library allocation
|
page read and write
|
||
|
2479BC7F000
|
heap
|
page read and write
|
||
|
2B79D570000
|
trusted library allocation
|
page read and write
|
||
|
19AFFF000
|
stack
|
page read and write
|
||
|
1AD77FC000
|
stack
|
page read and write
|
||
|
38BE77E000
|
stack
|
page read and write
|
||
|
18874600000
|
heap
|
page read and write
|
||
|
2B79D5A0000
|
remote allocation
|
page read and write
|
||
|
3607DFF000
|
stack
|
page read and write
|
||
|
2A58B219000
|
heap
|
page read and write
|
||
|
1580DB40000
|
heap
|
page read and write
|
||
|
13230213000
|
heap
|
page read and write
|
||
|
2A58BE00000
|
trusted library allocation
|
page read and write
|
||
|
21617602000
|
trusted library allocation
|
page read and write
|
||
|
38BDCCB000
|
stack
|
page read and write
|
||
|
188745CB000
|
heap
|
page read and write
|
||
|
1580DC81000
|
heap
|
page read and write
|
||
|
2479C202000
|
trusted library allocation
|
page read and write
|
||
|
1580DC02000
|
heap
|
page read and write
|
||
|
1580DC2A000
|
heap
|
page read and write
|
||
|
18873DB9000
|
heap
|
page read and write
|
||
|
1580DC58000
|
heap
|
page read and write
|
||
|
13230258000
|
heap
|
page read and write
|
||
|
1F7F9A70000
|
heap
|
page read and write
|
||
|
1580F750000
|
remote allocation
|
page read and write
|
||
|
2479BC3E000
|
heap
|
page read and write
|
||
|
FAE4F7F000
|
stack
|
page read and write
|
||
|
21616F02000
|
heap
|
page read and write
|
||
|
18874613000
|
heap
|
page read and write
|
||
|
21616E2E000
|
heap
|
page read and write
|
||
|
1AD727B000
|
stack
|
page read and write
|
||
|
2B79D4D0000
|
heap
|
page read and write
|
||
|
1580DC48000
|
heap
|
page read and write
|
||
|
2A58AF90000
|
heap
|
page read and write
|
||
|
2A58BBD0000
|
trusted library allocation
|
page read and write
|
||
|
1580F6D0000
|
trusted library allocation
|
page read and write
|
||
|
2479BC48000
|
heap
|
page read and write
|
||
|
2479BC63000
|
heap
|
page read and write
|
||
|
1580DBD0000
|
trusted library allocation
|
page read and write
|
||
|
18873C68000
|
heap
|
page read and write
|
||
|
2B79D629000
|
heap
|
page read and write
|
||
|
2B79D540000
|
heap
|
page read and write
|
||
|
18873DE5000
|
heap
|
page read and write
|
||
|
ED5C4FE000
|
stack
|
page read and write
|
||
|
18873D8E000
|
heap
|
page read and write
|
||
|
21616E48000
|
heap
|
page read and write
|
||
|
21616C90000
|
heap
|
page read and write
|
||
|
1AD767E000
|
stack
|
page read and write
|
||
|
18874602000
|
heap
|
page read and write
|
||
|
1E3DCFB000
|
stack
|
page read and write
|
||
|
906F9FF000
|
stack
|
page read and write
|
||
|
2B79D5A0000
|
remote allocation
|
page read and write
|
||
|
2A58AFDE000
|
heap
|
page read and write
|
||
|
1AD747B000
|
stack
|
page read and write
|
||
|
2479BC5C000
|
heap
|
page read and write
|
||
|
1580DC58000
|
heap
|
page read and write
|
||
|
18874522000
|
heap
|
page read and write
|
||
|
18874627000
|
heap
|
page read and write
|
||
|
2479BC78000
|
heap
|
page read and write
|
||
|
16935EC3000
|
heap
|
page read and write
|
||
|
1580DBA0000
|
heap
|
page read and write
|
||
|
16935F02000
|
heap
|
page read and write
|
||
|
38BE67B000
|
stack
|
page read and write
|
||
|
21616DF0000
|
trusted library allocation
|
page read and write
|
||
|
21616E00000
|
heap
|
page read and write
|
||
|
1AD7C7C000
|
stack
|
page read and write
|
||
|
2479BC3C000
|
heap
|
page read and write
|
||
|
13230160000
|
trusted library allocation
|
page read and write
|
||
|
1580DC47000
|
heap
|
page read and write
|
||
|
1F7F9C75000
|
heap
|
page read and write
|
||
|
16935E6F000
|
heap
|
page read and write
|
||
|
FAE4DFF000
|
stack
|
page read and write
|
||
|
2479BC3A000
|
heap
|
page read and write
|
||
|
2A58AF80000
|
trusted library allocation
|
page read and write
|
||
|
19B2F9000
|
stack
|
page read and write
|
||
|
E7E18F9000
|
stack
|
page read and write
|
||
|
1F7F9C13000
|
heap
|
page read and write
|
||
|
ED5C7FE000
|
stack
|
page read and write
|
||
|
FAE4C7E000
|
stack
|
page read and write
|
||
|
21616E53000
|
heap
|
page read and write
|
||
|
2479BC7C000
|
heap
|
page read and write
|
||
|
3607AFD000
|
stack
|
page read and write
|
||
|
1323027B000
|
heap
|
page read and write
|
||
|
19AE7B000
|
stack
|
page read and write
|
||
|
1580F750000
|
remote allocation
|
page read and write
|
||
|
1F7F9C5A000
|
heap
|
page read and write
|
||
|
1580DD02000
|
heap
|
page read and write
|
||
|
2A58B1C0000
|
trusted library allocation
|
page read and write
|
||
|
1AD777E000
|
stack
|
page read and write
|
||
|
2479BC43000
|
heap
|
page read and write
|
||
|
1580DBF0000
|
trusted library allocation
|
page read and write
|
||
|
21616E3A000
|
heap
|
page read and write
|
||
|
18873BD0000
|
heap
|
page read and write
|
||
|
1322FFF0000
|
heap
|
page read and write
|
||
|
ED5C57E000
|
stack
|
page read and write
|
||
|
ED5C6FE000
|
stack
|
page read and write
|
||
|
18873C92000
|
heap
|
page read and write
|
||
|
1F7FA402000
|
trusted library allocation
|
page read and write
|
||
|
E7E197D000
|
stack
|
page read and write
|
||
|
1F7F9C71000
|
heap
|
page read and write
|
||
|
2479C190000
|
trusted library allocation
|
page read and write
|
||
|
2A58BE50000
|
trusted library allocation
|
page read and write
|
||
|
188745AF000
|
heap
|
page read and write
|
||
|
18873C8B000
|
heap
|
page read and write
|
||
|
906FAFF000
|
stack
|
page read and write
|
||
|
1580DC57000
|
heap
|
page read and write
|
||
|
16936402000
|
heap
|
page read and write
|
||
|
E7E1779000
|
stack
|
page read and write
|
||
|
13230200000
|
heap
|
page read and write
|
||
|
1F7F9C00000
|
heap
|
page read and write
|
||
|
2479BC5C000
|
heap
|
page read and write
|
||
|
906F3FB000
|
stack
|
page read and write
|
||
|
1580DC89000
|
heap
|
page read and write
|
||
|
18873B70000
|
heap
|
page read and write
|
||
|
2A58AE80000
|
heap
|
page read and write
|
||
|
16935ECD000
|
heap
|
page read and write
|
||
|
19B17F000
|
stack
|
page read and write
|
||
|
2479BC68000
|
heap
|
page read and write
|
||
|
1580F802000
|
trusted library allocation
|
page read and write
|
||
|
2479B9D0000
|
heap
|
page read and write
|
||
|
2B79D613000
|
heap
|
page read and write
|
||
|
1887456D000
|
heap
|
page read and write
|
||
|
2479BC6C000
|
heap
|
page read and write
|
||
|
1580DC48000
|
heap
|
page read and write
|
||
|
2479BC50000
|
heap
|
page read and write
|
||
|
13230279000
|
heap
|
page read and write
|
||
|
2479BC4F000
|
heap
|
page read and write
|
||
|
2B79D5A0000
|
remote allocation
|
page read and write
|
||
|
ED5C8FE000
|
stack
|
page read and write
|
||
|
36079FE000
|
stack
|
page read and write
|
||
|
2B79D702000
|
heap
|
page read and write
|
||
|
38BE47F000
|
stack
|
page read and write
|
||
|
1F7F9BE0000
|
trusted library allocation
|
page read and write
|
||
|
3607BFE000
|
stack
|
page read and write
|
||
|
2479BC6E000
|
heap
|
page read and write
|
||
|
13230228000
|
heap
|
page read and write
|
||
|
1580F690000
|
trusted library allocation
|
page read and write
|
||
|
18873C43000
|
heap
|
page read and write
|
||
|
2479BC64000
|
heap
|
page read and write
|
||
|
360767B000
|
stack
|
page read and write
|
||
|
3607EFF000
|
stack
|
page read and write
|
||
|
2A58B210000
|
heap
|
page read and write
|
||
|
13230000000
|
heap
|
page read and write
|
||
|
2479BC4A000
|
heap
|
page read and write
|
||
|
18874502000
|
heap
|
page read and write
|
||
|
18873C86000
|
heap
|
page read and write
|
||
|
38BE57B000
|
stack
|
page read and write
|
||
|
16935BB0000
|
heap
|
page read and write
|
||
|
1F7F9C02000
|
heap
|
page read and write
|
||
|
16935EBC000
|
heap
|
page read and write
|
||
|
1F7F9D13000
|
heap
|
page read and write
|
||
|
16935E68000
|
heap
|
page read and write
|
||
|
36077FE000
|
stack
|
page read and write
|
||
|
16935E45000
|
heap
|
page read and write
|
||
|
2A58AEF0000
|
heap
|
page read and write
|
||
|
19B07F000
|
stack
|
page read and write
|
There are 290 hidden memdumps, click here to show them.